first commit

Author: shumvgolove

.github/workflows/scan.yml

@@ -0,0 +1,37 @@
+name: "Scan Release Artifacts and Update README"
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  virus-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repo
+      uses: actions/checkout@v3
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+
+    - name: Install dependencies
+      run: |
+        pip install --upgrade pip
+        pip install requests PyGithub vt-py
+
+    - name: Scan & update README
+      env:
+        VT_API_KEY: ${{ secrets.VT_API_KEY }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        EXCLUDE_NAMES: 'LICENSE'
+        EXCLUDE_PREFIXES: '_'
+        PYTHONUNBUFFERED: '1'   # ensure immediate output flushing
+        REPOSITORY_TO_SCAN: 'simplex-chat/simplex-chat'
+      run: python scripts/scan_and_update.py

README.md

@@ -0,0 +1 @@
+# simplex-virutstotal-scan

scripts/scan_and_update.py

@@ -0,0 +1,174 @@
+import os
+import sys
+import requests
+import vt
+import hashlib
+from github import Github
+
+# Download release assets, compute SHA‑256, reuse existing VT report when present,
+# otherwise upload (wait_for_completion=True), then link VT GUI URL in README.
+
+
+def main():
+    # Common env variables
+    # --------------------
+
+    # VirusTotal API key. 500 requests per day, 15.5K requests per month.
+    vt_key = os.getenv("VT_API_KEY")
+
+    # Github token. Automatically set in Github Action.
+    gh_token = os.getenv("GITHUB_TOKEN")
+
+    # Repository to scan. Should be in format "simplex-chat/simplex-chat".
+    repo_name = os.getenv("REPOSITORY_TO_SCAN")
+
+    # Repository to commit changes.
+    update_repo_name = os.getenv("GITHUB_REPOSITORY")
+
+    # Exclude patterns and names. Can be comma seperated.
+    exclude_names = {n.strip() for n in os.getenv("EXCLUDE_NAMES", "").split(',') if n.strip()}
+    prefixes = [p for p in os.getenv("EXCLUDE_PREFIXES", "").split(',') if p]
+
+    # Check if variables exist early. If not - bail out.
+    if not vt_key or not gh_token or not repo_name or not update_repo_name:
+        print("ERROR: Missing VT_API_KEY, GITHUB_TOKEN, or REPOSITORY_TO_SCAN")
+        sys.exit(1)
+
+    # Clients setup
+    # -------------
+
+    vt_client = vt.Client(vt_key)
+    gh = Github(gh_token)
+    repo = gh.get_repo(update_repo_name)
+
+    # Fetch only latest release
+    release = requests.get(
+        f"https://api.github.com/repos/{repo_name}/releases/latest",
+        headers={"Authorization": f"token {gh_token}", "Accept": "application/vnd.github.v3+json"},
+        timeout=30,
+    ).json()
+
+    # Get release name
+    release_name = release.get("name") or release.get("tag_name") or "latest"
+
+    # Init tuple for final table.
+    # Format: markdown_linl, mal, sys, und
+    results = []
+
+    # Now, let's prcoess each release artifact
+    # For every artifact
+    for asset in release.get("assets", []):
+        # Get it's name
+        name = asset.get("name") or ""
+        # Safety check
+        if not name:
+            continue
+        # And exclude based on predefined patterns
+        if name in exclude_names or any(name.startswith(p) for p in prefixes):
+            print(f"Skipping excluded asset: {name}")
+            continue
+
+        # Now, get URL
+        url = asset.get("browser_download_url")
+        # Safety check
+        if not url:
+            continue
+
+        # Create "assets" directory
+        os.makedirs("assets", exist_ok=True)
+
+        print(f"Processing {name} …")
+
+        # Download and compute SHA-256
+        try:
+            with requests.get(url, stream=True, timeout=60) as resp:
+                resp.raise_for_status()
+                path = os.path.join("assets", name)
+                with open(path, "wb") as out_file:
+                    sha = hashlib.sha256()
+                    for chunk in resp.iter_content(8192):
+                        out_file.write(chunk)
+                        sha.update(chunk)
+            file_path = path
+            sha256 = sha.hexdigest()
+        except Exception as e:
+            print(f"Download error for {name}: {e}")
+            continue
+
+        # VirusTotal link in final README
+        vt_url = f"https://www.virustotal.com/gui/file/{sha256}"
+        markdown_link = f"[{name}]({vt_url})"
+
+        # Check VirusTotal cache
+        try:
+            file_obj = vt_client.get_object(f"/files/{sha256}")
+            # Cache hit, we can proceed
+            stats = file_obj.last_analysis_stats
+            print(f"VT cache hit for {name} (SHA‑256: {sha256}) → using existing report.")
+        # No cache hit, we should upload file to VirusTotal
+        except vt.error.APIError as e:
+            if getattr(e, "code", None) == "NotFoundError" or getattr(e, "status_code", 0) == 404:
+                print(f"Uploading {name} to VirusTotal …")
+                try:
+                    with open(file_path, "rb") as f:
+                        analysis = vt_client.scan_file(f, wait_for_completion=True)
+                except Exception as up_err:
+                    print(f"Upload failed for {name}: {up_err}")
+                    os.remove(file_path)
+                    continue
+                # After completion, pull file object via hash
+                try:
+                    file_obj = vt_client.get_object(f"/files/{sha256}")
+                    stats = file_obj.last_analysis_stats
+                except Exception as fetch_err:
+                    print(f"Failed to fetch stats for {name}: {fetch_err}")
+                    os.remove(file_path)
+                    continue
+            else:
+                print(f"Unexpected VT error for {name}: {e}")
+                os.remove(file_path)
+                continue
+        finally:
+            os.remove(file_path)
+
+        # Populate tuple with results
+        results.append((markdown_link,
+                        stats.get("malicious", 0),
+                        stats.get("suspicious", 0),
+                        stats.get("undetected", 0)))
+
+    # Don't forget to close the client
+    vt_client.close()
+
+    # Just a safety check
+    if not results:
+        print("No scan results to update.")
+        return
+
+    # Let's build README
+    lines = [
+        f"# VirusTotal Scan Results for Release: {release_name}",
+        "",
+        "| File | Malicious | Suspicious | Undetected |",
+        "| --- | --- | --- | --- |",
+    ]
+    # The actial data
+    for link, mal, sus, und in results:
+        lines.append(f"| {link} | {mal} | {sus} | {und} |")
+    content = '\n'.join(lines)
+
+    # And commit everything to our READM
+    try:
+        readme = repo.get_contents("README.md")
+        repo.update_file(
+            readme.path,
+            "chore: update README with VT scan results",
+            content,
+            readme.sha,
+        )
+        print("README.md successfully updated.")
+    except Exception as e:
+        print(f"Failed to update README.md: {e}")
+
+if __name__ == "__main__":
+    main()