diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 0fb3f67f..5abbf033 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -5,20 +5,23 @@ on: merge_group: workflow_dispatch: push: - branches: ['master'] - -permissions: - contents: read + branches: ["master"] + pull_request: + types: + - opened + - synchronize jobs: rl-scanner: if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request') runs-on: ubuntu-latest + environment: security + permissions: pull-requests: write - id-token: write - + id-token: write # This is required for requesting the JWT + steps: - name: Checkout code uses: actions/checkout@v4 @@ -32,7 +35,11 @@ jobs: shell: bash run: | gem build *.gemspec - + + - name: Get Artifact Version + id: get_version + run: echo "::set-output name=version::$(cat .version)" + - name: Output build artifact id: output_build_artifact run: | @@ -41,17 +48,13 @@ jobs: - name: Set up Python uses: actions/setup-python@v4 with: - python-version: "3.10" + python-version: "3.10" - name: Install Python dependencies run: | pip install --upgrade pip pip install boto3 requests - - name: Get Artifact Version - id: get_version - run: echo "version=$(cat .version)" >> $GITHUB_ENV - - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 with: 
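Review bot: The job's `permissions` block (pull-requests: write, id-token: write) names no `contents` scope, and a job-level block sets every unlisted scope to none, so the `actions/checkout@v4` step later in this hunk runs with a GITHUB_TOKEN that has no contents permission; that is presumably fine for a public repository but will break checkout if the repository is private, and the now-removed top-level `permissions: contents: read` never applied to this job anyway because the job-level block overrides it. Adding `contents: read` to the job-level block documents the intent and keeps it working either way. The new `pull_request` trigger lists only `opened` and `synchronize`, so a reopened PR does not get re-scanned until a new push arrives; add `- reopened` if that is not intended. The `permissions` and `steps` mappings continue past the end of the hunk.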
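Review bot: The new "Get Artifact Version" step uses the `::set-output` workflow command, which GitHub deprecated in favour of the `$GITHUB_OUTPUT` file and which emits warnings on current runners; the equivalent is `run: echo "version=$(cat .version)" >> "$GITHUB_OUTPUT"`. The value is read verbatim from the checked-out `.version`, and with the `pull_request` trigger added in the first hunk that file comes from the PR head, so a multi-line or stray-whitespace value would be echoed to stdout where the runner parses workflow commands; normalising it to one line, e.g. `version=$(head -n1 .version | tr -d '\r')`, keeps the output to a single `version=` record. The old step (removed in the next hunk) wrote to `$GITHUB_ENV`, which never populated `steps.get_version.outputs.version`, so the move itself is the right fix.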
@@ -59,27 +62,21 @@ jobs: aws-region: us-east-1 mask-aws-account-id: true - - name: Install rl-wrapper + - name: Run Reversing Labs Wrapper Scanner env: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" + PYTHONUNBUFFERED: 1 run: | - pip install rl-wrapper --index-url $WRAPPER_INDEX_URL - - - name: Run Reversing Labs Wrapper Scanner - env: - RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} - RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} - SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} - WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" - PYTHONUNBUFFERED: 1 - run: | - pip install rl-wrapper --index-url "$WRAPPER_INDEX_URL" && \ - rl-wrapper \ - --artifact "${{ steps.output_build_artifact.outputs.scanfile }}" \ - --version "${{ steps.get_version.outputs.version }}" \ - --name "${{ github.event.repository.name }}" \ - --repository "${{ github.repository }}" \ - --commit "${{ github.sha }}" \ - --build-env "github_actions" \ - --suppress_output - continue-on-error: true \ No newline at end of file + pip install rl-wrapper --index-url "$WRAPPER_INDEX_URL" && \ + rl-wrapper \ + --artifact "${{ steps.output_build_artifact.outputs.scanfile }}" \ + --version "${{ steps.get_version.outputs.version }}" \ + --name "${{ github.event.repository.name }}" \ + --repository "${{ github.repository }}" \ + --commit "${{ github.sha }}" \ + --build-env "github_actions" \ + --suppress_output + continue-on-error: true \ No newline at end of file
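Review bot: The merged step interpolates `${{ steps.get_version.outputs.version }}` and `${{ steps.output_build_artifact.outputs.scanfile }}` directly into the `run:` script, and the version value originates from a repository file that is PR-head content under the new `pull_request` trigger, so the shell quoting around it is decided by the file's contents rather than by the workflow. Passing those values through the step's `env` block, `ARTIFACT_VERSION: ${{ steps.get_version.outputs.version }}` and then `--version "$ARTIFACT_VERSION"` (likewise for the scan file), keeps them as plain environment variables that the shell never re-parses. `pip install rl-wrapper` is unpinned, so each run installs whatever the private index currently serves; pinning to `rl-wrapper==<pinned version>` makes the scanner version reproducible from the commit. `continue-on-error: true` means an install failure, a license error or a failed scan still leaves the check green, so if this job is meant to gate PRs it needs a follow-up that surfaces the step's `outcome` or the flag should be dropped. The enclosing `steps` list and job start before this hunk.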