chore: rebrand RMA to Qryon #36
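---
# Qryon Security Scan
#
# Runs the Qryon scanner over this repository and uploads its SARIF
# findings to GitHub Code Scanning.
#
# Supply-chain notes (review):
#   * The scanner binary is fetched from the latest GitHub release of
#     bumahkib7/qryon and executed on the runner. Nothing in this file
#     verifies a checksum or signature for that archive; add verification
#     (published checksum file or artifact attestation) once the release
#     provides one.
#   * Actions are pinned to mutable refs (`@v4`, `@stable`). Pinning to
#     full-length commit SHAs is the stronger guarantee; the SHAs are not
#     known from this file, so the refs are left as-is.
name: Qryon Security Scan

on:
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]
  workflow_dispatch:

# Least privilege: read the checkout, write code-scanning alerts, nothing else.
# NOTE(review): on pull_request events from forks GITHUB_TOKEN is read-only,
# so the SARIF upload is expected to fail there — confirm that is acceptable.
permissions:
  contents: read
  security-events: write

jobs:
  qryon-scan:
    name: Qryon Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # A third-party binary downloaded below is executed against this
          # checkout; do not leave the repo token in .git/config for it to
          # read. No later step pushes, so the token is not needed.
          persist-credentials: false

      - name: Download Qryon binary
        env:
          # Authenticated API call. Unauthenticated requests share a per-IP
          # rate limit on hosted runners; a rate-limited response carries no
          # tag_name, which would silently force the slow build-from-source
          # path below.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Resolve the latest release tag, or fall back to building from source.
          LATEST=$(curl -fsSL \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            https://api.github.com/repos/bumahkib7/qryon/releases/latest \
            | jq -r '.tag_name // empty' || true)

          if [ -n "$LATEST" ]; then
            # The tag is interpolated into a download URL below; reject
            # anything that is not a plain tag-like token.
            if ! [[ "$LATEST" =~ ^[A-Za-z0-9._-]+$ ]]; then
              echo "::error::Unexpected release tag format: ${LATEST}"
              exit 1
            fi

            ARCHIVE="qryon-x86_64-unknown-linux-gnu.tar.gz"
            URL="https://github.com/bumahkib7/qryon/releases/download/${LATEST}/${ARCHIVE}"
            echo "Downloading Qryon ${LATEST}..."

            # -f: fail on HTTP errors instead of piping an error page into tar.
            curl -fsSL "$URL" -o "$ARCHIVE"

            # NOTE(review): no integrity verification of the archive here.
            # Verify a published checksum or artifact attestation before
            # extracting once the release provides one.
            tar -xzf "$ARCHIVE"
            rm -f "$ARCHIVE"
            chmod +x qryon
            ./qryon --version
          else
            echo "No release found, will build from source"
            echo "BUILD_FROM_SOURCE=true" >> "$GITHUB_ENV"
          fi

      # The three steps below run only when no release could be downloaded.
      - name: Install Rust (if needed)
        if: env.BUILD_FROM_SOURCE == 'true'
        # `@stable` is a mutable ref; pin to a commit SHA when one is known.
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo (if building)
        if: env.BUILD_FROM_SOURCE == 'true'
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: qryon-scan-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}

      - name: Build Qryon (if needed)
        if: env.BUILD_FROM_SOURCE == 'true'
        run: |
          # The cargo package is still named rma-cli while the produced
          # binary is qryon — presumably left over from the rebrand; verify
          # against Cargo.toml.
          cargo build --release --package rma-cli
          cp target/release/qryon ./qryon

      - name: Run Qryon scan
        id: scan
        run: |
          # Excluding crypto/secret rules because rule definition files
          # intentionally contain vulnerable patterns as examples.
          # Excluding external/ and rules/ dirs which contain third-party code
          # and intentional vulnerable-pattern examples.
          # Severity warning+ to stay under GitHub's 5000 alert SARIF limit.
          #
          # The scanner's exit status is deliberately ignored: findings are
          # surfaced through Code Scanning, not by failing this job.
          ./qryon scan . \
            --format sarif \
            --output qryon-results.sarif \
            --severity warning \
            --skip-tests-all \
            --exclude-rules "generic/hardcoded-secret,generic/insecure-crypto,generic/crypto-typestate" \
            --exclude "external/**,crates/rules/rules/**,target/**" \
            2>&1 || true
          echo "Scan complete."

          if [ -f qryon-results.sarif ]; then
            # Count and truncate per run, so the check and the truncation
            # act on the same thing (the 5000 limit is assumed per run here).
            RESULT_COUNT=$(jq '[.runs[].results | length] | max // 0' qryon-results.sarif 2>/dev/null || echo "unknown")
            echo "Largest per-run SARIF result count: ${RESULT_COUNT}"
            if [ "${RESULT_COUNT}" != "unknown" ] && [ "${RESULT_COUNT}" -gt 5000 ]; then
              echo "::warning::SARIF has ${RESULT_COUNT} results in one run (GitHub limit is 5000). Truncating; findings beyond the limit are dropped from this upload."
              jq '.runs |= map(.results |= .[:5000])' qryon-results.sarif > qryon-results-truncated.sarif
              mv qryon-results-truncated.sarif qryon-results.sarif
            fi
            # Exposed so the upload step can skip when no SARIF was produced.
            echo "sarif-file=qryon-results.sarif" >> "$GITHUB_OUTPUT"
            jq -r '.runs[0].invocations[0].properties.metrics // "No metrics"' qryon-results.sarif || true
          fi

      - name: Upload SARIF to GitHub Code Scanning
        # Upload even if an earlier step failed, but only when a SARIF file
        # actually exists — otherwise upload-sarif fails on a missing file.
        if: always() && steps.scan.outputs.sarif-file != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: qryon-results.sarif
          category: qryon-security-scan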