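name: 'gh-action-rl-scanner-cloud-composite'
author: 'ReversingLabs'
description: 'Scan an artifact with ReversingLabs Spectra Assure Portal'
branding:
  icon: 'shield'
  color: 'purple'
# We expect 'RLPORTAL_ACCESS_TOKEN' to be defined as a secret and available in
# the environment of the calling job. It is not one of the inputs below, so it
# must be exported via `env:` by the workflow that uses this action.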
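# All action inputs reach the steps as strings. Defaults are quoted so that the
# YAML parser does not type them as bool/int; the '# type:' comments record the
# type the value is expected to represent.
inputs:
  rl-verbose:
    description: 'Make the scanner more verbose'
    required: false
    default: "false"
    # type: bool
  artifact-to-scan:
    description: 'Path to the package file (artifact) you want to scan'
    required: true
    # type: string
  report-path:
    description: 'Path to a directory where the reports will be saved (must be a new directory, with a path relative to the github.workspace)'
    required: false
    default: "MyReportDir"
    # type: string
  rl-portal-server:
    description: 'the server namespace used for your company'
    required: true
    # type: string
  rl-portal-org:
    description: 'the organisation set up on the portal server for your company'
    required: true
    # type: string
  rl-portal-group:
    description: 'the group you want the scan to use (you must be a member of that group)'
    required: true
    # type: string
  rl-package-url:
    description: 'A package url to use for this scan'
    required: false
    default: ""
    # type: string
  rl-diff-with:
    description: 'Perform a diff scan against the provided version'
    required: false
    default: ""
    # type: string
  rl-submit-only:
    description: 'Optionally do not wait for the scan result: bool: default False'
    required: false
    default: "false"
    # type: bool
  rl-timeout:
    description: 'Amount of time (in minutes), the user is willing to wait for analysis before failing'
    required: false
    default: "20"
    # type: int
  rl-proxy-server:
    description: 'An optional proxy server to use'
    required: false
    default: ""
    # type: string
  rl-proxy-port:
    description: 'An optional proxy server port to use'
    required: false
    default: ""
    # type: string
  rl-proxy-user:
    description: 'An optional proxy server user to use'
    required: false
    default: ""
    # type: string
  rl-proxy-password:
    description: 'An optional proxy server password to use'
    required: false
    default: ""
    # type: string
    # Callers should supply this from a `secrets.*` reference so the value is
    # masked in the job log; it is forwarded unchanged to the scanner step.
  ref-sha:
    description: 'Reference SHA of the commit or pull request'
    required: false
    # Prefer the PR head SHA when the event is a pull request, else the pushed SHA.
    default: "${{ github.event.pull_request.head.sha || github.sha }}"
    # type: string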
# Both outputs are forwarded verbatim from the `rl-scan` step below.
outputs:
  description:
    description: 'The result of the action: a string terminating in FAIL or PASS'
    value: "${{ steps.rl-scan.outputs.description }}"
  status:
    description: 'The single word result of the action: success, failure or error'
    value: "${{ steps.rl-scan.outputs.status }}"
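runs:
  using: "composite"
  steps:
    # -------------------------------------------
    # Set the analysis status to pending
    - name: Set the pending status
      uses: ouzi-dev/commit-status-updater@219d3f932547cad092e384c7a36bf4d963739c35 # v2.0.1
      with:
        addHoldComment: "true"
    # -------------------------------------------
    # Run the reversinglabs/rl-scanner-cloud
    # NOTE(review): this is the only step referenced by a mutable tag (@v1);
    # every other `uses:` here is pinned to a commit SHA. Pin it the same way
    # once the intended commit is known, to keep the supply chain reproducible.
    - name: ReversingLabs apply rl-scanner-cloud to the build artifact
      id: rl-scan
      uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
      with: # we expect RLPORTAL_ACCESS_TOKEN to be set in the environment
        rl-verbose: ${{ inputs.rl-verbose }}
        rl-portal-server: ${{ inputs.rl-portal-server }}
        rl-portal-org: ${{ inputs.rl-portal-org }}
        rl-portal-group: ${{ inputs.rl-portal-group }}
        artifact-to-scan: ${{ inputs.artifact-to-scan }}
        report-path: ${{ inputs.report-path }}
        rl-package-url: ${{ inputs.rl-package-url }}
        rl-diff-with: ${{ inputs.rl-diff-with }}
        rl-submit-only: ${{ inputs.rl-submit-only }}
        rl-timeout: ${{ inputs.rl-timeout }}
        rl-proxy-server: ${{ inputs.rl-proxy-server }}
        rl-proxy-port: ${{ inputs.rl-proxy-port }}
        rl-proxy-user: ${{ inputs.rl-proxy-user }}
        rl-proxy-password: ${{ inputs.rl-proxy-password }}
    # -------------------------------------
    # Upload the secure.software report to GitHub
    # Note: It is currently not possible to get the URL for the uploaded asset
    # Runs on scan failure too, so the report is available for a failed gate.
    - name: Upload the rl-scanner report
      if: success() || failure()
      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
      with:
        name: "report-${{ inputs.ref-sha }}"
        path: "${{ inputs.report-path }}"
    # -------------------------------------
    # Upload the Spectra Assure SARIF report to GitHub
    - name: Upload the SARIF report
      if: success() || failure()
      uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3
      with:
        sarif_file: "${{ inputs.report-path }}/report.sarif.json"
        category: rl-secure-scanner
    # -------------------------------------
    # Update the status from pending to failure/success and set the descriptive text
    - name: Set the analysis status
      if: success() || failure()
      uses: ouzi-dev/commit-status-updater@219d3f932547cad092e384c7a36bf4d963739c35 # v2.0.1
      with:
        addHoldComment: "true"
        description: ${{ steps.rl-scan.outputs.description }}
        status: ${{ steps.rl-scan.outputs.status }}
    # -------------------------------------
    # Return the proper exit status
    # The step output is handed to the script through an environment variable
    # instead of being interpolated into the script text, so the shell never
    # parses an expression result as code (GitHub's recommended pattern).
    - name: Set the exit status
      if: always()
      shell: bash
      env:
        RL_SCAN_STATUS: ${{ steps.rl-scan.outputs.status }}
      run: |
        case "$RL_SCAN_STATUS" in
          success)
            exit 0
            ;;
          failure)
            exit 1
            ;;
          *)
            # Anything else (including an empty value when rl-scan did not run)
            # is reported as an error distinct from a failed scan.
            exit 101
            ;;
        esac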