Automatically scanning release binaries with over 70 antiviruses via VirusTotal in GitHub Actions workflows

in #bitshares, 2 years ago (edited)


In a past blog post I wrote about our recent use of GitHub Actions workflows for automating the building and release of Bitshares Beet and Bitshares NFT tools.

Since the applications we're releasing via GitHub are unsigned and new, antivirus applications will quarantine and scan the apps before use. This is expected behaviour, but we can address this initial response to our apps without signing the code, by submitting the binaries to the majority of antivirus solutions via VirusTotal!

Now that we automatically scan the deliverables, your antivirus will gain new signatures via antivirus signature updates and will be less likely to freak out upon running our software.

I tried using ghaction-virustotal to scan the binaries; however, I encountered max file size issues blocking its use.

So rather than use the above action, I figured we could use VirusTotal's CLI directly in the GitHub Actions workflow; here's an example build step from the Bitshares NFT Viewer:

  generate:
    name: generate files
    needs: build
    runs-on: ubuntu-latest
    steps:
    - name: reqs
      run: sudo apt-get install unzip
    - name: Download VT
      run: wget https://github.com/VirusTotal/vt-cli/releases/download/0.10.2/Linux64.zip
    - name: Unzip VT
      run: unzip Linux64.zip
    - name: Prepare
      run: chmod +x vt
    - name: Download exe
      id: download
      uses: actions/download-artifact@v3
      with:
        name: nft_viewer.exe
        path: ~/
    - name: Download deb
      uses: actions/download-artifact@v3
      with:
        name: nft_viewer.deb
        path: ~/
    - name: Download dmg
      uses: actions/download-artifact@v3
      with:
        name: nft_viewer.dmg
        path: ~/
    - name: scan
      id: scan
      env:
        # vt-cli reads the API key from VTCLI_APIKEY, which keeps it off the command line
        VTCLI_APIKEY: ${{ secrets.VT_API_KEY }}
      run: |
          # The second space-separated field of the scan output is the analysis id.
          # Step outputs go to $GITHUB_OUTPUT (the ::set-output command is deprecated).
          echo "debVT=$(./vt scan file /home/runner/nft_viewer.deb | cut -d' ' -f2)" >> "$GITHUB_OUTPUT"
          echo "exeVT=$(./vt scan file /home/runner/nft_viewer.exe | cut -d' ' -f2)" >> "$GITHUB_OUTPUT"
          echo "dmgVT=$(./vt scan file /home/runner/nft_viewer.dmg | cut -d' ' -f2)" >> "$GITHUB_OUTPUT"
    - name: Calculate hashes
      id: calc_hash
      run: |
          # Keep only the 64 hex characters of each SHA-256 digest
          echo "debhash=$(sha256sum /home/runner/nft_viewer.deb | cut -c-64)" >> "$GITHUB_OUTPUT"
          echo "exehash=$(sha256sum /home/runner/nft_viewer.exe | cut -c-64)" >> "$GITHUB_OUTPUT"
          echo "dmghash=$(sha256sum /home/runner/nft_viewer.dmg | cut -c-64)" >> "$GITHUB_OUTPUT"
    - name: Perform release
      uses: BTS-CM/action-gh-release@cd28b0f5ee8571b76cfdaa62a30d51d752317477
      with:
        files: |
            /home/runner/nft_viewer.exe
            /home/runner/nft_viewer.deb
            /home/runner/nft_viewer.dmg
        tag_name: ${{ needs.create_release.outputs.tag-name }}
        body: |
                Release Notes
                _________________________________
                Binaries for download
                --------
                | Platform | SHA256 Checksum | VirusTotal Analyses |
                |---|---|---|
                |[Microsoft Windows](https://github.com/BTS-CM/NFT_Viewer/releases/download/${{ github.ref_name }}/nft_viewer.exe)|`${{steps.calc_hash.outputs.exehash}}`|[exe](https://www.virustotal.com/gui/file-analysis/${{steps.scan.outputs.exeVT}})|
                |[Linux](https://github.com/BTS-CM/NFT_Viewer/releases/download/${{ github.ref_name }}/nft_viewer.deb)|`${{steps.calc_hash.outputs.debhash}}`|[deb](https://www.virustotal.com/gui/file-analysis/${{steps.scan.outputs.debVT}})|
                |[MacOS](https://github.com/BTS-CM/NFT_Viewer/releases/download/${{ github.ref_name }}/nft_viewer.dmg)|`${{steps.calc_hash.outputs.dmghash}}`|[dmg](https://www.virustotal.com/gui/file-analysis/${{steps.scan.outputs.dmgVT}})|
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

In the above, we download and prepare VirusTotal's CLI tool, scan the files, and store each resulting analysis ID in a step output for inclusion in the release markdown.
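The scan and hash steps above publish whatever `cut` returns, so a failed upload would put an empty analysis link into the release notes. The following is an added example, not code from the NFT Viewer workflow: it validates the analysis ID and records it together with the checksum, and it provides the checksum comparison a downloader would run against the release table. The function names are hypothetical, and the `<path> <analysis id>` output shape and the ID character set are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helpers for the scan and hash steps.

# Succeed only if FILE's SHA-256 equals EXPECTED (hex, either case).
verify_sha256() {
  local file="$1" expected="$2" actual
  actual=$(sha256sum -- "$file" 2>/dev/null | cut -c-64)
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Print the analysis id from one line of `vt scan file` output.
# Assumption (implied by the page's `cut -d' ' -f2`): the line is
# "<path> <analysis id>". Taking the last field also copes with paths
# that contain spaces. Assumption: ids are base64-style characters only.
extract_analysis_id() {
  local line="$1" id
  id=${line##* }
  [ "$id" != "$line" ] || return 1   # no space at all: not a result line
  case $id in
    ''|*[!A-Za-z0-9+/_=-]*) return 1 ;;   # empty or unexpected characters
  esac
  printf '%s\n' "$id"
}

# Append <name>VT and <name>hash to $GITHUB_OUTPUT, or fail so the
# release job stops instead of publishing a dead analysis link.
record_scan() {
  local name="$1" file="$2" scan_line="$3" id digest
  [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 1; }
  id=$(extract_analysis_id "$scan_line") || {
    echo "no analysis id for $file" >&2; return 1; }
  digest=$(sha256sum -- "$file" | cut -c-64)
  printf '%sVT=%s\n%shash=%s\n' "$name" "$id" "$name" "$digest" >> "$GITHUB_OUTPUT"
}

# In the workflow step (not run here):
#   record_scan deb "$HOME/nft_viewer.deb" "$(./vt scan file "$HOME/nft_viewer.deb")"
```

`verify_sha256` can also pin the downloaded vt-cli archive before it is unzipped, using a digest you record yourself; the page does not give one.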

Output markdown (from nft_viewer releases)


| Platform | SHA256 Checksum | VirusTotal Analyses |
|---|---|---|
| Microsoft Windows | `45963330df9406bc51b72154e0222fe15470d7fda045b38f48d6838e2f7d14b4` | exe |
| Linux | `e1c2637a96ef68dc7deadb39a1690fc26a9143f8858d8d20ee4d6e7546edf45c` | deb |
| MacOS | `cc9c45381cf5f478f08a6108bfddeed62a2fee6cf69723d5c27ead02c9a092b4` | dmg |

This virustotal solution will be introduced to the Bitshares NFT issuance tool and will be proposed for the Bitshares beet repo too.

Don't forget to check out the nftea gallery for Bitshares based NFTs!
