diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml
deleted file mode 100644
index f154981b6..000000000
--- a/.github/actions/rl-scanner/action.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-name: 'Reversing Labs Scanner'
-description: 'Runs the Reversing Labs scanner on a specified artifact.'
-inputs:
- artifact-path:
- description: 'Path to the artifact to be scanned.'
- required: true
- version:
- description: 'Version of the artifact.'
- required: true
-
-runs:
- using: 'composite'
- steps:
- - name: Set up Python
- uses: actions/setup-python@v4
- with:
- python-version: '3.10'
-
- - name: Install Python dependencies
- shell: bash
- run: |
- pip install boto3 requests
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
- with:
- role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
- aws-region: us-east-1
- mask-aws-account-id: true
-
- - name: Install RL Wrapper
- shell: bash
- env:
- PRODSEC_TOOLS_USER: ${{ env.PRODSEC_TOOLS_USER }}
- PRODSEC_TOOLS_TOKEN: ${{ env.PRODSEC_TOOLS_TOKEN }}
- run: |
- pip install rl-wrapper>=1.0.0 --index-url "https://${PRODSEC_TOOLS_USER}:${PRODSEC_TOOLS_TOKEN}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
-
- - name: Run RL Scanner
- shell: bash
- env:
- RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
- RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
- SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
- PYTHONUNBUFFERED: 1
- ARTIFACT_PATH: ${{ inputs.artifact-path }}
- ARTIFACT_VERSION: ${{ inputs.version }}
- REPO_NAME: ${{ github.event.repository.name }}
- REPO_FULL: ${{ github.repository }}
- COMMIT_SHA: ${{ github.sha }}
- run: |
- if [ ! -f "$ARTIFACT_PATH" ]; then
- echo "Artifact not found: $ARTIFACT_PATH"
- exit 1
- fi
-
- rl-wrapper \
- --artifact "$ARTIFACT_PATH" \
- --name "$REPO_NAME" \
- --version "$ARTIFACT_VERSION" \
- --repository "$REPO_FULL" \
- --commit "$COMMIT_SHA" \
- --build-env "github_actions" \
- --suppress_output
-
- # Check the outcome of the scanner
- if [ $? -ne 0 ]; then
- echo "RL Scanner failed."
- echo "scan-status=failed" >> $GITHUB_ENV
- exit 1
- else
- echo "RL Scanner passed."
- echo "scan-status=success" >> $GITHUB_ENV
- fi
-
-outputs:
- scan-status:
- description: 'The outcome of the scan process.'
- value: ${{ env.scan-status }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index be16ee195..232883bc7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,9 +24,11 @@ jobs:
 RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
 RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
 SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+ SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }}
 PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
 PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
 PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+ PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }}

 rl-scanner-authentication:
 uses: ./.github/workflows/rl-secure.yml
@@ -37,9 +39,11 @@ jobs:
 RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
 RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
 SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+ SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }}
 PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
 PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
 PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+ PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }}

 rl-scanner-management:
 uses: ./.github/workflows/rl-secure.yml
@@ -50,9 +54,11 @@ jobs:
 RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
 RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
 SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+ SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }}
 PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
 PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
 PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+ PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }}

 auth:
 name: Auth0.Core + Auth0.AuthenticationApi
diff --git a/.github/workflows/rl-secure.yml b/.github/workflows/rl-secure.yml
index 508f80368..762cfd846 100644
--- a/.github/workflows/rl-secure.yml
+++ b/.github/workflows/rl-secure.yml
@@ -17,12 +17,16 @@ on:
 required: true
 SIGNAL_HANDLER_TOKEN:
 required: true
+ SIGNAL_HANDLER_DOMAIN:
+ required: true
 PRODSEC_TOOLS_USER:
 required: true
 PRODSEC_TOOLS_TOKEN:
 required: true
 PRODSEC_TOOLS_ARN:
 required: true
+ PRODSEC_PYTHON_TOOLS_REPO:
+ required: true

 jobs:
 rl-scanner:
@@ -63,17 +67,19 @@ jobs:
 - name: Run RL Scanner
 id: rl-scan-conclusion
- uses: ./.github/actions/rl-scanner
+ uses: auth0/devsecops-tooling/.github/actions/rl-scan@main
 with:
+ artifact-name: ${{ inputs.artifact-name }}
 artifact-path: ${{ github.workspace }}/${{ inputs.artifact-name }}
 version: "${{ steps.get_version.outputs.version }}"
-
 env:
 RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
 RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
 SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+ SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }}
+ PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
 PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
 PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
- PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
-
+ PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }}
+
 - name: Output scan result
 run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV
\ No newline at end of file
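Review bot: The two new `workflow_call` secrets, `SIGNAL_HANDLER_DOMAIN` and `PRODSEC_PYTHON_TOOLS_REPO`, are declared `required: true` with no `description:`, so a caller of this reusable workflow cannot tell from the file what value each expects — in particular whether `PRODSEC_PYTHON_TOOLS_REPO` is a package-index URL or a repository name. The `secrets:` block of a reusable workflow accepts a `description:` per entry; I would add one to each new secret stating its expected form, e.g. `description: 'Domain of the signal-handler endpoint used by the rl-scan action'` for the first and, for the second, a sentence naming the exact form the rl-scan action consumes. The enclosing `on: workflow_call:` block starts above the hunk.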
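Review bot: `uses: auth0/devsecops-tooling/.github/actions/rl-scan@main` pins the scanner to a mutable branch, while the same step hands that action every scanner credential through `env` (RLSECURE_LICENSE, RLSECURE_SITE_KEY, SIGNAL_HANDLER_TOKEN, PRODSEC_TOOLS_TOKEN, PRODSEC_TOOLS_ARN, PRODSEC_PYTHON_TOOLS_REPO), so any later push to that repository's `main` silently changes what runs against the release artifact with those secrets in scope, and a past release cannot be re-run against the same scanner code. Pin the action to a full commit SHA and record the version in a trailing comment, e.g. `uses: auth0/devsecops-tooling/.github/actions/rl-scan@<full-commit-sha> # <tag or version>`, and let the repository's dependency updater move the pin. The previously local action was reviewable in this repository; with a remote action it is worth a one-line comment above the step noting where the scan logic now lives and that it runs with the listed secrets in its environment. The file also still ends without a trailing newline, and the enclosing `rl-scanner` job begins above the hunk.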