diff --git a/.github/workflows/scripts/codeScan/trellix.sh b/.github/workflows/scripts/codeScan/trellix.sh
new file mode 100644
index 0000000000..8cd13e0906
--- /dev/null
+++ b/.github/workflows/scripts/codeScan/trellix.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Copyright (c) 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source ${workspace}/.github/workflows/scripts/change_color
+log_dir=${workspace}/.github/workflows/scripts/codeScan
+
+
+echo "---Updating definition (DAT) files ---"
+DEFS_URL=https://update.nai.com/products/commonupdater/current/vscandat1000/dat/0000
+echo "Finding latest defs at $DEFS_URL/avvdat.ini..." \
+ && wget -q $DEFS_URL/avvdat.ini \
+ && echo "SUCCESS" || fail
+
+inifile="avvdat.ini"
+filename=`awk -F"=" '$2 ~ /avvdat.*zip/ { print $2 } ' $inifile`
+filename2="$(echo -e "$(unknown)" | tr -d '[:space:]')"
+
+if [ -z "$filename2" ]
+then
+ echo "Cannot get defs information from INI file:"
+ cat $inifile
+ fail
+fi
+
+echo "Downloading latest defs from $DEFS_URL/$filename2..." \
+ && wget -q $DEFS_URL/$filename2 \
+ && echo "SUCCESS" || fail
+
+echo "Extracting latest defs..." \
+ && unzip -o $filename2 -d /usr/local/uvscan \
+ && echo "SUCCESS" || fail
+
+echo "--- Scanning ---"
+ENV_SCAN_OPTS="--analyze --mime --program --recursive --unzip --threads 4 --summary --verbose --html=${workspace}/.github/workflows/scripts/codeScan/report.html"
+echo "Scan Options: $ENV_SCAN_OPTS"
+
+rm -r ${workspace}/avvdat*
+rm -r ${workspace}/.git
+uvscan $ENV_SCAN_OPTS ${workspace} 2>&1 | tee ${log_dir}/trellix.log
+
+
+if [[ $(grep "Possibly Infected" ${log_dir}/trellix.log | sed 's/[^0-9]//g') != 0 ]]; then
+ $BOLD_RED && echo "Error!! Please Click on the artifact button to download and check error details." && $RESET
+ exit 1
+fi
+
+$BOLD_PURPLE && echo "Congratulations, Trellix Scan passed!" && $LIGHT_PURPLE && echo " You can click on the artifact button to see the log details." && $RESET
+exit 0
diff --git a/.github/workflows/trellix.yml b/.github/workflows/trellix.yml
new file mode 100644
index 0000000000..27d1d5f4ce
--- /dev/null
+++ b/.github/workflows/trellix.yml
@@ -0,0 +1,38 @@
+# Copyright (c) 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Trellix Command Line Scanner
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "35 1 * * 6"
+
+jobs:
+ Trellix:
+ runs-on: trellix
+ steps:
+ - name: Checkout out Repo
+ uses: actions/checkout@v4
+
+ - name: Run Trellix Scanner
+ env:
+ workspace: ${{ github.workspace }}
+ run: bash .github/workflows/scripts/codeScan/trellix.sh
+
+ - name: Publish pipeline artifact
+ if: ${{ !cancelled() }}
+ uses: actions/upload-artifact@v4
+ with:
+ path: ${{ github.workspace }}/.github/workflows/scripts/codeScan/report.html
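Review bot: A failed DAT update does not stop the scan: `fail` is not defined in this file (it may come from the sourced change_color, which is not in the diff), and without `set -e` the `|| fail` arms simply fall through, so the script continues into `uvscan` with stale or missing definitions and can still print "Trellix Scan passed!". Adding `set -euo pipefail` after the shebang makes every `|| fail` abort even if `fail` is undefined (a command-not-found status at the end of a `||` list exits under -e); if uvscan returns non-zero on a detection, append `|| true` to the tee pipeline so the grep check below it is still reached. The two `rm -r ${workspace}/...` lines resolve to `/.git` and `/avvdat*` whenever `workspace` is unset, e.g. when the script is run outside the workflow, so they should be quoted and guarded with `${workspace:?}`. Separately, `filename2` is built from `$(unknown)` while the awk result stored in `$filename` on the line above is never read, which as written makes the `-z` branch fire on every run. The sketch below shows only the changed lines.
```shell
#!/bin/bash
# … unchanged: license header …
set -euo pipefail
: "${workspace:?workspace must be exported by the workflow}"
source "${workspace}/.github/workflows/scripts/change_color"
# … unchanged: log_dir, avvdat.ini download, awk extraction into $filename …
filename2="$(printf '%s' "${filename}" | tr -d '[:space:]')"
# … unchanged: empty check, DAT download, unzip, scan options …
rm -rf -- "${workspace}/avvdat"*   # -f: an unmatched glob must not abort under -e
rm -rf -- "${workspace}/.git"
# keep the log-based verdict below reachable if uvscan exits non-zero on a detection
uvscan $ENV_SCAN_OPTS "${workspace}" 2>&1 | tee "${log_dir}/trellix.log" || true
# … unchanged: "Possibly Infected" check and exit …
```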
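Review bot: The job runs with the default GITHUB_TOKEN permissions although neither step needs write access; a top-level `permissions:` block with `contents: read` keeps a misbehaving scanner step or definition payload from being able to push to the repository. Both actions are referenced by mutable tag (`actions/checkout@v4`, `actions/upload-artifact@v4`); for a security-scanning workflow on a self-hosted runner, pinning to a full commit SHA with the tag in a trailing comment is the usual hardening. The upload step publishes only `report.html`, while the script's messages tell the reader to open the artifact for "log details" and the script writes its log to `trellix.log` in the same directory; either add that file to `path:` or adjust the message so the artifact matches what it promises.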