---
# Reusable workflow: scans a downloaded build artifact with the SSCB
# (Security Scan for Compiled Binaries) tool on a self-hosted Linux or
# Windows runner, filters out dispositioned findings via tool.py/config.yaml,
# and fails the job when an undispositioned finding remains.
name: Security Scan for Compiled Binaries
permissions: read-all
on:
  workflow_call:
    inputs:
      output_prefix:
        description: 'Prefix to add to output artifacts'
        required: false
        default: ''
        type: string
      os:
        description: 'Operating system'
        required: true
        type: string
      artifact_name:
        description: 'Artifact to scan'
        required: true
        type: string
jobs:
  scan:
    runs-on: [self-hosted, "${{ inputs.os }}"]
    steps:
      # Self-hosted runners keep state between jobs, so wipe the workspace
      # before and after the scan.
      - name: Cleanup workspace (Linux)
        if: always() && runner.os == 'Linux'
        run: sudo rm -rf ..?* .[!.]* *
      - name: Cleanup workspace (Windows)
        if: always() && runner.os == 'Windows'
        run: Remove-Item -Recurse -Force .\*
      - name: Download package
        uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.artifact_name }}
          path: package
      - name: Extract package (Linux)
        if: success() && runner.os == 'Linux'
        run: unzip package/*.zip -d _install
      - name: Extract package (Windows)
        if: success() && runner.os == 'Windows'
        run: Expand-Archive -Force -Path package\*.zip -DestinationPath _install
      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          path: source
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Build Docker image (Linux)
        if: success() && runner.os == 'Linux'
        # Folded scalar: the lines below are joined into one docker command.
        run: >
          docker build "source/.github/workflows/sscb"
          -f "source/.github/workflows/sscb/Dockerfile.ubuntu.sscb"
          --build-arg USER_ID=$(id -u)
          --build-arg GROUP_ID=$(id -g)
          -t vpl_sscb:ubuntu
          --build-arg "SSCB_TOOL_URL=${{ vars.COMPILER_SETTINGS_TOOL_URL }}"
      - name: Run SSCB Scan (Linux)
        if: success() && runner.os == 'Linux'
        run: |
          cat >action.sh <<EOL
          #!/bin/bash
          set -x
          set -o errexit ; set -o nounset
          sscb run --path _install --outpath _logs --report_name Linux
          EOL
          chmod +x action.sh
          docker run --rm -v $PWD:/work -w /work vpl_sscb:ubuntu \
            /work/action.sh
      - name: Run SSCB Scan (Windows)
        if: success() && runner.os == 'Windows'
        run: |
          py -m venv venv
          venv\Scripts\activate
          py -m pip install --upgrade pip
          py -m pip install ${{ vars.COMPILER_SETTINGS_TOOL_URL }} --use-pep517
          sscb run --path "_install" --outpath "_logs" --report_name Windows
      # tool.py compares the scan report against the dispositions in
      # config.yaml; the job fails only on findings that are not dispositioned.
      - name: Filter dispositioned issues (Linux)
        if: success() && runner.os == 'Linux'
        run: |
          output=$(python3 source/.github/workflows/sscb/tool.py \
            _logs/SSCB_SCAN_results-Linux.json \
            source/.github/workflows/sscb/config.yaml)
          echo "$output"
          if [[ "$output" == "Fail" ]]; then
            echo "Failure detected."
            exit 1
          else
            echo "No failure detected."
          fi
      - name: Filter dispositioned issues (Windows)
        if: success() && runner.os == 'Windows'
        run: |
          py -m pip install pyyaml
          $output = py source\.github\workflows\sscb\tool.py `
            _logs\SSCB_SCAN_results-Windows.json `
            source\.github\workflows\sscb\config.yaml
          Write-Output $output
          if ($output -like '*Status: Fail*') {
            Write-Output "Failure detected."
            exit 1
          } else {
            Write-Output "No failure detected."
          }
      # Keep the disposition file next to the scan results so the uploaded
      # artifact records which findings were filtered and why.
      - name: Copy config.yaml to _logs (Linux)
        if: success() && runner.os == 'Linux'
        run: |
          sudo cp source/.github/workflows/sscb/config.yaml _logs/
      - name: Copy config.yaml to _logs (Windows)
        if: success() && runner.os == 'Windows'
        run: |
          cp source\.github\workflows\sscb\config.yaml _logs\
      - name: Record Artifacts
        uses: actions/upload-artifact@v4
        # Upload the logs even when the filter step failed the job.
        if: success() || failure()
        with:
          name: ${{ inputs.os }}-${{ inputs.output_prefix }}sscb
          path: _logs/*
      - name: Cleanup workspace (Linux)
        if: always() && runner.os == 'Linux'
        run: sudo rm -rf ..?* .[!.]* *
      - name: Cleanup workspace (Windows)
        if: always() && runner.os == 'Windows'
        run: Remove-Item -Recurse -Force .\*