diff --git a/CITATION.cff b/CITATION.cff new file mode 100644 index 0000000..a220c40 --- /dev/null +++ b/CITATION.cff @@ -0,0 +1,17 @@ +# yaml-language-server: $schema=https://citation-file-format.github.io/1.2.0/schema.json +cff-version: "1.2.0" +title: "Scan Virus (GitHub Action)" +message: "If you use this software, please cite it using the metadata from this file." +type: "software" +authors: + - name: "hugoalh" +repository-code: "https://github.com/hugoalh/scan-virus-ghaction" +keywords: + - "anti-malware" + - "anti-virus" + - "antivirus" + - "gh-action" + - "ghaction" + - "github-action" + - "scan" +license: "MIT" diff --git a/Dockerfile b/Dockerfile index b5268fe..6a3072c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -38,5 +38,5 @@ RUN freshclam --verbose COPY lib checkout.ts deno.jsonc main.ts ${SVGHA_ROOT}/ RUN cd $SVGHA_ROOT && deno cache checkout.ts main.ts -RUN deno run --allow-all --cached-only --unstable-kv $SVGHA_ROOT/checkout.ts -CMD deno run --allow-all --cached-only --unstable-kv $SVGHA_ROOT/main.ts +RUN deno run --allow-all --cached-only $SVGHA_ROOT/checkout.ts +CMD deno run --allow-all --cached-only $SVGHA_ROOT/main.ts diff --git a/LICENSE.md b/LICENSE.md index c13a245..048bdbb 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,6 +1,6 @@ # MIT License -Copyright © 2021\~2023 hugoalh +Copyright © 2021\~2024 hugoalh Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: diff --git a/README.md b/README.md index dea309c..8b516e4 100644 --- a/README.md +++ b/README.md 
@@ -36,7 +36,7 @@ This does not provide any guarantee that carefully hidden objects will be scanne ### GitHub Actions -- **Target Version:** >= v2.311.0, &: +- **Target Version:** >= v2.314.0, &: - Docker - **Require Permission:** *N/A* @@ -77,7 +77,9 @@ When this input is `false`, will ignore inputs: ### `clamav_customassets_artifact` -`` Artifact name of the ClamAV custom assets, which the artifact must uploaded in the same workflow run and before this action. When this is not defined, will ignore input [`clamav_customassets_use`](#clamav_customassets_use). +`` Artifact name of the ClamAV custom assets, which the artifact must uploaded in the same workflow run and before this action. + +When this input is not defined, will ignore input [`clamav_customassets_use`](#clamav_customassets_use). ### `clamav_customassets_use` @@ -99,15 +101,17 @@ When this input is `false`, will ignore inputs: ### `yara_customassets_artifact` -`` Artifact name of the YARA custom assets, which the artifact must uploaded in the same workflow run and before this action. When this is not defined, will ignore input [`yara_customassets_use`](#yara_customassets_use). +`` Artifact name of the YARA custom assets, which the artifact must uploaded in the same workflow run and before this action. + +When this input is not defined, will ignore input [`yara_customassets_use`](#yara_customassets_use). ### `yara_customassets_use` `` YARA custom assets to use, by regular expression of relative paths in the input [`yara_customassets_artifact`](#yara_customassets_artifact), separate each regular expression per line; By default, all of the YARA custom assets are in use. -### `git_integrate` +### `git_iterate` -`` Whether to integrate with Git to perform scan by every commits; Require working directory is a Git repository. +`` Whether to iterate Git commits to perform scan by every commits; Require working directory is a Git repository. When this input is `false`, will ignore inputs: 
@@ -118,27 +122,27 @@ When this input is `false`, will ignore inputs: ### `git_ignores` -`>` Ignores Git commits, by JavaScript function and must return type of `boolean` (`true` to ignore). Ignored Git commits will not be scanned. - -> **Available contexts:** -> -> - **`authorDate`:** `` Git commit author date. -> - **`authorEmail`:** `` Git commit author e-mail. -> - **`authorName`:** `` Git commit author name. -> - **`body`:** `` Git commit body. -> - **`commitHash`:** `` Git commit commit hash. -> - **`committerDate`:** `` Git commit committer date. -> - **`committerEmail`:** `` Git commit committer e-mail. -> - **`committerName`:** `` Git commit committer name. -> - **`encoding`:** `` Git commit encoding. -> - **`notes`:** `` Git commit notes. -> - **`parentHashes`:** `` Git commit parent hashes. -> - **`reflogIdentityEmail`:** `` Git commit reflog identity e-mail. -> - **`reflogIdentityName`:** `` Git commit reflog identity name. -> - **`reflogSelector`:** `` Git commit reflog selector. -> - **`reflogSubject`:** `` Git commit reflog subject. -> - **`subject`:** `` Git commit subject. -> - **`treeHash`:** `` Git commit tree hash. +`>` Ignore Git commits to not be scanned, by JavaScript function and must return type of `boolean` (`true` to ignore). + +**Available Contexts:** + +- **`authorDate`:** `` Git commit author date. +- **`authorEmail`:** `` Git commit author e-mail. +- **`authorName`:** `` Git commit author name. +- **`body`:** `` Git commit body. +- **`commitHash`:** `` Git commit commit hash. +- **`committerDate`:** `` Git commit committer date. +- **`committerEmail`:** `` Git commit committer e-mail. +- **`committerName`:** `` Git commit committer name. +- **`encoding`:** `` Git commit encoding. +- **`notes`:** `` Git commit notes. +- **`parentHashes`:** `` Git commit parent hashes. +- **`reflogIdentityEmail`:** `` Git commit reflog identity e-mail. +- **`reflogIdentityName`:** `` Git commit reflog identity name. 
+- **`reflogSelector`:** `` Git commit reflog selector. +- **`reflogSubject`:** `` Git commit reflog subject. +- **`subject`:** `` Git commit subject. +- **`treeHash`:** `` Git commit tree hash. For example, to ignore Git commits made by Dependabot, and ignore Git commits made by OctoCat before 2022-01-01: @@ -155,11 +159,13 @@ git_ignores: |- ### `git_lfs` -`` Whether to process Git LFS files. +`` Whether to allow Git LFS process through entire Git commits iteration. ### `git_limit` -`` Limit on how many Git commits will scan, counting is affected by inputs [`git_ignores`](#git_ignores) and [`git_reverse`](#git_reverse); When this value is `0`, means no limit. +`` Limit the number of Git commits will be scanned, counting is affected by inputs [`git_ignores`](#git_ignores) and [`git_reverse`](#git_reverse). + +When this input is `0`, means no limit. > [!IMPORTANT] > For actions which run on the GitHub-host, it is highly recommended to define this due to the limit of the job execution time (currently is `6 hours`). 
@@ -173,32 +179,32 @@ git_ignores: |- ### `ignores` -`>` Ignores elements before the scan, by JavaScript function and must return type of `boolean` (`true` to ignore). Ignored elements will not be scanned. - -To ignore only by the Git commits, use input [`git_ignores`](#git_ignores) is more efficiency. To ignore only by the tools, use inputs `*_enable` is more efficiency. - -> **Available contexts:** -> -> - **`gitCommit.authorDate`:** `` Git commit author date. Only exists when the session is on a Git commit. -> - **`gitCommit.authorEmail`:** `` Git commit author e-mail. Only exists when the session is on a Git commit. -> - **`gitCommit.authorName`:** `` Git commit author name. Only exists when the session is on a Git commit. -> - **`gitCommit.body`:** `` Git commit body. Only exists when the session is on a Git commit. -> - **`gitCommit.commitHash`:** `` Git commit commit hash. Only exists when the session is on a Git commit. -> - **`gitCommit.committerDate`:** `` Git commit committer date. Only exists when the session is on a Git commit. -> - **`gitCommit.committerEmail`:** `` Git commit committer e-mail. Only exists when the session is on a Git commit. -> - **`gitCommit.committerName`:** `` Git commit committer name. Only exists when the session is on a Git commit. -> - **`gitCommit.encoding`:** `` Git commit encoding. Only exists when the session is on a Git commit. -> - **`gitCommit.notes`:** `` Git commit notes. Only exists when the session is on a Git commit. -> - **`gitCommit.parentHashes`:** `` Git commit parent hashes. Only exists when the session is on a Git commit. -> - **`gitCommit.reflogIdentityEmail`:** `` Git commit reflog identity e-mail. Only exists when the session is on a Git commit. -> - **`gitCommit.reflogIdentityName`:** `` Git commit reflog identity name. Only exists when the session is on a Git commit. -> - **`gitCommit.reflogSelector`:** `` Git commit reflog selector. Only exists when the session is on a Git commit. 
-> - **`gitCommit.reflogSubject`:** `` Git commit reflog subject. Only exists when the session is on a Git commit. -> - **`gitCommit.subject`:** `` Git commit subject. Only exists when the session is on a Git commit. -> - **`gitCommit.treeHash`:** `` Git commit tree hash. Only exists when the session is on a Git commit. -> - **`path`:** `` Relative path based on the current working directory without `./` (e.g.: `relative/path/to/file.extension`). -> - **`session`:** `` `"Current"` or Git commit hash (equivalent with `gitCommit.commitHash`). -> - **`tool`:** `` Tool ID (e.g.: `"clamav"`). +`>` Ignore elements to not be scanned, by JavaScript function and must return type of `boolean` (`true` to ignore). + +To ignore only by the Git commits, use input [`git_ignores`](#git_ignores) is more efficiency. To ignore only by the tools, use inputs `_enable` is more efficiency. + +**Available Contexts:** + +- **`gitCommit.authorDate`:** `` Git commit author date. Only exists when the session is on a Git commit. +- **`gitCommit.authorEmail`:** `` Git commit author e-mail. Only exists when the session is on a Git commit. +- **`gitCommit.authorName`:** `` Git commit author name. Only exists when the session is on a Git commit. +- **`gitCommit.body`:** `` Git commit body. Only exists when the session is on a Git commit. +- **`gitCommit.commitHash`:** `` Git commit commit hash. Only exists when the session is on a Git commit. +- **`gitCommit.committerDate`:** `` Git commit committer date. Only exists when the session is on a Git commit. +- **`gitCommit.committerEmail`:** `` Git commit committer e-mail. Only exists when the session is on a Git commit. +- **`gitCommit.committerName`:** `` Git commit committer name. Only exists when the session is on a Git commit. +- **`gitCommit.encoding`:** `` Git commit encoding. Only exists when the session is on a Git commit. +- **`gitCommit.notes`:** `` Git commit notes. Only exists when the session is on a Git commit. 
+- **`gitCommit.parentHashes`:** `` Git commit parent hashes. Only exists when the session is on a Git commit. +- **`gitCommit.reflogIdentityEmail`:** `` Git commit reflog identity e-mail. Only exists when the session is on a Git commit. +- **`gitCommit.reflogIdentityName`:** `` Git commit reflog identity name. Only exists when the session is on a Git commit. +- **`gitCommit.reflogSelector`:** `` Git commit reflog selector. Only exists when the session is on a Git commit. +- **`gitCommit.reflogSubject`:** `` Git commit reflog subject. Only exists when the session is on a Git commit. +- **`gitCommit.subject`:** `` Git commit subject. Only exists when the session is on a Git commit. +- **`gitCommit.treeHash`:** `` Git commit tree hash. Only exists when the session is on a Git commit. +- **`path`:** `` Relative path based on the current working directory without `./` (e.g.: `relative/path/to/file.extension`). +- **`session`:** `` `"Current"` or Git commit hash (equivalent with `gitCommit.commitHash`). +- **`tool`:** `` Tool ID (e.g.: `"clamav"`). For example, to ignore path `node_modules`: 
@@ -212,39 +218,45 @@ ignores: |- ### `report_filter` -`>` Filter the report after the scan, by JavaScript function and must return type of `Severity`. By default, all of the symbols are high severity. - -To ignore only by the paths and/or sessions, use input [`ignores`](#ignores) is more efficiency. To ignore only by the Git commits, use input [`git_ignores`](#git_ignores) is more efficiency. To ignore only by the tools, use inputs `*_enable` is more efficiency. - -> **Available contexts:** -> -> - **`gitCommit.authorDate`:** `` Git commit author date. Only exists when the session is on a Git commit. -> - **`gitCommit.authorEmail`:** `` Git commit author e-mail. Only exists when the session is on a Git commit. -> - **`gitCommit.authorName`:** `` Git commit author name. Only exists when the session is on a Git commit. -> - **`gitCommit.body`:** `` Git commit body. Only exists when the session is on a Git commit. -> - **`gitCommit.commitHash`:** `` Git commit commit hash. Only exists when the session is on a Git commit. -> - **`gitCommit.committerDate`:** `` Git commit committer date. Only exists when the session is on a Git commit. -> - **`gitCommit.committerEmail`:** `` Git commit committer e-mail. Only exists when the session is on a Git commit. -> - **`gitCommit.committerName`:** `` Git commit committer name. Only exists when the session is on a Git commit. -> - **`gitCommit.encoding`:** `` Git commit encoding. Only exists when the session is on a Git commit. -> - **`gitCommit.notes`:** `` Git commit notes. Only exists when the session is on a Git commit. -> - **`gitCommit.parentHashes`:** `` Git commit parent hashes. Only exists when the session is on a Git commit. -> - **`gitCommit.reflogIdentityEmail`:** `` Git commit reflog identity e-mail. Only exists when the session is on a Git commit. -> - **`gitCommit.reflogIdentityName`:** `` Git commit reflog identity name. Only exists when the session is on a Git commit. 
-> - **`gitCommit.reflogSelector`:** `` Git commit reflog selector. Only exists when the session is on a Git commit. -> - **`gitCommit.reflogSubject`:** `` Git commit reflog subject. Only exists when the session is on a Git commit. -> - **`gitCommit.subject`:** `` Git commit subject. Only exists when the session is on a Git commit. -> - **`gitCommit.treeHash`:** `` Git commit tree hash. Only exists when the session is on a Git commit. -> - **`path`:** `` Relative path based on the current working directory without `./` (e.g.: `relative/path/to/file.extension`). -> - **`session`:** `` `"Current"` or Git commit hash (equivalent with `gitCommit.commitHash`). -> - **`symbol`:** `` Rule or signature (e.g.: `"Heuristics.Broken.Media.GIF.TruncatedScreenDescriptor"`). -> - **`tool`:** `` Tool ID (e.g.: `"clamav"`). - -> **Severity:** -> -> - -For example, to adjust severity of symbol `Heuristics.Broken.Media.GIF.TruncatedScreenDescriptor`: +`>` Filter the report after the scan, by JavaScript function and must return type of `Severity`. By default, all of the symbols are high severity (i.e.: fail). + +To ignore only by the paths and/or sessions, use input [`ignores`](#ignores) is more efficiency. To ignore only by the Git commits, use input [`git_ignores`](#git_ignores) is more efficiency. To ignore only by the tools, use inputs `_enable` is more efficiency. + +**Available Contexts:** + +- **`gitCommit.authorDate`:** `` Git commit author date. Only exists when the session is on a Git commit. +- **`gitCommit.authorEmail`:** `` Git commit author e-mail. Only exists when the session is on a Git commit. +- **`gitCommit.authorName`:** `` Git commit author name. Only exists when the session is on a Git commit. +- **`gitCommit.body`:** `` Git commit body. Only exists when the session is on a Git commit. +- **`gitCommit.commitHash`:** `` Git commit commit hash. Only exists when the session is on a Git commit. +- **`gitCommit.committerDate`:** `` Git commit committer date. 
Only exists when the session is on a Git commit. +- **`gitCommit.committerEmail`:** `` Git commit committer e-mail. Only exists when the session is on a Git commit. +- **`gitCommit.committerName`:** `` Git commit committer name. Only exists when the session is on a Git commit. +- **`gitCommit.encoding`:** `` Git commit encoding. Only exists when the session is on a Git commit. +- **`gitCommit.notes`:** `` Git commit notes. Only exists when the session is on a Git commit. +- **`gitCommit.parentHashes`:** `` Git commit parent hashes. Only exists when the session is on a Git commit. +- **`gitCommit.reflogIdentityEmail`:** `` Git commit reflog identity e-mail. Only exists when the session is on a Git commit. +- **`gitCommit.reflogIdentityName`:** `` Git commit reflog identity name. Only exists when the session is on a Git commit. +- **`gitCommit.reflogSelector`:** `` Git commit reflog selector. Only exists when the session is on a Git commit. +- **`gitCommit.reflogSubject`:** `` Git commit reflog subject. Only exists when the session is on a Git commit. +- **`gitCommit.subject`:** `` Git commit subject. Only exists when the session is on a Git commit. +- **`gitCommit.treeHash`:** `` Git commit tree hash. Only exists when the session is on a Git commit. +- **`path`:** `` Relative path based on the current working directory without `./` (e.g.: `relative/path/to/file.extension`). +- **`session`:** `` `"Current"` or Git commit hash (equivalent with `gitCommit.commitHash`). +- **`symbol`:** `` Rule or signature (e.g.: `"Heuristics.Broken.Media.GIF.TruncatedScreenDescriptor"`). +- **`tool`:** `` Tool ID (e.g.: `"clamav"`). 
+ +**Available Severity:** + +| **Value** | **Annotation** | **SARIF** | +|:-:|:-:|:-:| +| `"Critical"` | Error | 9 | +| `"High"` | Error | 7 | +| `"Medium"` | Warning | 4 | +| `"Low"` | Notice | 1 | +| `"FalsePositive"` | *N/A* | *N/A* | + +For example, to adjust severity of symbol `Heuristics.Broken.Media.GIF.TruncatedScreenDescriptor` to low: ```yml report_filter: |- @@ -254,19 +266,17 @@ report_filter: |- ``` > [!CAUTION] -> - It is not recommended to ignore any official symbol due to these rarely have false positives in most cases. +> - It is not recommended to mark any official symbol as false positive due to these rarely have false positives in most cases. > - JavaScript function is extremely powerful, which also able to execute malicious actions, user should always take extra review for this input value. -### `report_sarif_enable` - -`` Whether to (allow to) generate the [SARIF report][sarif-github]. When this is `false`, will ignore input [`report_sarif_upload`](#report_sarif_upload). +### `report_sarif` -> [!IMPORTANT] -> Due to the limitations, generate the [SARIF report][sarif-github] is only available when current working directory is a Git repository of the current repository, and input [`git_integrate`](#git_integrate) is `false`. +`` Whether to (allow to) generate and upload the [SARIF report][sarif-github] to the current repository. -### `report_sarif_upload` +Due to the limitations, this feature is only available when these conditions are all fulfilled: -`` Whether to (allow to) upload the [SARIF report][sarif-github] to the current repository. +- Input [`git_iterate`](#git_iterate) is `false`. +- Working directory is a Git repository of the current repository. ### `token` diff --git a/SECURITY.md b/SECURITY.md index b28c159..2e51028 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -12,10 +12,8 @@ | **Versions** | **Status** | **🔵 Date** | **🟢 Date** | **🔴 Date** | **Target - GitHub Actions Runner** | **Target - Docker** | |:-:|:-:|:-:|:-:|:-:|:-:|:-:| -| v0.30.X | 🟤 | *Unknown* | *N/A* | *N/A* | >= v2.311.0 | Latest Release | +| v0.30.X | 🟤 | *Unknown* | *N/A* | *Unknown* | >= v2.314.0 | Latest Release | | v0.20.X | 🔵 | 2023-10-21 | *N/A* | *Unknown* | >= v2.308.0 | Latest Release | -| v0.16.X | 🔴 | 2023-06-23 | *N/A* | 2023-10-26 | >= v2.303.0 | Latest Release | -| v0.15.X | 🔴 | 2023-06-10 | *N/A* | 2023-07-01 | >= v2.303.0 | Latest Release | > **ℹ️ Notice:** >
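Review bot: the new CITATION.cff (hunk `@@ -0,0 +1,17 @@`) carries no `version:` or `date-released:` field, so a citation generated from it cannot pin which release was used; since SECURITY.md in this same change tracks the v0.30.X line, consider adding both fields and bumping them as part of the release process so the file does not drift from the tags. The `$schema` comment and `cff-version: "1.2.0"` already agree, so only the two missing fields are needed.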
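Review bot: dropping `--unstable-kv` from both `deno run` lines in the Dockerfile hunk (`@@ -38,5 +38,5 @@`) is only safe if `checkout.ts`, `main.ts` and everything under `lib` no longer call `Deno.openKv`; none of those files are in this diff, so please confirm, because with `--cached-only` a missing unstable flag does not surface at `deno cache` time but as a runtime failure in the `RUN deno run ... checkout.ts` build step or when the action starts. Two smaller points on the same lines: `deno cache` uses `$SVGHA_ROOT` while the `COPY` line uses `${SVGHA_ROOT}` (harmless, but worth making consistent), and `--allow-all` is kept unchanged, which matters because the `ignores`, `git_ignores` and `report_filter` inputs documented further down execute user-supplied JavaScript with whatever permissions the runtime was granted.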
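Review bot: in the `clamav_customassets_artifact` hunk (`@@ -77,7 +77,9 @@`) the added line keeps the grammatical error of the removed one: "which the artifact must uploaded in the same workflow run" should read "which must be uploaded in the same workflow run and before this action". Splitting the "When this input is not defined..." sentence into its own paragraph is an improvement; the same split is applied to the YARA counterpart, so keep the two descriptions word-for-word parallel after fixing the grammar.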
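Review bot: renaming input `git_integrate` to `git_iterate` in hunk `@@ -99,15 +101,17 @@` is a breaking change for every workflow that sets the old name, and nothing in this diff touches `action.yml` or the code that reads the input; please confirm those are updated in the same release and call the rename out in the release notes, or keep `git_integrate` as a deprecated alias for one release so existing pins do not silently fall back to the default. The new description "Whether to iterate Git commits to perform scan by every commits" is awkward; suggest "Whether to iterate over Git commits and scan each one; requires the working directory to be a Git repository." The `yara_customassets_artifact` line in the same hunk needs the same "must be uploaded" fix as the ClamAV one.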
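Review bot: in hunk `@@ -155,11 +159,13 @@` the new `git_lfs` description, "Whether to allow Git LFS process through entire Git commits iteration", is less clear than the line it replaces; if the intent is that LFS objects are fetched for every commit visited during iteration, say that directly, e.g. "Whether to fetch Git LFS objects for each Git commit visited during iteration." The `git_limit` line is missing a relative pronoun: "Limit the number of Git commits will be scanned" should be "Limit the number of Git commits that will be scanned". The IMPORTANT block about the 6-hour job limit is a good reason to keep this input prominent.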
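Review bot: in the `ignores` hunk (`@@ -173,32 +179,32 @@`) the added line reads "use inputs `_enable` is more efficiency" where the removed line had "`*_enable`"; the wildcard that tells the reader this means inputs such as `clamav_enable` and `yara_enable` has been dropped, so restore the `*`. In the same sentence "is more efficiency" should be "is more efficient" (twice), and "Ignore elements to not be scanned" reads better as "Ignore elements so that they are not scanned". Moving the contexts list out of the blockquote is fine; the entries themselves are unchanged.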
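Review bot: the severity table added in the `report_filter` hunk (`@@ -212,39 +218,45 @@`) fills the empty "Severity" block that the removed lines left as a bare `> -`, but it leaves two questions a user of this input will ask. First, the text says the default is High "(i.e.: fail)"; the table should state which values fail the job (presumably `"Critical"` and `"High"`, since both annotate as Error) and whether `"Medium"`/`"Low"` only annotate. Second, the `**SARIF**` column header should say what the numbers 9/7/4/1 are; they line up with the GitHub code-scanning `security-severity` score buckets, so a header like "SARIF `security-severity`" would make the mapping explicit. The `"FalsePositive"` row with `*N/A*` in both columns should say in words that the finding is dropped from the report and the SARIF output. The same `_enable` wildcard loss and "more efficiency" wording noted for `ignores` recur in this hunk's second paragraph.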
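Review bot: collapsing `report_sarif_enable` and `report_sarif_upload` into a single `report_sarif` in hunk `@@ -254,19 +266,17 @@` is a second breaking input rename in this change and also removes the ability to generate a SARIF file without uploading it (for example to attach it as an artifact or feed another tool); if that mode is intentionally gone, say so in the release notes, otherwise keep the two-input split. Because `report_sarif: true` now always uploads to the current repository, the token documented under `token` must carry `security-events: write` for the code-scanning upload to succeed, and the "**Require Permission:** *N/A*" line near the top of the README should note that conditional requirement. Grammar in the CAUTION line: "due to these rarely have false positives in most cases" should be "because they rarely produce false positives".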
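Review bot: in the SECURITY.md hunk (`@@ -12,10 +12,8 @@`) the v0.30.X row now shows *Unknown* in the 🔴 Date column while its 🔵 Date is also *Unknown* and its status is 🟤; that only reads sensibly if the legend below (not shown in this diff) defines 🟤 as a not-yet-released line, so make sure it does. The Target bump to `>= v2.314.0` matches the README change in this same commit, which is good. Deleting the v0.16.X and v0.15.X rows removes the only record of when those lines reached end of life; keeping retired rows, or a one-line pointer to where that history lives, helps users still pinned to old tags see that they are unsupported.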