Skip to content

Commit

Permalink
Add RL-Secure workflow for scanning build artifacts (#634)
Browse files Browse the repository at this point in the history
### Changes

Please describe both what is changing and why this is important.
Include:

- Endpoints added, deleted, deprecated, or changed
- Classes and methods added, deleted, deprecated, or changed
- Screenshots of new or changed UI, if applicable
- A summary of usage if this is a new feature or change to a public API
(this should also be added to relevant documentation once released)
- Any alternative designs or approaches considered

### References

Please include relevant links supporting this change such as a:

- support ticket
- community post
- StackOverflow post
- support forum thread

### Testing

Please describe how this can be tested by reviewers. Be specific about
anything not tested and reasons why. If this library has unit and/or
integration testing, tests should be added for new functionality and
existing tests should complete without errors.

- [ ] This change adds unit test coverage
- [ ] This change adds integration test coverage
- [ ] This change has been tested on the latest version of the
platform/language or why not

### Checklist

- [ ] I have read the [Auth0 general contribution
guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
- [ ] I have read the [Auth0 Code of
Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
- [ ] All existing and new tests complete without errors
  • Loading branch information
developerkunal authored Oct 30, 2024
1 parent 94c7e3d commit 49b8be4
Show file tree
Hide file tree
Showing 3 changed files with 170 additions and 1 deletion.
71 changes: 71 additions & 0 deletions .github/actions/rl-scanner/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
name: "Reversing Labs Scanner"
description: "Runs the Reversing Labs scanner on a specified artifact."
inputs:
artifact-path:
description: "Path to the artifact to be scanned."
required: true
version:
description: "Version of the artifact."
required: true

runs:
using: "composite"
steps:
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.10"

- name: Install Python dependencies
shell: bash
run: |
pip install boto3 requests
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
aws-region: us-east-1
mask-aws-account-id: true

- name: Install RL Wrapper
shell: bash
run: |
pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
- name: Run RL Scanner
shell: bash
env:
RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
PYTHONUNBUFFERED: 1
run: |
if [ ! -f "${{ inputs.artifact-path }}" ]; then
echo "Artifact not found: ${{ inputs.artifact-path }}"
exit 1
fi
rl-wrapper \
--artifact "${{ inputs.artifact-path }}" \
--name "${{ github.event.repository.name }}" \
--version "${{ inputs.version }}" \
--repository "${{ github.repository }}" \
--commit "${{ github.sha }}" \
--build-env "github_actions" \
--suppress_output
# Check the outcome of the scanner
if [ $? -ne 0 ]; then
echo "RL Scanner failed."
echo "scan-status=failed" >> $GITHUB_ENV
exit 1
else
echo "RL Scanner passed."
echo "scan-status=success" >> $GITHUB_ENV
fi
outputs:
scan-status:
description: "The outcome of the scan process."
value: ${{ env.scan-status }}
15 changes: 14 additions & 1 deletion .github/workflows/publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,23 @@ permissions:
id-token: write # Required for trusted publishing to PyPI

jobs:
rl-scanner:
uses: ./.github/workflows/rl-scanner.yml
with:
node-version: 18
artifact-name: "auth0-python.tgz"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
publish-pypi:
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
name: "PyPI"
runs-on: ubuntu-latest
needs: rl-scanner
environment: release

steps:
Expand All @@ -23,7 +36,7 @@ jobs:
with:
fetch-depth: 0
fetch-tags: true

# Get the version from the branch name
- id: get_version
uses: ./.github/actions/get-version
Expand Down
85 changes: 85 additions & 0 deletions .github/workflows/rl-scanner.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
name: RL-Secure Workflow
name: RL-Secure Workflow

on:
workflow_call:
inputs:
python-version:
required: true
type: string
artifact-name:
required: true
type: string
secrets:
RLSECURE_LICENSE:
required: true
RLSECURE_SITE_KEY:
required: true
SIGNAL_HANDLER_TOKEN:
required: true
PRODSEC_TOOLS_USER:
required: true
PRODSEC_TOOLS_TOKEN:
required: true
PRODSEC_TOOLS_ARN:
required: true

jobs:
checkout-build-scan-only:
runs-on: ubuntu-latest

permissions:
pull-requests: write
id-token: write

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true

- name: Configure Python
uses: actions/setup-python@v5
with:
python-version: ${{ inputs.python-version }}

- name: Configure dependencies
run: |
pip install --user --upgrade pip
pip install --user pipx
pipx ensurepath
pipx install poetry==1.4.2
pip install --upgrade pip
pip install boto3 requests
poetry config virtualenvs.in-project true
poetry install --with dev
poetry self add "poetry-dynamic-versioning[plugin]==1.1.1"
- name: Build release
run: |
poetry build
- name: Create tgz build artifact
run: |
tar -czvf ${{ inputs.artifact-name }} *
- name: Get Artifact Version
id: get_version
run: echo "version=$(cat .version)" >> $GITHUB_ENV

- name: Run RL Scanner
id: rl-scan-conclusion
uses: ./.github/actions/rl-scanner
with:
artifact-path: "$(pwd)/${{ inputs.artifact-name }}"
version: "${{ steps.get_version.outputs.version }}"
env:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

- name: Output scan result
run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV

0 comments on commit 49b8be4

Please sign in to comment.