---
name: IP Leak Scan
# The job only reads repository contents and uploads an artifact; it needs no
# write scope on the GITHUB_TOKEN.
permissions: read-all
on:
  workflow_dispatch:
    # allow direct call to support testing updates to disposition DB
    inputs:
      db_ref:
        description: 'The branch, tag or SHA to get DB from'
        default: ipldt
        type: string
      output_prefix:
        description: 'Prefix to add to output artifacts'
        required: false
        default: ''
        type: string
      docker_opts:
        description: 'extra options for docker build'
        required: false
        default: ''
        type: string
  workflow_call:
    inputs:
      db_ref:
        description: 'The branch, tag or SHA to get DB from'
        required: false
        type: string
      output_prefix:
        description: 'Prefix to add to output artifacts'
        required: false
        default: ''
        type: string
      docker_opts:
        description: 'extra options for docker build'
        required: false
        type: string
jobs:
  scan:
    runs-on: [self-hosted, Linux, docker]
    steps:
      # A self-hosted runner keeps its workspace between jobs. Remove
      # everything, dotfiles included, so state from an earlier run cannot
      # leak into this scan or its artifacts.
      - name: Cleanup workspace
        run: sudo rm -rf ..?* .[!.]* *
      - name: Checkout PR branch
        # Actions are referenced by major tag here; on a shared self-hosted
        # runner, pinning each `uses:` to a full commit SHA is the safer choice.
        uses: actions/checkout@v4
        with:
          path: source
      - name: Build Docker image
        # Caller-controlled input and the repository variable are passed
        # through environment variables instead of being expanded with ${{ }}
        # inside the script. An expression is substituted into the shell text
        # before it runs, so a value containing a quote or `;` would execute
        # as shell on the runner. $DOCKER_OPTS is deliberately left unquoted
        # so that several options can be supplied in one input.
        env:
          DOCKER_OPTS: ${{ inputs.docker_opts }}
          IPLDB_TOOL_URL: ${{ vars.IPLDB_TOOL_URL }}
        run: >
          docker build $DOCKER_OPTS
          -f "source/.github/workflows/ipldt/Dockerfile.ubuntu.ipldt"
          --build-arg USER_ID=$(id -u)
          --build-arg GROUP_ID=$(id -g)
          -t vpl_ipldt:ubuntu
          --build-arg "IPLDB_TOOL_URL=$IPLDB_TOOL_URL"
          "source/.github/workflows/ipldt"
      - name: Checkout Dispositions
        uses: actions/checkout@v4
        with:
          path: db
          ref: ${{ inputs.db_ref || 'ipldt' }}
      - name: Package Source
        # `git archive HEAD` packages only tracked files, so build output or
        # untracked files on the runner never reach the scanner.
        run: |
          pushd source
          git archive HEAD -o ../source.zip
          popd
      - name: Scan source in container
        # Default value, kept explicit: a non-zero exit from the scanner
        # fails the job.
        continue-on-error: false
        run: |
          cat <<'EOL' > action.sh
          #!/bin/bash
          set -x
          # errexit off so the pipeline's failure does not abort the script
          # before its status is recorded; pipefail on so $? is the scanner's
          # exit status rather than tee's (which is always 0).
          set +o errexit
          set -o pipefail
          /opt/ipldt3_lin_intel64/ipldt3_lin_intel64 \
            -i source.zip \
            -c 37 \
            --usedb db/ipldt_results.ip.db \
            --usedb db/ipldt_results.ipevt.db \
            --usedb db/ipldt_results.tm.db \
            -s db/stringfile.yaml.0 \
            --db-rel-path \
            --gendb _logs/ip-leak-scan/hits-linux.db \
            --r-overwrite \
            --r _logs/ip-leak-scan \
            | tee _logs/ipldt.txt
          ret=$?
          set +o pipefail
          exit $ret
          EOL
          chmod +x action.sh
          mkdir -p _logs/ip-leak-scan
          # The scanner runs in the image built above with the workspace
          # bind-mounted; the image is the only place the tool is installed.
          docker run --rm -v $PWD:/working -w /working \
            vpl_ipldt:ubuntu ./action.sh
          mv _logs/ipldt.txt _logs/ip-leak-scan/ipldt_results.txt
      - name: Report
        # Run on failure too, so a scan that found hits still gets its
        # output into the job summary.
        if: success() || failure()
        run: |
          echo '```' >> $GITHUB_STEP_SUMMARY
          cat _logs/ip-leak-scan/ipldt_results.txt >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
      - name: Record Artifacts
        uses: actions/upload-artifact@v4
        if: success() || failure()
        with:
          name: ${{ inputs.output_prefix }}ip-leak-scan
          path: _logs/ip-leak-scan
      # Same cleanup as at the start: do not leave source.zip, the
      # disposition DB or scan results behind on the shared runner.
      - name: Cleanup workspace
        run: sudo rm -rf ..?* .[!.]* *
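The `action.sh` script in the "Scan source in container" step relies on a small but important detail: the scanner's output is piped through `tee` so it lands in both the job log and a file, and `pipefail` is what makes the step fail when the scanner fails. The following is an added example, not part of the workflow or of the ipldt tool, that isolates that pattern into a reusable function and sets it beside the naive version to show why the option matters. `run_logged`, `run_logged_naive` and `fake_scanner` are names chosen for this example; `fake_scanner` is a constructed stand-in that exits with its hit count, not the real scanner.

```shell
#!/bin/bash
# Run a command, tee its combined output into a log file, and return the
# command's own exit status rather than tee's. This is the action.sh pattern
# from the workflow (errexit off, pipefail on, capture $?, restore) as a
# function, so any CI step that must both log and fail correctly can use it.
#
# Usage: run_logged LOGFILE CMD [ARGS...]
run_logged() {
    local log="$1"; shift
    local rc had_errexit=0
    mkdir -p "$(dirname "$log")"
    # Remember whether the caller had errexit on so it can be restored.
    case $- in *e*) had_errexit=1 ;; esac
    # With errexit off the failing pipeline does not abort the shell before
    # its status is recorded; with pipefail on, $? is the rightmost non-zero
    # status in the pipeline (the scanner's) instead of tee's (always 0).
    set +o errexit
    set -o pipefail
    "$@" 2>&1 | tee "$log"
    rc=$?
    set +o pipefail
    [ "$had_errexit" -eq 1 ] && set -o errexit
    return "$rc"
}

# The same pipeline without pipefail: $? is tee's exit status, so a failing
# scanner is reported as success and the job goes green. Included only to
# show the failure mode the workflow guards against.
run_logged_naive() {
    local log="$1"; shift
    local rc had_errexit=0
    mkdir -p "$(dirname "$log")"
    case $- in *e*) had_errexit=1 ;; esac
    set +o errexit
    set +o pipefail
    "$@" 2>&1 | tee "$log"
    rc=$?
    [ "$had_errexit" -eq 1 ] && set -o errexit
    return "$rc"
}

# Constructed stand-in for the scanner binary (not the real ipldt tool):
# prints two findings and exits with the number of hits.
fake_scanner() {
    echo "hit: src/a.c: matches pattern 37"
    echo "hit: src/b.c: matches pattern 12"
    return 2
}

# Stand-alone demo, mirroring the workflow's _logs layout.
if [ "${1:-}" = "--demo" ]; then
    run_logged _logs/ip-leak-scan/ipldt_results.txt fake_scanner
    echo "run_logged exit status: $?"
    run_logged_naive _logs/ip-leak-scan/naive.txt fake_scanner
    echo "run_logged_naive exit status: $?"
fi
```

An alternative to `pipefail` in bash is to read `${PIPESTATUS[0]}` right after the pipeline; `pipefail` is used here because it also works when the script is later reduced to POSIX `sh` with a shell that supports the option, and because it keeps the status handling on one line next to the pipeline it protects.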