Exclusions Updater #55
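# Runs the false-positive validation suite on a schedule (or on demand) and
# publishes the resulting exclusions list to the `exclusions` branch.
name: Exclusions Updater

on:  # yamllint disable-line rule:truthy
  schedule:
    # - cron: '0 5 * * 0'  # Runs at 05:00 every Sunday
    - cron: '0 5 * * *'  # Runs at 05:00 every day
  workflow_dispatch:

# Least privilege: the only write this workflow performs is a push to the
# `exclusions` branch, so GITHUB_TOKEN gets write on repository contents and
# nothing else (all other scopes are implicitly `none`). Stating this also
# keeps the push working on repositories whose default token is read-only.
permissions:
  contents: write

jobs:
  update-exclusions:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.13'

      - name: Install Poetry
        # NOTE(review): a mutable `@v4` tag plus `poetry-version: 'latest'` lets
        # the toolchain change under the workflow between runs; pinning the
        # action to a full commit SHA (`@<full-commit-sha>`) and Poetry to an
        # explicit version would make the generated list reproducible.
        uses: abatilo/actions-poetry@v4
        with:
          poetry-version: 'latest'

      - name: Install dependencies
        run: |
          poetry install --no-interaction --with dev

      - name: Run false positive tests
        # Failing tests are the expected signal here (each failure is a
        # false positive that the next step extracts), so pytest exiting 1
        # must not abort the job. Any higher exit code (interrupted, internal
        # error, usage error, no tests collected) means the suite did not run,
        # and continuing would publish an empty list over the current one.
        # `tee` hides pytest's status from `-e`, so read it from PIPESTATUS.
        run: |
          $(poetry env activate)
          pytest -q --tb no -m validate_targets_fp -n 20 | tee fp_test_results.txt
          pytest_rc=${PIPESTATUS[0]}
          deactivate
          if [ "$pytest_rc" -gt 1 ]; then
            echo "pytest did not run to completion (exit code $pytest_rc)" >&2
            exit "$pytest_rc"
          fi

      - name: Parse false positive detections by desired categories
        # Extracts the parametrised test id (the text inside `test_false_pos[...]`)
        # from result lines, split by outcome. A run with no matching lines
        # produces an empty file, which is the legitimate "no findings" case.
        run: |
          grep -oP '(?<=test_false_pos\[)[^\]]+(?=\].*result was Claimed)' fp_test_results.txt \
            | sort -u > false_positive_exclusions.txt
          grep -oP '(?<=test_false_pos\[)[^\]]+(?=\].*result was WAF)' fp_test_results.txt \
            | sort -u > waf_hits.txt

      - name: Detect if exclusions list changed
        id: detect_changes
        run: |
          git fetch origin exclusions || true
          if git show origin/exclusions:false_positive_exclusions.txt > previous_exclusions.txt 2>/dev/null; then
            # Branch and file exist: compare the published copy byte-for-byte
            # with the freshly generated one. `git diff <commit> -- <path>` is
            # not usable for this: the generated file is untracked on this
            # checkout, so that form reports it as deleted and would always
            # signal a change.
            if cmp -s previous_exclusions.txt false_positive_exclusions.txt; then
              echo "exclusions_changed=false" >> "$GITHUB_OUTPUT"
            else
              echo "exclusions_changed=true" >> "$GITHUB_OUTPUT"
            fi
          else
            # Branch or file does not exist yet: treat as changed so it gets published
            echo "exclusions_changed=true" >> "$GITHUB_OUTPUT"
          fi
          rm -f previous_exclusions.txt

      - name: Quantify and display results
        run: |
          FP_COUNT=$(wc -l < false_positive_exclusions.txt | xargs)
          WAF_COUNT=$(wc -l < waf_hits.txt | xargs)
          echo ">>> Found $FP_COUNT false positives and $WAF_COUNT WAF hits."
          echo ">>> False positive exclusions:" && cat false_positive_exclusions.txt
          echo ">>> WAF hits:" && cat waf_hits.txt

      - name: Commit and push exclusions list
        if: steps.detect_changes.outputs.exclusions_changed == 'true'
        # The generated file is carried across the branch switch via a stash:
        # it is renamed, force-added (it is gitignored on this branch), stashed,
        # then restored once `exclusions` is checked out. The orphan fallback
        # creates the branch from scratch when it does not exist on the remote.
        run: |
          git config user.name "Paul Pfeister (automation)"
          git config user.email "[email protected]"
          mv false_positive_exclusions.txt false_positive_exclusions.txt.tmp
          git add -f false_positive_exclusions.txt.tmp  # -f required to override .gitignore
          git stash push -m "stash false positive exclusion list" -- false_positive_exclusions.txt.tmp
          git fetch origin exclusions || true  # Allows creation of branch if deleted
          git checkout -B exclusions origin/exclusions || (git checkout --orphan exclusions && git rm -rf .)
          git stash pop || true
          mv false_positive_exclusions.txt.tmp false_positive_exclusions.txt
          git rm -f false_positive_exclusions.txt.tmp || true
          git add false_positive_exclusions.txt
          git commit -m "auto: update exclusions list" || echo "No changes to commit"
          git push origin exclusions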