From df13ae017760724b37302ecef5ef414dcd791dd0 Mon Sep 17 00:00:00 2001
From: Prince Mathew
Date: Wed, 30 Oct 2024 00:17:28 +0530
Subject: [PATCH 1/9] Added reversing labs scanner support
---
 .github/actions/rl-scanner/action.yml | 73 +++++++++++++++++++++++++++
 .github/workflows/rl-scanner | 63 +++++++++++++++++++++++
 2 files changed, 136 insertions(+)
 create mode 100644 .github/actions/rl-scanner/action.yml
 create mode 100644 .github/workflows/rl-scanner
diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml
new file mode 100644
index 00000000..bc3f1022
--- /dev/null
+++ b/.github/actions/rl-scanner/action.yml
@@ -0,0 +1,73 @@ + +name: 'RL-Security-Scanner' +description: 'Runs the Reversing Labs scanner on a specified artifact.' +inputs: + artifact-path: + description: 'Path to the artifact to be scanned.' + required: true + version: + description: 'Version of the artifact.' + required: true + + +runs: + using: 'composite' + steps: + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + + - name: Install Python dependencies + shell: bash + run: | + pip install boto3 requests + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }} + aws-region: 'us-east-1' + mask-aws-account-id: true + + - name: Install RL Wrapper + shell: bash + run: | + pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" + + - name: Run RL Scanner + shell: bash + env: + RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }} + PYTHONUNBUFFERED: 1 + run: | + if [ ! -f "${{ inputs.artifact-path }}" ]; then + echo "Artifact not found: ${{ inputs.artifact-path }}" + exit 1 + fi + + rl-wrapper \ + --artifact "${{ inputs.artifact-path }}" \ + --version "${{ inputs.version }}" \ + --name "${{ github.event.repository.name }}" \ + --repository "${{ github.repository }}" \ + --commit "${{ github.sha }}" \ + --build-env "github_actions" \ + --suppress_output + + # Check the outcome of the scanner + if [ $? -ne 0 ]; then + echo "RL Scanner failed." + echo "scan-status=failed" >> $GITHUB_ENV + exit 1 + else + echo "RL Scanner passed." + echo "scan-status=success" >> $GITHUB_ENV + fi + +outputs: + scan-status: + description: 'The outcome of the scan process.' + value: ${{ env.scan-status }} 
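Review bot: In the Install RL Wrapper step, `pip install rl-wrapper>=1.0.0 --index-url ...` is parsed by bash as a redirection, so pip is asked for `rl-wrapper` with no version constraint and its stdout goes to a file named `=1.0.0`; quote the requirement, `pip install "rl-wrapper>=1.0.0" --index-url "..."`. The same step splices `PRODSEC_TOOLS_USER` and `PRODSEC_TOOLS_TOKEN` into the script text through `${{ env.* }}`; passing them through the step's `env:` and referencing `$PRODSEC_TOOLS_USER`/`$PRODSEC_TOOLS_TOKEN` in the shell keeps the credential out of the generated script, which is how the Run RL Scanner step already hands `RLSECURE_LICENSE` to its process. In Run RL Scanner, `shell: bash` runs with `-eo pipefail`, so a non-zero exit from `rl-wrapper` ends the step before `if [ $? -ne 0 ]` is reached and `scan-status=failed` is never written; test the command directly (`if rl-wrapper ... ; then`) or drop the dead branch. The action also references `actions/setup-python@v4` and `aws-actions/configure-aws-credentials@v1` by mutable tag, whereas the repository's existing setup action pins `mxcl/xcodebuild` to a commit SHA; pinning these the same way would be consistent.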
diff --git a/.github/workflows/rl-scanner b/.github/workflows/rl-scanner new file mode 100644 index 00000000..12ddd753 --- /dev/null +++ b/.github/workflows/rl-scanner @@ -0,0 +1,63 @@ +name: RL-Security-Scanner +run-name: rl-security-scanner + + +on: + pull_request: + types: + - closed + workflow_dispatch: + + + permissions: + id-token: write + contents: write + + +jobs: + rl-scanner: + name: Run Reversing Labs Scanner + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && github.event.pull_request.base.ref == 'master' && startsWith(github.event.pull_request.head.ref, 'release/')) + runs-on: ubuntu-latest + outputs: + scan-status: ${{ steps.rl-scan-conclusion.outcome }} + + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up + uses: ./.github/actions/setup + + - name: Build package + shell: bash + run: | + zip -r auth0-swift.zip ./* + + + - name: Get Artifact Version + id: get_version + run: | + version=$(awk -F'"' '/let version/ {print $2}' Auth0/Version.swift) + echo "version=$version" >> $GITHUB_OUTPUT + + + - name: Run Reversing Labs Scanner + id: rl-scan-conclusion + uses: ./.github/actions/rl-scanner + with: + artifact-path: "$(pwd)/auth0-swift.zip" + version: "${{ steps.get_version.outputs.version }}" + env: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + - name: Output scan result + run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV \ No newline at end of file From 345e5d329436c05d53005fa4aaf0ba1613db9496 Mon Sep 17 00:00:00 2001 
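Review bot: `contents: write` in the permissions block is broader than the job needs: its steps only check out, zip and scan, so `contents: read` suffices and keeps the job's token (which also carries `id-token: write` for the AWS role) from being able to push; the same block is rewritten unchanged in PATCH 9. `artifact-path: "$(pwd)/auth0-swift.zip"` is handed to the action as the literal text `$(pwd)/auth0-swift.zip`, since `with:` values are evaluated by the expression engine and not by a shell; it only resolves because the action later interpolates the input into a bash script, which is exactly the surface that makes script injection possible, so `artifact-path: ${{ github.workspace }}/auth0-swift.zip` gives the same path without relying on it. The `Output scan result` step is the job's last step, so its `>> $GITHUB_ENV` write has no consumer and can go.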
From: Prince Mathew Date: Wed, 30 Oct 2024 00:25:16 +0530 Subject: [PATCH 2/9] Added changes to test the RL workflow --- .github/workflows/rl-scanner | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/rl-scanner b/.github/workflows/rl-scanner index 12ddd753..a72fda8a 100644 --- a/.github/workflows/rl-scanner +++ b/.github/workflows/rl-scanner @@ -3,6 +3,9 @@ run-name: rl-security-scanner on: + push: + branches: + - 'reversing_labs' pull_request: types: - closed From e9c287b542e6f7f93e8057c157c9ae13a857181d Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Wed, 30 Oct 2024 00:35:46 +0530 Subject: [PATCH 3/9] Resolved wrong file name --- .github/workflows/{rl-scanner => rl-scanner.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{rl-scanner => rl-scanner.yml} (100%) diff --git a/.github/workflows/rl-scanner b/.github/workflows/rl-scanner.yml similarity index 100% rename from .github/workflows/rl-scanner rename to .github/workflows/rl-scanner.yml From 13fa50a9437385a125f38b053b50282854825f8d Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Wed, 30 Oct 2024 00:38:06 +0530 Subject: [PATCH 4/9] Permissions name resolved --- .github/workflows/rl-scanner.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index a72fda8a..180140b7 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -12,7 +12,7 @@ on: workflow_dispatch: - permissions: +permissions: id-token: write contents: write 
@@ -20,7 +20,7 @@ on: jobs: rl-scanner: name: Run Reversing Labs Scanner - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && github.event.pull_request.base.ref == 'master' && startsWith(github.event.pull_request.head.ref, 'release/')) + # if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && github.event.pull_request.base.ref == 'master' && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest outputs: scan-status: ${{ steps.rl-scan-conclusion.outcome }} From a27ebb5ae8525e5cc10838477e5bdc82d3a85cce Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Wed, 30 Oct 2024 00:48:30 +0530 Subject: [PATCH 5/9] adding xcode version for the set up error --- .github/workflows/rl-scanner.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 180140b7..ab5471c4 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -25,6 +25,12 @@ jobs: outputs: scan-status: ${{ steps.rl-scan-conclusion.outcome }} + + strategy: + matrix: + xcode: + - '15.0.1' + steps: - name: Checkout code @@ -33,7 +39,9 @@ jobs: fetch-depth: 0 - name: Set up - uses: ./.github/actions/setup + uses: ./.github/actions/setup + with: + xcode: ${{ matrix.xcode }} - name: Build package shell: bash From d3a521336d17bee4d5605cb715d9633286c3f677 Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Thu, 31 Oct 2024 13:57:51 +0530 Subject: [PATCH 6/9] Adding x86_64-linux platform to the bundle lock --- .github/actions/setup/action.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index 617792c9..af54311c 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml 
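Review bot: Commenting out the `if:` removes the only gate on a job that, together with the `push: branches: - 'reversing_labs'` trigger added in PATCH 2, now assumes the `PRODSEC_TOOLS_ARN` role through `id-token: write` and installs from the authenticated index on every push to that branch. If the gate has to be off for testing, `workflow_dispatch` (already in `on:`) allows manual runs without opening the credentials to branch pushes. PATCH 9 restores the gate and drops the push trigger, so this only affects the intermediate commits.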
@@ -22,3 +22,9 @@ runs: with: xcode: ${{ inputs.xcode }} action: none + + - name: Add x86_64-linux platform to Gemfile.lock + run: bundle lock --add-platform x86_64-linux + + - name: Install dependencies + run: bundle install --jobs 4 \ No newline at end of file From cb7013f2cb69b80605e886cd8e086cc4db4c03ea Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Thu, 31 Oct 2024 14:04:52 +0530 Subject: [PATCH 7/9] Removed the setup --- .github/actions/setup/action.yml | 8 +------- .github/workflows/rl-scanner.yml | 1 - 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index af54311c..55bd744f 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -21,10 +21,4 @@ runs: uses: mxcl/xcodebuild@6e60022a0cbe8c89278be2dd1773a2f68e7c5c87 with: xcode: ${{ inputs.xcode }} - action: none - - - name: Add x86_64-linux platform to Gemfile.lock - run: bundle lock --add-platform x86_64-linux - - - name: Install dependencies - run: bundle install --jobs 4 \ No newline at end of file + action: none \ No newline at end of file diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index ab5471c4..932ab80b 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -31,7 +31,6 @@ jobs: xcode: - '15.0.1' - steps: - name: Checkout code uses: actions/checkout@v4 From 11ddb5dc61a0ece66322f4a12a4e1a1ec3c40989 Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Thu, 31 Oct 2024 14:07:50 +0530 Subject: [PATCH 8/9] Resolving the rl error --- .github/workflows/rl-scanner.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 932ab80b..e7f97635 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml 
@@ -37,11 +37,6 @@ jobs: with: fetch-depth: 0 - - name: Set up - uses: ./.github/actions/setup - with: - xcode: ${{ matrix.xcode }} - - name: Build package shell: bash run: | From 93e3e044f635b49f0bb49a24ebcb3c5fada8ed62 Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Thu, 31 Oct 2024 21:29:40 +0530 Subject: [PATCH 9/9] Validation done removing testing code --- .github/workflows/rl-scanner.yml | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index e7f97635..2d3edeaf 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -1,35 +1,28 @@ name: RL-Security-Scanner run-name: rl-security-scanner - on: - push: - branches: - - 'reversing_labs' pull_request: types: - closed workflow_dispatch: - permissions: - id-token: write - contents: write - + id-token: write + contents: write jobs: rl-scanner: name: Run Reversing Labs Scanner - # if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && github.event.pull_request.base.ref == 'master' && startsWith(github.event.pull_request.head.ref, 'release/')) + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && github.event.pull_request.base.ref == 'master' && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest outputs: scan-status: ${{ steps.rl-scan-conclusion.outcome }} - strategy: - matrix: - xcode: - - '15.0.1' + matrix: + xcode: + - "15.0.1" steps: - name: Checkout code @@ -40,8 +33,7 @@ jobs: - name: Build package shell: bash run: | - zip -r auth0-swift.zip ./* - + zip -r auth0-swift.zip ./* - name: Get Artifact Version id: get_version 
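Review bot: The `strategy.matrix.xcode` block retained here (now `- "15.0.1"`) has no consumer: the only reference to `matrix.xcode` was the Set up step that PATCH 8 removed, so the matrix just decorates the job name and can be dropped (`strategy:` through `- "15.0.1"`). The restored `if:` re-gates the job to manual runs and merged `release/*` pull requests into master, which with the `reversing_labs` push trigger removed is the intended trigger surface.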
@@ -49,7 +41,6 @@ jobs: version=$(awk -F'"' '/let version/ {print $2}' Auth0/Version.swift) echo "version=$version" >> $GITHUB_OUTPUT - - name: Run Reversing Labs Scanner id: rl-scan-conclusion uses: ./.github/actions/rl-scanner @@ -65,4 +56,4 @@ jobs: PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} - name: Output scan result - run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV \ No newline at end of file + run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV