diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml
new file mode 100644
index 0000000..aeabaa4
--- /dev/null
+++ b/.github/workflows/rl-scanner.yml
@@ -0,0 +1,93 @@
+name: RL-Secure
+run-name: rl-scanner
+
+on:
+ merge_group:
+ workflow_dispatch:
+ push:
+ branches: ["main"]
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+jobs:
+ rl-scanner:
+ if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request')
+ runs-on: ubuntu-latest
+
+ environment: security
+
+ permissions:
+ pull-requests: write
+ id-token: write # This is required for requesting the JWT
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.sha || github.ref }}
+
+ - name: Setup PHP
+ uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4
+ with:
+ php-version: 8.1
+
+ - name: Install dependencies
+ shell: bash
+ run: |
+ composer install --prefer-dist
+
+ - name: List file contents
+ run: |
+ ls -la
+
+ - name: Build PHP Package
+ shell: bash
+ run: |
+ zip -r auth0-php-package.zip
+
+ - name: Get Artifact Version
+ id: get_version
+ run: echo "::set-output name=version::$(cat .version)"
+
+ - name: Output build artifact
+ id: output_build_artifact
+ run: |
+ echo "scanfile=$(ls auth0-php-package.zip)" >> $GITHUB_OUTPUT
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: "3.10"
+
+ - name: Install Python dependencies
+ run: |
+ pip install --upgrade pip
+ pip install boto3 requests
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }}
+ aws-region: us-east-1
+ mask-aws-account-id: true
+
+ - name: Run Reversing Labs Wrapper Scanner
+ env:
+ RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+ RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+ SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+ WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+ PYTHONUNBUFFERED: 1
+ run: |
+ pip install rl-wrapper --index-url "$WRAPPER_INDEX_URL" && \
+ rl-wrapper \
+ --artifact "${{ steps.output_build_artifact.outputs.scanfile }}" \
+ --version "${{ steps.get_version.outputs.version }}" \
+ --name "${{ github.event.repository.name }}" \
+ --repository "${{ github.repository }}" \
+ --commit "${{ github.sha }}" \
+ --build-env "github_actions" \
+ --suppress_output
+ continue-on-error: true
\ No newline at end of file
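Review bot: The scanner step interpolates `${{ steps.get_version.outputs.version }}` straight into its `run` script, and that value is the raw content of `.version` from the checked-out pull-request head, so a PR that edits that file can place shell into a job that holds `id-token: write` and the assumed AWS role; pass it through the step's `env:` instead, e.g. `ARTIFACT_VERSION: ${{ steps.get_version.outputs.version }}` and `--version "$ARTIFACT_VERSION"`. The `Get Artifact Version` step also uses the deprecated `::set-output` while the next step already writes to `$GITHUB_OUTPUT`; `run: echo "version=$(cat .version)" >> "$GITHUB_OUTPUT"` keeps the two consistent. `zip -r auth0-php-package.zip` names no input path, so as written the build step appears to fail before anything is scanned — presumably `.` was intended. Pinning is inconsistent: `setup-php` is pinned to a commit SHA with the version in a comment, while `actions/checkout@v4`, `actions/setup-python@v4` and `aws-actions/configure-aws-credentials@v1` float on tags; pin all of them the same way so a moved tag cannot change what runs with these secrets.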