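# (C) Copyright 2023 Hewlett Packard Enterprise Development LP
#
# Scans the checked-out repository with ClamAV on every pull request and on
# pushes to main/master, uploads the scan report to S3 and tags the uploaded
# object with the repository identity and the infected-file count.
---
name: Malware Scan

on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches:
      - main
      - master

jobs:
  scan_repository:
    name: "Scan Virus on Repository"
    runs-on: "ubuntu-latest"
    # id-token is needed so configure-aws-credentials can exchange the OIDC
    # token for the upload role; nothing in this job writes to the repository.
    # NOTE(review): pull_request runs from forks do not receive an OIDC token,
    # so the AWS steps are expected to fail there — confirm this is intended.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: "Checkout Repository"
        # NOTE(review): the action ref below looks mangled in the rendered
        # source; restore the intended tag (better: pin to a full commit SHA).
        uses: "actions/[email protected]"
        with:
          fetch-depth: 0

      - name: "Scan Source for Viruses"
        id: scan
        # Workflow expressions are passed through env rather than expanded
        # inside the script so their values are never re-interpreted by bash.
        env:
          REPO_NAME: ${{ github.event.repository.name }}
          WORKSPACE: ${{ github.workspace }}
        run: |
          SHA_SHORT=$(git rev-parse --short HEAD)
          SCAN_OUTPUT="/tmp/clamav-repository-results-${REPO_NAME}-${SHA_SHORT}-$(date +%s).txt"
          echo "scan_output=${SCAN_OUTPUT}" >> "$GITHUB_OUTPUT"
          # The report is written by tee on the runner; the container only
          # needs read access to the workspace, so host /tmp is not mounted.
          docker run --rm -v "${WORKSPACE}:/scandir:ro" clamav/clamav:stable \
            clamscan --infected --recursive --max-files=0 --max-filesize=0 \
            --max-scansize=0 --max-recursion=1000 --max-dir-recursion=1000 \
            /scandir | tee -a "$SCAN_OUTPUT"
          # clamscan exits 1 when infected files are found and 2 on error;
          # tee's exit status would otherwise mask both.
          SCAN_STATUS=${PIPESTATUS[0]}
          # Summary line looks like "Infected files: N"; default to 0 if absent.
          INFECTED_FILES=$(grep '^Infected' "$SCAN_OUTPUT" | awk '{print $NF}' | tail -n 1)
          INFECTED_FILES=${INFECTED_FILES:-0}
          echo "infected_files=${INFECTED_FILES}" >> "$GITHUB_OUTPUT"
          # Fail explicitly instead of `exit $INFECTED_FILES`: exit codes wrap
          # at 256, so 256 infected files would have reported success.
          if [ "$INFECTED_FILES" -ne 0 ]; then
            echo "::error::${INFECTED_FILES} infected file(s) found"
            exit 1
          fi
          # A scan that errored out must not be reported as clean.
          if [ "$SCAN_STATUS" -ne 0 ]; then
            echo "::error::clamscan exited with status ${SCAN_STATUS}"
            exit "$SCAN_STATUS"
          fi

      - name: "Configure AWS Credentials"
        if: always()
        # NOTE(review): mutable major tag; consider pinning to a full commit SHA.
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::522637239241:role/s3-avscan-upload
          role-session-name: malware-scan-upload
          aws-region: us-west-2

      - name: "Upload Source Scan Results"
        if: always()
        env:
          SCAN_OUTPUT: ${{ steps.scan.outputs.scan_output }}
        run: aws s3 cp "$SCAN_OUTPUT" s3://glcs-cloud-security-dev-avscan.hpe-hcss.hpe.com/

      - name: "Tag Scan Upload"
        if: always()
        env:
          GH_OWNER: ${{ github.repository_owner }}
          GH_REPO: ${{ github.event.repository.name }}
          INFECTED_FILES: ${{ steps.scan.outputs.infected_files }}
          SCAN_OUTPUT: ${{ steps.scan.outputs.scan_output }}
        run: |
          OBJECT_KEY=$(basename "$SCAN_OUTPUT")
          aws s3api put-object-tagging \
            --bucket glcs-cloud-security-dev-avscan.hpe-hcss.hpe.com \
            --key "$OBJECT_KEY" \
            --tagging "{\"TagSet\": [{ \"Key\": \"github_owner\", \"Value\": \"$GH_OWNER\" },{ \"Key\": \"github_repository\", \"Value\": \"$GH_REPO\"},{\"Key\": \"infected_files\", \"Value\": \"$INFECTED_FILES\"}]}"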