Skip to content

Commit ccde91b

Browse files
Merge pull request #2 from johnfosborneiii/main
adding sts and sarif gen
2 parents 46e3e28 + 5984206 commit ccde91b

4 files changed

Lines changed: 68 additions & 3 deletions

File tree

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
# Copyright 2024 Chainguard, Inc.
2+
# SPDX-License-Identifier: Apache-2.0
3+
4+
issuer: https://token.actions.githubusercontent.com
5+
subject_pattern: repo:chainguard-dev/libraries-malcontent-demo:.*
6+
claim_pattern:
7+
job_workflow_ref: chainguard-dev/libraries-malcontent-demo/.github/workflows/scan-malware.yaml@.*
8+
9+
permissions:
10+
contents: write
11+
pull_requests: write
12+
workflows: write
13+
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
14+
packages: write
15+
id-token: write
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
name: generate-sarif-malware-report
2+
3+
on:
4+
workflow_dispatch:
5+
6+
jobs:
7+
scan-python-malware:
8+
runs-on: ubuntu-latest
9+
permissions:
10+
actions: read
11+
security-events: write
12+
contents: write
13+
packages: write
14+
id-token: write
15+
16+
steps:
17+
- name: Checkout repository
18+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
19+
with:
20+
ref: ${{ github.ref }}
21+
fetch-depth: 0
22+
23+
- name: Set up Python
24+
uses: actions/setup-python@v5
25+
with:
26+
python-version: '3.12'
27+
28+
- name: Install dependencies
29+
run: pip install --no-cache-dir --upgrade pip
30+
31+
- name: Run SARIF conversion
32+
run: python generate-malcontent-sarif.py
33+
34+
- name: Upload SARIF to GitHub
35+
uses: github/codeql-action/upload-sarif@v2
36+
with:
37+
sarif_file: scans/malcontent-report.sarif
38+
39+
- name: Commit and push updated SARIF file
40+
run: |
41+
git config user.name "GitHub Actions"
42+
git config user.email "actions@github.com"
43+
git add scans/malcontent-report.sarif
44+
if git diff --cached --quiet; then
45+
echo "No changes to commit."
46+
else
47+
git commit -m "Update malware diff SARIF Report: v8.3.40 → v8.3.41"
48+
git push origin "${GITHUB_REF#refs/heads/}"

README.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1,3 @@
1-
# libraries-malcontent-demo
1+
# libraries-malcontent-demo
2+
3+
gh extension install https://github.com/mario-campos/gh-code-scanning

generate-malcontent-sarif.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,9 +3,9 @@
33
from pathlib import Path
44

55
# === CONFIGURATION ===
6-
input_path = "ultralytics-malcontent-diff-v8.3.40-v8.3.41.json"
6+
input_path = Path("scans/ultralytics-malcontent-diff-v8.3.40-v8.3.41.json")
77
sub_repo_path = "malcontent-samples/python/2024.ultralytics/v8.3.41"
8-
output_path = "scans/malcontent-report.sarif"
8+
output_path = Path("scans/malcontent-report.sarif")
99

1010
# === DETERMINE LOCAL REPO ROOT ===
1111
local_repo_root = Path.cwd() / sub_repo_path

0 commit comments

Comments
 (0)