scan_malware.yml

name: Xygeni Scan with malicious package
on:
  workflow_dispatch:  # Allows manual triggering
  # no push triggers
  # no pull request triggers
  # no schedule triggers

jobs:
  xygeni-scan:
    name: Xygeni Scan
    runs-on: ubuntu-latest
    steps:
      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'

      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Shallow clones should be disabled for better relevancy of analysis
      
      - name: Copying malicious files  
        #if: ${{ github.event.inputs.dep-malware == 'true' }}
        run: |
          echo "Substituting package.json with package.json.unsafe !!!"
          cp package.json.unsafe package.json

      - name: Xygeni-Scanner
        uses: xygeni/xygeni-action@v3.2.0
        id: Xygeni-Scanner
        with:
          xygeni_url: https://api.xygeni.io
          token: ${{ secrets.XY_TOKEN_PRO_TRIAL3 }}
          gh_token: ${{ secrets.GH_PAT }}
          command: scan --run="deps,suspectdeps,misconf" -n ${{ github.event.repository.name }}-${{ github.ref_name }}