First pass

.github/actions/rl-scanner/action.yml

@@ -0,0 +1,66 @@
+name: 'Reversing Labs Scanner'
+description: 'Runs the Reversing Labs scanner on a specified artifact.'
+inputs:
+  artifact-path:
+    description: 'Path to the artifact to be scanned.'
+    required: true
+  version:
+    description: 'Version of the artifact.'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.10'
+
+    - name: Install Python dependencies
+      shell: bash
+      run: |
+        pip install boto3 requests
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
+        aws-region: us-east-1
+        mask-aws-account-id: true
+
+    - name: Install RL Wrapper
+      shell: bash
+      run: |
+        pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+    - name: Run RL Scanner
+      shell: bash
+      env:
+        RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
+        RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
+        SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
+        PYTHONUNBUFFERED: 1
+      run: |
+        if [ ! -f "${{ inputs.artifact-path }}" ]; then
+          echo "Artifact not found: ${{ inputs.artifact-path }}"
+          exit 1
+        fi
+        rl-wrapper \
+          --artifact "${{ inputs.artifact-path }}" \
+          --name "${{ github.event.repository.name }}" \
+          --version "${{ inputs.version }}" \
+          --repository "${{ github.repository }}" \
+          --commit "${{ github.sha }}" \
+          --build-env "github_actions" \
+          --suppress_output
+        # Check the outcome of the scanner
+        if [ $? -ne 0 ]; then
+          echo "RL Scanner failed."
+          echo "scan-status=failed" >> $GITHUB_ENV
+          exit 1
+        else
+          echo "RL Scanner passed."
+          echo "scan-status=success" >> $GITHUB_ENV
+        fi
+outputs:
+  scan-status:
+    description: 'The outcome of the scan process.'
+    value: ${{ env.scan-status }}

.github/workflows/release.yml

@@ -47,3 +47,15 @@ jobs:
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
           # GitHub sets this automatically
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # TODO
+  # rl-scanner:
+  #   uses: ./.github/workflows/rl-scanner.yml
+  #   secrets:
+  #     RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+  #     RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+  #     SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+  #     PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+  #     PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+  #     PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+  #   needs: goreleaser

.github/workflows/rl-scanner.yml

@@ -0,0 +1,174 @@
+name: Post-Release Scan
+
+on:
+  push:
+    branches:
+      - hjet/add-rl-scan
+  workflow_call:
+    inputs:
+      version_tag:
+        type: string
+        description: "Release version to scan"
+        required: true
+        default: "v0.5.3"
+    secrets:
+      RLSECURE_LICENSE:
+        required: true
+      RLSECURE_SITE_KEY:
+        required: true
+      SIGNAL_HANDLER_TOKEN:
+        required: true
+      PRODSEC_TOOLS_USER:
+        required: true
+      PRODSEC_TOOLS_TOKEN:
+        required: true
+      PRODSEC_TOOLS_ARN:
+        required: true
+
+env:
+  VERSION_TAG: ${{ inputs.version_tag || 'v0.5.3' }}
+
+jobs:
+  verify-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Confirm gh CLI is installed
+        run: |
+          which gh
+          gh --version
+
+      - name: Download latest release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release download $VERSION_TAG \
+            --repo "${{ github.repository }}" \
+            --clobber
+
+          echo "Downloaded all release files:"
+          ls -l || echo "No files downloaded."
+
+      - name: Verify checksums
+        run: |
+          CHECKSUM_FILE=$(ls -1 *_SHA256SUMS 2>/dev/null || true)
+          if [ -z "$CHECKSUM_FILE" ]; then
+            echo "No SHA256SUMS file found; failing the job..."
+            exit 1
+          fi
+
+          echo "Verifying checksums with $CHECKSUM_FILE..."
+          sha256sum --check "$CHECKSUM_FILE"
+      
+      - name: Gather zip files
+        id: gather-zips
+        run: |
+          ZIPS=$(ls -1 *.zip 2>/dev/null)
+          if [ -z "$ZIPS" ]; then
+            echo "No ZIP files found to scan; failing..."
+            exit 1
+          fi
+
+          echo "Found ZIP files:"
+          echo "$ZIPS"
+
+          ZIPS_JSON=$(echo "$ZIPS" | jq -R . | jq -s .)
+          echo "zips=$ZIPS_JSON" >> $GITHUB_OUTPUT
+      
+      - name: Upload ZIP artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: zips
+          path: "*.zip"
+
+  scan-artifacts:
+    needs: verify-release
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        zip-file: ${{ fromJson(needs.verify-release.outputs.zips) }}
+    steps:
+      - name: Download ZIP artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: zips
+          path: "."
+
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: List files
+        run: ls -l
+
+      - name: Run RL Scanner
+        id: rl-scan-conclusion
+        uses: ./.github/actions/rl-scanner
+        with:
+          artifact-path: "$(pwd)/${{ matrix.zip-file }}"
+          version: "${{ env.VERSION_TAG }}"
+        env:
+          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+      - name: Output scan result
+        run: |
+          # Store the RL Scanner outcome in the GITHUB_ENV with a unique key per zip file
+          echo "scan-status-${{ matrix.zip-file }}=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV
+
+
+
+
+
+
+
+
+
+
+
+
+
+      - name: Unzip first artifact
+        run: |
+          FIRST_ZIP=$(ls -1 *.zip 2>/dev/null | head -n1)
+          if [ -z "$FIRST_ZIP" ]; then
+            echo "No ZIP files found to unzip; failing..."
+            exit 1
+          fi
+
+          echo "First artifact: $FIRST_ZIP"
+          mkdir extracted
+          unzip -q "$FIRST_ZIP" -d extracted
+          echo "Contents of extracted/:"
+          ls -l extracted
+
+      - name: SHA of unzipped artifact
+        run: |
+          FIRST_FILE=$(ls -1 extracted | head -n1)
+          if [ -z "$FIRST_FILE" ]; then
+            echo "No files in 'extracted/' directory; failing..."
+            exit 1
+          fi
+
+          echo "Computing SHA of extracted/$FIRST_FILE ..."
+          sha256sum "extracted/$FIRST_FILE"
+
+      - name: Run RL Scanner
+        id: rl-scan-conclusion
+        uses: ./.github/actions/rl-scanner
+        with:
+          artifact-path: "$(pwd)/${{ inputs.artifact-name }}"
+          version: "${{ steps.get_version.outputs.version }}"
+        env:
+          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+      - name: Output scan result
+        run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV