Continuous Building

Author: jonathanlinat

.github/actions/_shared/scan-virustotal/action.yml

@@ -0,0 +1,240 @@
+inputs:
+  ARTIFACT_FILE_PATH:
+    required: true
+    description: Absolute path to the file to scan
+  VIRUSTOTAL_API_KEY:
+    required: true
+    description: VirusTotal API key
+  SCAN_RESULTS_PATH:
+    required: true
+    description: Path where scan results JSON will be saved
+runs:
+  using: composite
+  steps:
+    - name: Calculate file hash
+      id: file-hash
+      working-directory: ${{ github.workspace }}
+      run: |
+        set -euo pipefail
+        FILE_HASH=$(sha256sum "${{ inputs.ARTIFACT_FILE_PATH }}" | awk '{print $1}')
+        echo "FILE_HASH=${FILE_HASH}" >> $GITHUB_OUTPUT
+        echo "📄 File: $(basename "${{ inputs.ARTIFACT_FILE_PATH }}")"
+        echo "🔑 SHA-256: ${FILE_HASH}"
+      shell: bash
+    - name: Scan with VirusTotal
+      id: virustotal-scan
+      uses: crazy-max/ghaction-virustotal@d34968c958ae283fe976efed637081b9f9dcf74f
+      with:
+        vt_api_key: ${{ inputs.VIRUSTOTAL_API_KEY }}
+        files: ${{ inputs.ARTIFACT_FILE_PATH }}
+        vt_monitor: false
+    - name: Wait for VirusTotal analysis to complete
+      run: |
+        echo "⏳ Waiting 45 seconds for VirusTotal analysis to complete..."
+        echo "   (Respecting API rate limits: 4 lookups/min)"
+        sleep 45
+      shell: bash
+    - name: Fetch and parse VirusTotal results
+      id: vt-results
+      working-directory: ${{ github.workspace }}
+      run: |
+        set -euo pipefail
+        
+        VT_URL="${{ steps.virustotal-scan.outputs.analysis }}"
+        FILE_HASH="${{ steps.file-hash.outputs.FILE_HASH }}"
+        
+        echo "🔍 Fetching VirusTotal results..."
+        
+        # Extract file ID from URL (sha256 hash)
+        if [[ "$VT_URL" =~ /file/([a-f0-9]+) ]]; then
+          FILE_ID="${BASH_REMATCH[1]}"
+        else
+          FILE_ID="$FILE_HASH"
+        fi
+        
+        # Fetch analysis results from VirusTotal API
+        VT_RESPONSE=$(curl -s --request GET \
+          --url "https://www.virustotal.com/api/v3/files/${FILE_ID}" \
+          --header "x-apikey: ${{ inputs.VIRUSTOTAL_API_KEY }}")
+        
+        # Extract detection stats
+        MALICIOUS=$(echo "$VT_RESPONSE" | jq -r '.data.attributes.last_analysis_stats.malicious // 0')
+        SUSPICIOUS=$(echo "$VT_RESPONSE" | jq -r '.data.attributes.last_analysis_stats.suspicious // 0')
+        UNDETECTED=$(echo "$VT_RESPONSE" | jq -r '.data.attributes.last_analysis_stats.undetected // 0')
+        HARMLESS=$(echo "$VT_RESPONSE" | jq -r '.data.attributes.last_analysis_stats.harmless // 0')
+        
+        # Extract individual engine results
+        DETECTIONS=$(echo "$VT_RESPONSE" | jq -r '
+          .data.attributes.last_analysis_results | 
+          to_entries | 
+          map(select(.value.category == "malicious" or .value.category == "suspicious")) |
+          map({engine: .key, category: .value.category, result: .value.result}) |
+          .[]' | jq -s '.')
+        
+        echo "MALICIOUS=${MALICIOUS}" >> $GITHUB_OUTPUT
+        echo "SUSPICIOUS=${SUSPICIOUS}" >> $GITHUB_OUTPUT
+        echo "UNDETECTED=${UNDETECTED}" >> $GITHUB_OUTPUT
+        echo "HARMLESS=${HARMLESS}" >> $GITHUB_OUTPUT
+        echo "DETECTIONS<<EOF" >> $GITHUB_OUTPUT
+        echo "$DETECTIONS" >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+        
+        echo "📊 Detection Stats:"
+        echo "  Malicious: ${MALICIOUS}"
+        echo "  Suspicious: ${SUSPICIOUS}"
+        echo "  Undetected: ${UNDETECTED}"
+        echo "  Harmless: ${HARMLESS}"
+      shell: bash
+    - name: Analyze detections for false positives
+      id: analyze-fp
+      working-directory: ${{ github.workspace }}
+      run: |
+        set -euo pipefail
+        
+        MALICIOUS=${{ steps.vt-results.outputs.MALICIOUS }}
+        SUSPICIOUS=${{ steps.vt-results.outputs.SUSPICIOUS }}
+        DETECTIONS='${{ steps.vt-results.outputs.DETECTIONS }}'
+        
+        # Known false positive patterns for game development tools
+        FP_PATTERNS=(
+          "Generic"
+          "Heur"
+          "Heuristic"
+          "PUA"
+          "PUP"
+          "Potentially"
+          "Unsafe"
+          "Suspect"
+          "BehavesLike"
+          "Artemis"
+          "ML\."
+          "DDS:"
+          "HEUR:"
+          "Gen:"
+        )
+        
+        # Known problematic engines with high false positive rates for legitimate software
+        FP_ENGINES=(
+          "Cyren"
+          "Cylance"
+          "Sangfor"
+          "VBA32"
+          "MaxSecure"
+          "Gridinsoft"
+          "Jiangmin"
+        )
+        
+        LEGITIMATE_DETECTIONS=0
+        FALSE_POSITIVE_COUNT=0
+        
+        if [ "$MALICIOUS" -gt 0 ] || [ "$SUSPICIOUS" -gt 0 ]; then
+          echo "⚠️  Analyzing $(( MALICIOUS + SUSPICIOUS )) detections..."
+          
+          # Check each detection
+          echo "$DETECTIONS" | jq -c '.[]' | while read -r detection; do
+            ENGINE=$(echo "$detection" | jq -r '.engine')
+            RESULT=$(echo "$detection" | jq -r '.result')
+            
+            IS_FP=false
+            
+            # Check if engine is known for false positives
+            for fp_engine in "${FP_ENGINES[@]}"; do
+              if [[ "$ENGINE" == "$fp_engine" ]]; then
+                IS_FP=true
+                echo "  ✓ ${ENGINE}: ${RESULT} (Known FP engine)"
+                break
+              fi
+            done
+            
+            # Check if result matches false positive patterns
+            if [ "$IS_FP" = false ]; then
+              for pattern in "${FP_PATTERNS[@]}"; do
+                if echo "$RESULT" | grep -qi "$pattern"; then
+                  IS_FP=true
+                  echo "  ✓ ${ENGINE}: ${RESULT} (FP pattern: ${pattern})"
+                  break
+                fi
+              done
+            fi
+            
+            # If not a false positive, count as legitimate threat
+            if [ "$IS_FP" = false ]; then
+              echo "  ⚠️  ${ENGINE}: ${RESULT} (POTENTIAL THREAT)"
+              LEGITIMATE_DETECTIONS=$((LEGITIMATE_DETECTIONS + 1))
+            else
+              FALSE_POSITIVE_COUNT=$((FALSE_POSITIVE_COUNT + 1))
+            fi
+          done
+          
+          # Save detection analysis results
+          echo "$LEGITIMATE_DETECTIONS" > /tmp/legitimate_detections.txt
+          echo "$FALSE_POSITIVE_COUNT" > /tmp/false_positive_count.txt
+        else
+          echo "✅ No detections found"
+          echo "0" > /tmp/legitimate_detections.txt
+          echo "0" > /tmp/false_positive_count.txt
+        fi
+        
+        LEGIT=$(cat /tmp/legitimate_detections.txt 2>/dev/null || echo "0")
+        FP=$(cat /tmp/false_positive_count.txt 2>/dev/null || echo "0")
+        
+        echo "LEGITIMATE_THREATS=${LEGIT}" >> $GITHUB_OUTPUT
+        echo "FALSE_POSITIVES=${FP}" >> $GITHUB_OUTPUT
+        
+        # Determine verdict
+        if [ "$LEGIT" -gt 0 ]; then
+          echo "VERDICT=BLOCKED" >> $GITHUB_OUTPUT
+          echo "🚨 VERDICT: BLOCKED - ${LEGIT} legitimate threat(s) detected"
+        else
+          echo "VERDICT=PASSED" >> $GITHUB_OUTPUT
+          echo "✅ VERDICT: PASSED - All detections are false positives"
+        fi
+      shell: bash
+    - name: Save scan results
+      working-directory: ${{ github.workspace }}
+      run: |
+        set -euo pipefail
+        
+        FILENAME=$(basename "${{ inputs.ARTIFACT_FILE_PATH }}")
+        RESULTS_FILE="${{ inputs.SCAN_RESULTS_PATH }}/${FILENAME}.json"
+        
+        mkdir -p "$(dirname "${RESULTS_FILE}")"
+        
+        # Create JSON structure with comprehensive scan results
+        cat > "${RESULTS_FILE}" << EOFRESULTS
+        {
+          "filename": "${FILENAME}",
+          "filepath": "${{ inputs.ARTIFACT_FILE_PATH }}",
+          "sha256": "${{ steps.file-hash.outputs.FILE_HASH }}",
+          "scan_date": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+          "virustotal": {
+            "analysis_url": "${{ steps.virustotal-scan.outputs.analysis }}",
+            "status": "scanned",
+            "stats": {
+              "malicious": ${{ steps.vt-results.outputs.MALICIOUS }},
+              "suspicious": ${{ steps.vt-results.outputs.SUSPICIOUS }},
+              "undetected": ${{ steps.vt-results.outputs.UNDETECTED }},
+              "harmless": ${{ steps.vt-results.outputs.HARMLESS }}
+            },
+            "detections": ${{ steps.vt-results.outputs.DETECTIONS }},
+            "analysis": {
+              "legitimate_threats": ${{ steps.analyze-fp.outputs.LEGITIMATE_THREATS }},
+              "false_positives": ${{ steps.analyze-fp.outputs.FALSE_POSITIVES }},
+              "verdict": "${{ steps.analyze-fp.outputs.VERDICT }}"
+            }
+          }
+        }
+        EOFRESULTS
+        
+        echo "✅ Scan results saved to: ${RESULTS_FILE}"
+        echo "🔗 VirusTotal Analysis: ${{ steps.virustotal-scan.outputs.analysis }}"
+        echo "📊 Verdict: ${{ steps.analyze-fp.outputs.VERDICT }}"
+        
+        # Fail the action if legitimate threats are detected
+        if [ "${{ steps.analyze-fp.outputs.VERDICT }}" = "BLOCKED" ]; then
+          echo "❌ SCAN FAILED: Legitimate threats detected!"
+          echo "   Legitimate threats: ${{ steps.analyze-fp.outputs.LEGITIMATE_THREATS }}"
+          echo "   False positives: ${{ steps.analyze-fp.outputs.FALSE_POSITIVES }}"
+          exit 1
+        fi
+      shell: bash

.github/actions/continuous-releasing/release-starter-kit/action.yml

@@ -13,7 +13,7 @@ runs:
     - uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b
       with:
         allowUpdates: true
-        artifacts: ${{ inputs.CICD_PROJECT_SLUG }}-${{ inputs.CICD_CURRENT_DATE }}-windows.zip,${{ inputs.CICD_PROJECT_SLUG }}-${{ inputs.CICD_CURRENT_DATE }}-linux.zip
+        artifacts: ${{ inputs.CICD_PROJECT_SLUG }}-${{ inputs.CICD_CURRENT_DATE }}-windows.zip,${{ inputs.CICD_PROJECT_SLUG }}-${{ inputs.CICD_CURRENT_DATE }}-linux.zip,${{ inputs.CICD_PROJECT_SLUG }}-scan/SECURITY-SCAN-REPORT.md,${{ inputs.CICD_PROJECT_SLUG }}-scan/scan-report.json
         bodyFile: ${{ inputs.CICD_PROJECT_SLUG }}/RELEASE_NOTES.md
         makeLatest: false
         name: ${{ inputs.CICD_PROJECT_ACRONYM }} v${{ inputs.CICD_CURRENT_DATE }} (${{ inputs.GIT_CURRENT_COMMIT_HEAD_SHA }})