first commit

Author: shumvgolove

.github/workflows/scan.yml

@@ -0,0 +1,34 @@
+name: "Scan Release Artifacts and Update README"
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+jobs:
+  virus-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repo
+      uses: actions/checkout@v3
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+
+    - name: Install dependencies
+      run: |
+        pip install --upgrade pip
+        pip install requests PyGithub vt-py
+
+    - name: Scan & update README
+      env:
+        VT_API_KEY: ${{ secrets.VT_API_KEY }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        EXCLUDE_NAMES: 'LICENSE'
+        EXCLUDE_PREFIXES: '_'
+        PYTHONUNBUFFERED: '1'   # ensure immediate output flushing
+        REPOSITORY_TO_SCAN: 'simplex-chat/simplex-chat'
+      run: python scripts/scan_and_update.py

README.md

@@ -0,0 +1 @@
+# simplex-virutstotal-scan

scripts/scan_and_update.py

@@ -0,0 +1,88 @@
+import os
+import sys
+import requests
+import vt
+import tempfile
+from pathlib import Path
+from github import Github
+
+# Download release assets, scan with VirusTotal, update README
+
+def main():
+    vt_key = os.getenv('VT_API_KEY')
+    gh_token = os.getenv('GITHUB_TOKEN')
+    repo_name = os.getenv('REPOSITORY_TO_SCAN')
+    exclude_names = set(n.strip() for n in os.getenv('EXCLUDE_NAMES', '').split(',') if n.strip())
+    prefixes = [p for p in os.getenv('EXCLUDE_PREFIXES', '').split(',') if p]
+
+    if not vt_key or not gh_token or not repo_name:
+        print('ERROR: VT_API_KEY, GITHUB_TOKEN, and REPOSITORY_TO_SCAN must be set')
+        sys.exit(1)
+
+    vt_client = vt.Client(vt_key)
+    gh = Github(gh_token)
+    repo = gh.get_repo(repo_name)
+
+    results = []
+    releases = requests.get(
+        f'https://api.github.com/repos/{repo_name}/releases',
+        headers={'Authorization': f'token {gh_token}', 'Accept': 'application/vnd.github.v3+json'}
+    ).json()
+
+    for release in releases:
+        for asset in release.get('assets', []):
+            name = asset.get('name')
+            if not name or name in exclude_names or any(name.startswith(pref) for pref in prefixes):
+                print(f"Skipping {name}")
+                continue
+
+            url = asset.get('browser_download_url')
+            if not url:
+                continue
+
+            print(f"Downloading and scanning {name}...")
+            try:
+                with tempfile.NamedTemporaryFile(delete=False) as tmp_file:
+                    download = requests.get(url, stream=True)
+                    for chunk in download.iter_content(chunk_size=8192):
+                        tmp_file.write(chunk)
+                    tmp_file_path = tmp_file.name
+
+                with open(tmp_file_path, 'rb') as f:
+                    analysis = vt_client.scan_file(f, wait_for_completion=True)
+                    stats = analysis.data.attributes.stats
+                    results.append((name,
+                                    stats.get('malicious', 0),
+                                    stats.get('suspicious', 0),
+                                    stats.get('undetected', 0)))
+                os.remove(tmp_file_path)
+            except Exception as e:
+                print(f"Failed to scan {name}: {e}")
+
+    vt_client.close()
+
+    if not results:
+        print("No scan results to update.")
+        return
+
+    lines = [
+        '# VirusTotal Scan Results',
+        '',
+        '| Filename | Malicious | Suspicious | Undetected |',
+        '| --- | --- | --- | --- |'
+    ]
+    for name, mal, sus, und in results:
+        lines.append(f"| {name} | {mal} | {sus} | {und} |")
+    content = '\n'.join(lines)
+
+    contents = repo.get_contents('README.md')
+    repo.update_file(
+        contents.path,
+        'chore: update README with VT scan results',
+        content,
+        contents.sha
+    )
+    print("README.md updated.")
+
+if __name__ == '__main__':
+    main()