Skip to content

Commit

Permalink
Squashed all commits on implement-reversinglab-scanner
Browse files Browse the repository at this point in the history
  • Loading branch information
developerkunal committed Oct 30, 2024
1 parent 60579b1 commit 8edd85f
Show file tree
Hide file tree
Showing 8 changed files with 164 additions and 85 deletions.
2 changes: 1 addition & 1 deletion .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
@@ -1 +1 @@
* @auth0/dx-sdks-engineer
* @auth0/project-dx-sdks-engineer-codeowner
71 changes: 71 additions & 0 deletions .github/actions/rl-scanner/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
name: 'Reversing Labs Scanner'
description: 'Runs the Reversing Labs scanner on a specified artifact.'
inputs:
artifact-path:
description: 'Path to the artifact to be scanned.'
required: true
version:
description: 'Version of the artifact.'
required: true

runs:
using: 'composite'
steps:
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.10'

- name: Install Python dependencies
shell: bash
run: |
pip install boto3 requests
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
aws-region: us-east-1
mask-aws-account-id: true

- name: Install RL Wrapper
shell: bash
run: |
pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
- name: Run RL Scanner
shell: bash
env:
RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
PYTHONUNBUFFERED: 1
run: |
if [ ! -f "${{ inputs.artifact-path }}" ]; then
echo "Artifact not found: ${{ inputs.artifact-path }}"
exit 1
fi
rl-wrapper \
--artifact "${{ inputs.artifact-path }}" \
--name "${{ github.event.repository.name }}" \
--version "${{ inputs.version }}" \
--repository "${{ github.repository }}" \
--commit "${{ github.sha }}" \
--build-env "github_actions" \
--suppress_output
# Check the outcome of the scanner
if [ $? -ne 0 ]; then
echo "RL Scanner failed."
echo "scan-status=failed" >> $GITHUB_ENV
exit 1
else
echo "RL Scanner passed."
echo "scan-status=success" >> $GITHUB_ENV
fi
outputs:
scan-status:
description: 'The outcome of the scan process.'
value: ${{ env.scan-status }}
9 changes: 1 addition & 8 deletions .github/workflows/browserstack.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: Browserstack
on:
merge_group:
workflow_dispatch:
pull_request_target:
pull_request:
types:
- opened
- synchronize
Expand All @@ -22,15 +22,8 @@ env:
NODE_VERSION: 18

jobs:
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

browserstack:
needs: authorize

name: BrowserStack Tests
runs-on: ubuntu-latest
Expand Down
15 changes: 14 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,24 @@ permissions:
### TODO: Also remove `npm-release` workflow from this repo's .github/workflows folder once the repo is public.

jobs:
rl-scanner:
uses: ./.github/workflows/rl-secure.yml
with:
node-version: 18
artifact-name: 'auth0-spa-js.tgz'
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
release:
uses: ./.github/workflows/npm-release.yml
needs: rl-scanner
with:
node-version: 18
require-build: true
secrets:
npm-token: ${{ secrets.NPM_TOKEN }}
github-token: ${{ secrets.GITHUB_TOKEN }}
github-token: ${{ secrets.GITHUB_TOKEN }}
97 changes: 54 additions & 43 deletions .github/workflows/rl-secure.yml
Original file line number Diff line number Diff line change
@@ -1,56 +1,67 @@
name: RL-Secure Workflow
run-name: rl-scanner-only
description: Workflow for scanning build artifacts with RL-Secure

on:
push:
branches: [ "main" ]
pull_request_target:
types:
- opened
- synchronize
workflow_call:
inputs:
node-version:
required: true
type: string
artifact-name:
required: true
type: string
secrets:
RLSECURE_LICENSE:
required: true
RLSECURE_SITE_KEY:
required: true
SIGNAL_HANDLER_TOKEN:
required: true
PRODSEC_TOOLS_USER:
required: true
PRODSEC_TOOLS_TOKEN:
required: true
PRODSEC_TOOLS_ARN:
required: true

jobs:
checkout-build-scan-only:
description: Checkout, build, and scan the project
rl-scanner:
name: Run Reversing Labs Scanner
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
runs-on: ubuntu-latest

permissions:
statuses: write
pull-requests: write
outputs:
scan-status: ${{ steps.rl-scan-conclusion.outcome }}

steps:
- uses: actions/checkout@v4
- name: Create build artifact
id: build
shell: bash
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Build package
uses: ./.github/actions/build
with:
node: ${{ inputs.node-version }}

- name: Create tgz build artifact
run: |
# Install dependencies
npm install
# Zip the project with dependencies
zip -r auth0-spa-js.zip . -x node_modules/\*
tar -czvf ${{ inputs.artifact-name }} *
# Set the scanfile output parameter
echo "scanfile=auth0-spa-js.zip" >> $GITHUB_OUTPUT
- id: get_version
uses: ./.github/actions/get-version

- name: Scan packages with rl-secure
id: scan
- name: Run RL Scanner
id: rl-scan-conclusion
uses: ./.github/actions/rl-scanner
with:
artifact-path: "$(pwd)/${{ inputs.artifact-name }}"
version: "${{ steps.get_version.outputs.version }}"
env:
RLSECURE_ENCODED_LICENSE: ${{ secrets.RLSECURE_ENCODED_LICENSE }}
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
uses: reversinglabs/gh-action-rl-scanner-only@v1
with:
artifact-to-scan: ${{ steps.build.outputs.scanfile }}
report-path: "My_Report_Dir"
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

- name: Get the scan status output
if: success() || failure()
run: |
echo "The status is: '${{ steps.scan.outputs.status }}'"
echo "The description is: '${{ steps.scan.outputs.description }}'"
- name: Show analysis report
if: success() || failure()
shell: bash
run: |
ls -la
ls -l 'My_Report_Dir'
- name: Output scan result
run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV
9 changes: 1 addition & 8 deletions .github/workflows/semgrep.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ name: Semgrep

on:
merge_group:
pull_request_target:
pull_request:
types:
- opened
- synchronize
Expand All @@ -20,15 +20,8 @@ concurrency:
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

run:
needs: authorize # Require approval before running on forked pull requests

name: Check for Vulnerabilities
runs-on: ubuntu-latest
Expand Down
9 changes: 1 addition & 8 deletions .github/workflows/snyk.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: Snyk
on:
merge_group:
workflow_dispatch:
pull_request_target:
pull_request:
types:
- opened
- synchronize
Expand All @@ -21,15 +21,8 @@ concurrency:
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

check:
needs: authorize

name: Check for Vulnerabilities
runs-on: ubuntu-latest
Expand Down
37 changes: 21 additions & 16 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 8edd85f

Please sign in to comment.