Update(sandbox): Add Netcat/Socat Remote Code Execution on Host rule #537
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Rules | |
on: | |
pull_request: | |
branches: | |
- main | |
- release/* | |
push: | |
branches: | |
- main | |
jobs: | |
# retrieves the changed rules files and the Falco versions to be used | |
get-values: | |
runs-on: ubuntu-latest | |
outputs: | |
changed-files: ${{ steps.set-changed-files.outputs.changed-files }} | |
falco-versions: ${{ steps.set-falco-versions.outputs.versions }} | |
steps: | |
- name: Checkout rules | |
uses: actions/checkout@v4 | |
- name: Get changed files | |
id: changed-files | |
if: github.event_name == 'pull_request' | |
uses: Ana06/[email protected] | |
with: | |
format: space-delimited | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Find changed rules files | |
id: set-changed-files | |
run: | | |
# Find any changed file located under the /rules folder that matches the naming convention <ruleset>_rules.yaml. | |
# See https://github.com/falcosecurity/rules/blob/main/README.md#naming-convention for details. | |
# Additionally, if we skip changed-files because we're not in a pull request, | |
# then we consider all the rules contained in the repository. | |
all_files="${{ steps.changed-files.outputs.all }}" | |
values="" | |
if [ -z "$all_files" ]; then | |
values=$(ls rules/*_rules.yaml) | |
else | |
for changed_file in $all_files; do | |
if [[ "${changed_file}" =~ ^rules/[^/]*_rules\.yaml$ ]]; then | |
values=${values}${changed_file}$'\n' | |
fi | |
done | |
fi | |
echo "changed-files=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT | |
- name: Read Falco versions | |
id: set-falco-versions | |
run: | | |
values="" | |
while read -r line | |
do | |
values="${values}${line}"$'\n' | |
done < "./.github/FALCO_VERSIONS" | |
echo "versions=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT | |
validate: | |
if: needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != '' | |
needs: get-values | |
strategy: | |
fail-fast: false | |
matrix: | |
rules-file: ${{ fromJson(needs.get-values.outputs.changed-files) }} | |
falco-version: ${{ fromJson(needs.get-values.outputs.falco-versions) }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup Golang | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.19.0" | |
- name: Checkout rules | |
uses: actions/checkout@v4 | |
- name: Build checker tool | |
working-directory: build/checker | |
run: go build -o rules-check | |
- name: Test checker tool | |
working-directory: build/checker | |
run: go test ./... -cover | |
- name: Validate rules file | |
run: | | |
build/checker/rules-check \ | |
validate \ | |
--falco-image="falcosecurity/falco-no-driver:${{ matrix.falco-version }}" \ | |
-r ${{ matrix.rules-file }} | |
check-version: | |
if: github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != '' | |
needs: get-values | |
env: | |
# note(jasondellaluce): using the most recent targeted Falco version | |
FALCO_VERSION: ${{ fromJson(needs.get-values.outputs.falco-versions)[0] }} | |
strategy: | |
fail-fast: false | |
matrix: | |
rules-file: ${{ fromJson(needs.get-values.outputs.changed-files) }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup Golang | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.19.0" | |
- name: Checkout rules | |
uses: actions/checkout@v4 | |
- name: Get all git tags | |
run: git fetch --tags origin | |
- name: Get changed files | |
uses: Ana06/[email protected] | |
id: changed | |
with: | |
format: space-delimited | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build checker tool | |
working-directory: build/checker | |
run: go build -o rules-check | |
- name: Test checker tool | |
working-directory: build/checker | |
run: go test ./... -cover | |
- name: Compare changed files with previous versions | |
id: compare | |
run: | | |
./.github/compare-rule-files.sh \ | |
"${{ matrix.rules-file }}" \ | |
result.txt \ | |
build/checker/rules-check \ | |
"falcosecurity/falco-no-driver:$FALCO_VERSION" | |
if [ -s result.txt ]; then | |
echo "comment_file=result.txt" >> $GITHUB_OUTPUT | |
fi | |
- name: Save PR info | |
if: steps.compare.outputs.comment_file != '' | |
run: | | |
mkdir -p ./pr | |
cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ strategy.job-index }} | |
- name: Upload PR info as artifact | |
uses: actions/upload-artifact@v4 | |
if: steps.compare.outputs.comment_file != '' | |
with: | |
name: pr-${{ strategy.job-index }} | |
path: pr/ | |
retention-days: 1 | |
upload-pr-info: | |
needs: [get-values, check-version] | |
if: ${{ !cancelled() && github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != '' }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download PR infos | |
uses: actions/download-artifact@v4 | |
with: | |
path: tmp-artifacts | |
- name: Save PR info | |
run: | | |
if [ ! -d "./tmp-artifacts/" ]; then | |
echo "No PR info found. Skipping." | |
exit 0 | |
fi | |
mkdir -p ./pr | |
echo ${{ github.event.number }} > ./pr/NR | |
touch ./pr/COMMENT | |
echo "# Rules files suggestions" >> ./pr/COMMENT | |
echo "" >> ./pr/COMMENT | |
files=$(find ./tmp-artifacts/) | |
for file in $files; do | |
if [[ "$file" =~ "COMMENT" ]]; then | |
cat "$file" >> ./pr/COMMENT | |
fi | |
done | |
echo Uploading PR info... | |
cat ./pr/COMMENT | |
echo "" | |
- name: Upload PR info as artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: pr | |
path: pr/ | |
retention-days: 1 | |
if-no-files-found: warn |