
Unverified Commit d579dc06 authored by Corey Bryant's avatar Corey Bryant Committed by GitHub

Merge pull request #8686 from wmontwe/add-fluidattacks-scan

[CASA] Add fluidattacks scanner
parents 7a3be480 8610a554
+37 −0
name: Fluidattacks - Code scanning
on:
  schedule:
    - cron: '0 10 * * 1'
  workflow_dispatch:

jobs:
  fluidattacks-scan:

    runs-on: ubuntu-latest

    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
        with:
          persist-credentials: false

      - name: "Run Fluidattacks scanner"
        run: |
          bash scripts/run-fluidattacks-scanner.sh

      - name: "Upload scan results"
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: SARIF scan results
          path: fluidscan-results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
        with:
          sarif_file: fluidscan-results.sarif
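Review bot: The `permissions` block of `fluidattacks-scan` grants only `security-events: write`, which sets every other scope of the job token to none; `actions/checkout` and `codeql-action/upload-sarif` are documented as also expecting `contents: read` (plus `actions: read` on private repositories), so the job currently works only because the repository is public. Add `contents: read` beneath `security-events: write` so the least-privilege grant is explicit and the job keeps working if visibility ever changes. The `actions/checkout@f095bcc…` pin is also the only one of the three without the `# vX.Y.Z` trailer that the `upload-artifact` and `upload-sarif` pins carry, so a reader cannot tell which release the SHA corresponds to; add the matching version comment. Note too that the scan step's exit status gates both upload steps, so a scanner failure leaves no artifact to inspect — if that is unwanted, `if: always()` on the artifact upload is the usual remedy.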
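--- /dev/null
+++ b/config/fluidattacks/config.yaml
@@ -0,0 +1,28 @@
+# Taken from: https://appdefensealliance.dev/casa/tier-2/ast-guide/static-scan
+# as that is out of date, updated to the latest version of the scanner, see below
+# https://help.fluidattacks.com/portal/en/kb/articles/validate-casa-tier-2-requirements
+namespace: thunderbird-android
+working_dir: /repo
+language: EN
+output:
+  file_path: /repo/fluidscan-results.sarif
+  format: SARIF
+#apk:
+#  include:
+#    - ./app-k9mail/build/outputs/apk/foss/release/app-k9mail-foss-release.apk
+#    - ./app-k9mail/build/outputs/apk/full/release/app-k9mail-full-release.apk
+#    - ./app-thunderbird/build/outputs/apk/foss/release/app-thunderbird-full-release.apk
+#    - ./app-thunderbird/build/outputs/apk/foss/release/app-thunderbird-full-release.apk
+sast:
+  include:
+    - .
+  exclude:
+    - glob(**/build/**)
+    - glob(**/test/**)
+sca:
+  include:
+    - .
+  exclude:
+    - glob(**/test/**)
+file_size_limit: false
+tracing_opt_out: true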
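Review bot: The two commented-out `app-thunderbird` entries in `apk.include` are byte-identical, both pointing at `foss/release/app-thunderbird-full-release.apk`, so whoever re-enables this block will scan one APK twice and never scan the other flavour. Presumably the first should be `./app-thunderbird/build/outputs/apk/foss/release/app-thunderbird-foss-release.apk` and the second `./app-thunderbird/build/outputs/apk/full/release/app-thunderbird-full-release.apk`, mirroring the `app-k9mail` pair above it — confirm against the real build output names before enabling. Separately, the `glob(**/test/**)` exclusion under `sca` means dependencies declared only by test modules will never be reported; if that is intended, say so with a comment such as `# test-only dependencies are deliberately out of scope for SCA`, otherwise drop the SCA exclusion and keep it for SAST only.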
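--- /dev/null
+++ b/scripts/run-fluidattacks-scanner.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+function fail() {
+  echo "Error: $*"
+  exit 1
+}
+
+# Check if tools are installed
+command -v docker &> /dev/null || fail "Docker is not installed"
+
+# Default values
+debug=false
+
+# Parse command-line arguments
+for arg in "$@"; do
+  case $arg in
+    --debug)
+      debug=true
+      shift
+      ;;
+    *)
+      fail "Unknown argument: $arg"
+      ;;
+  esac
+done
+
+if [ "$debug" = true ]; then
+  docker run --rm -v "$(pwd)":/repo -it fluidattacks/cli:latest /bin/bash
+  exit
+fi
+docker run --rm -v "$(pwd)":/repo fluidattacks/cli:latest skims scan /repo/config/fluidattacks/config.yaml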
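Review bot: Both `docker run` lines reference `fluidattacks/cli:latest`, a mutable, unpinned tag, while the container gets the whole checkout mounted read-write at `/repo`; whatever image Docker Hub serves on a given Monday can therefore read and modify the working tree and the `fluidscan-results.sarif` file that the workflow then uploads to code scanning. Pin the scanner the way the workflow pins its actions — a version tag plus digest in one variable, e.g. `IMAGE="fluidattacks/cli:<tag>@sha256:<digest>"`, used by both `docker run` lines — and bump it deliberately rather than implicitly. Two smaller points: `fail` prints to stdout rather than stderr (`echo "Error: $*" >&2`), and the `shift` inside `for arg in "$@"` has no effect on a loop that iterates the already-expanded list, so it can be dropped.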