Skip to content

Update malcontent to v1.25.3 (#1610) #1875

Update malcontent to v1.25.3 (#1610)

Update malcontent to v1.25.3 (#1610) #1875

Workflow file for this run

# Copyright 2025 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
name: "CodeQL Advanced"
on:
pull_request:
push:
branches: ["main"]
schedule:
- cron: "35 23 * * 0"
env:
CGO_ENABLED: "1"
CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
YARA_X_RELEASE: "1.19.0"
permissions: {}
jobs:
analyze:
if: ${{ github.repository == 'chainguard-dev/malcontent' }}
runs-on: ubuntu-latest-16-core
permissions:
actions: read
contents: read
packages: read
security-events: write
steps:
- uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: block
allowed-endpoints: >
*.blob.core.windows.net:443
*.githubapp.com:443
api.github.com:443
dl.google.com:443
github.com:443
go.dev:443
index.crates.io:443
objects.githubusercontent.com:443
proxy.golang.org:443
release-assets.githubusercontent.com:443
static.crates.io:443
static.rust-lang.org:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Cache yara-x-capi installation
id: yara-x-capi
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: yara-x-install
key: yara-x-capi-v${{ env.YARA_X_RELEASE }}-${{ runner.os }}
- name: Checkout virusTotal/yara-x
if: steps.yara-x-capi.outputs.cache-hit != 'true'
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
fetch-depth: 0
fetch-tags: true
repository: virusTotal/yara-x
path: yara-x
ref: refs/tags/v${{ env.YARA_X_RELEASE }}
- name: Install Rust for yara-x-capi
if: steps.yara-x-capi.outputs.cache-hit != 'true'
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
with:
toolchain: stable
- name: Cache Rust dependencies
if: steps.yara-x-capi.outputs.cache-hit != 'true'
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
~/.cargo/registry/
~/.cargo/git/
key: rust-cargo-v${{ env.YARA_X_RELEASE }}-${{ runner.os }}
restore-keys: rust-cargo-
- name: Build yara-x-capi
if: steps.yara-x-capi.outputs.cache-hit != 'true'
env:
WORKSPACE: ${{ github.workspace }}
run: |
command -v cargo-cinstall || cargo install cargo-c --locked
cd "${WORKSPACE}/yara-x"
RUSTFLAGS="-C target-feature=+crt-static" cargo cinstall -p yara-x-capi --features=native-code-serialization \
--profile release-lto \
--pkgconfigdir="${WORKSPACE}/yara-x-install" \
--includedir="${WORKSPACE}/yara-x-install" \
--libdir="${WORKSPACE}/yara-x-install" \
--crt-static --library-type="staticlib"
rm -rf "${WORKSPACE}/yara-x"
- name: Set up Go
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version-file: "go.mod"
check-latest: true
cache: true
- name: Initialize CodeQL
uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
languages: go
build-mode: manual
- run: |
go build -o /dev/null ./...
go test -o /dev/null -c ./...
env:
PKG_CONFIG_PATH: ${{ github.workspace }}/yara-x-install
LD_LIBRARY_PATH: ${{ github.workspace }}/yara-x-install
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
category: "/language:go"
analyze-actions:
if: ${{ github.repository == 'chainguard-dev/malcontent' }}
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
packages: read
security-events: write
steps:
- uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: block
allowed-endpoints: >
*.blob.core.windows.net:443
*.githubapp.com:443
api.github.com:443
dl.google.com:443
github.com:443
go.dev:443
objects.githubusercontent.com:443
proxy.golang.org:443
release-assets.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
languages: actions
build-mode: none
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
category: "/language:actions"