File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ # Copyright 2024 Chainguard, Inc.
2+ # SPDX-License-Identifier: Apache-2.0
3+
4+ issuer : https://token.actions.githubusercontent.com
5+ subject_pattern : repo:chainguard-dev/libraries-malcontent-demo:.*
6+ claim_pattern :
7+ job_workflow_ref : chainguard-dev/libraries-malcontent-demo/.github/workflows/scan-malware.yaml@.*
8+
9+ permissions :
10+ contents : write
11+ pull_requests : write
12+ workflows : write
13+ security-events : write # for github/codeql-action/upload-sarif to upload SARIF results
14+ packages : write
15+ id-token : write
Original file line number Diff line number Diff line change 1+ name : generate-sarif-malware-report
2+
3+ on :
4+ workflow_dispatch :
5+
6+ jobs :
7+ scan-python-malware :
8+ runs-on : ubuntu-latest
9+ permissions :
10+ actions : read
11+ security-events : write
12+ contents : write
13+ packages : write
14+ id-token : write
15+
16+ steps :
17+ - name : Checkout repository
18+ uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
19+ with :
20+ ref : ${{ github.ref }}
21+ fetch-depth : 0
22+
23+ - name : Set up Python
24+ uses : actions/setup-python@v5
25+ with :
26+ python-version : ' 3.12'
27+
28+ - name : Install dependencies
29+ run : pip install --no-cache-dir --upgrade pip
30+
31+ - name : Run SARIF conversion
32+ run : python generate-malcontent-sarif.py
33+
34+ - name : Upload SARIF to GitHub
35+ uses : github/codeql-action/upload-sarif@v2
36+ with :
37+ sarif_file : scans/malcontent-report.sarif
38+
39+ - name : Commit and push updated SARIF file
40+ run : |
41+ git config user.name "GitHub Actions"
42+ git config user.email "actions@github.com"
43+ git add scans/malcontent-report.sarif
44+ if git diff --cached --quiet; then
45+ echo "No changes to commit."
46+ else
47+ git commit -m "Update malware diff SARIF Report: v8.3.40 → v8.3.41"
48+ git push origin "${GITHUB_REF#refs/heads/}"
Original file line number Diff line number Diff line change 1- # libraries-malcontent-demo
1+ # libraries-malcontent-demo
2+
3+ gh extension install https://github.com/mario-campos/gh-code-scanning
Original file line number Diff line number Diff line change 33from pathlib import Path
44
55# === CONFIGURATION ===
6- input_path = " ultralytics-malcontent-diff-v8.3.40-v8.3.41.json"
6+ input_path = Path ( "scans/ ultralytics-malcontent-diff-v8.3.40-v8.3.41.json")
77sub_repo_path = "malcontent-samples/python/2024.ultralytics/v8.3.41"
8- output_path = "scans/malcontent-report.sarif"
8+ output_path = Path ( "scans/malcontent-report.sarif" )
99
1010# === DETERMINE LOCAL REPO ROOT ===
1111local_repo_root = Path .cwd () / sub_repo_path
You can’t perform that action at this time.
0 commit comments