Initial release

.github/workflows/build-image.yml

@@ -0,0 +1,47 @@
+---
+name: Build and publish image to Github Packages
+on:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+
+jobs:
+  publish-wp-scanner-action-image:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Login to Github Packages
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{raw}}
+            type=semver,pattern={{major}}
+            type=semver,pattern={{version}}
+            type=sha
+            type=raw,enable=true,value=latest
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: image
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}

.github/workflows/release-tag-major-version.yml

@@ -0,0 +1,39 @@
+---
+name: Tag major version on release
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  tag-release:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Tag release with vX tag
+        shell: bash
+        run: |
+          RELEASE_NAME="${GITHUB_REF#refs/tags/}"
+          echo "Release name: ${RELEASE_NAME}"
+          if [[ "${RELEASE_NAME}" =~ ^(v[0-9]+)[.] ]]; then
+            RELEASE_TAG_SHORT="${BASH_REMATCH[1]}"
+            echo "Release tag short: ${RELEASE_TAG_SHORT}"
+            # Git config
+            git config --local user.name 10upbot
+            git config --local user.email [email protected]
+            # Create tag locally
+            git tag -f -a "${RELEASE_TAG_SHORT}" -m "Automated GitHub Actions release: ${RELEASE_TAG_SHORT}"
+            # Delete remote tag
+            git push origin :refs/tags/"${RELEASE_TAG_SHORT}"
+            # Push tag to remote
+            git push origin "${RELEASE_TAG_SHORT}"
+          else
+            echo "Release name does not match vX pattern: ${RELEASE_NAME}"
+            echo "Nothing to do!"
+          fi

.github/workflows/tests.yml

@@ -0,0 +1,22 @@
+---
+name: Shellcheck test
+
+on:
+  push:
+    branches:
+      - '**'
+      - '!trunk'
+
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.ref }}
+
+      - name: shellcheck
+        uses: ludeeus/action-shellcheck@master

.gitignore

@@ -0,0 +1,5 @@
+# Ignore temporary OS files
+.DS_Store
+.DS_Store?
+.Spotlight-V100
+.Trashes

CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/).
+
+## [v1.0.0] - 2024-07-19
+
+### Added
+
+- Initial action release

CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at [email protected]. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

CONTRIBUTING.md

@@ -0,0 +1,23 @@
+# Contributing and Maintaining
+
+First, thank you for taking the time to contribute!
+
+The following is a set of guidelines for contributors as well as information and instructions around our maintenance process. The two are closely tied together in terms of how we all work together and set expectations, so while you may not need to know everything in here to submit an issue or pull request, it's best to keep them in the same document.
+
+## Ways to contribute
+
+Contributing isn't just writing code - it's anything that improves the project. All contributions are managed right here on GitHub.  Here are some ways you can help:
+
+### Reporting bugs
+
+If you're running into an issue, please take a look through [existing issues](https://github.com/10up/wp-scanner-action/issues) and [open a new one](https://github.com/10up/wp-scanner-action/issues/new) if needed. If you're able, include steps to reproduce, environment information, and screenshots/screencasts as relevant.
+
+### Suggesting enhancements
+
+New features and enhancements are also managed via [issues](https://github.com/10up/wp-scanner-action/issues).
+
+### Pull requests
+
+Pull requests represent a proposed solution to a specified problem. They should always reference an issue that describes the problem and contains discussion about the problem itself. Discussion on pull requests should be limited to the pull request itself, i.e. code review.
+
+For more on how 10up writes and manages code, check out our [10up Engineering Best Practices](https://10up.github.io/Engineering-Best-Practices/).

CREDITS.md

@@ -0,0 +1,9 @@
+# Credits
+
+The following acknowledges the Maintainers for this repository, those who have Contributed to this repository (via bug reports, code, design, ideas, project management, translation, testing, etc.).
+
+## Maintainers
+
+The following individuals are responsible for curating the list of issues, responding to pull requests, and ensuring regular releases happen.
+
+[Douglas Barahona(@douz)](https://github.com/douz)

README.md

@@ -0,0 +1,112 @@
+# WordPress Scanner Action
+
+> Performs syntax checks, virus scanning and plugins and themes vulnerability checks for WordPress sites
+
+[![Support Level](https://img.shields.io/badge/support-active-green.svg)](#support-level) [![Release Version](https://img.shields.io/github/release/10up/wp-scanner-action.svg)](https://github.com/10up/wp-scanner-action/releases/latest) [![GPLv3 License](https://img.shields.io/badge/License-GPL%20v3-yellow.svg)](https://github.com/10up/wp-scanner-action/blob/trunk/LICENSE) [![Automated Tests](https://github.com/10up/wp-scanner-action/actions/workflows/test.yml/badge.svg)](https://github.com/10up/wp-scanner-action/actions/workflows/test.yml)
+
+This Github Action performs standard scanning for WordPress sites which includes PHP syntax checks, virus scanning and plugins and themes vulnerabilities scanning.
+
+# API Access
+
+This Action leverages our own [WP-CLI Vulnerability Scanner](https://github.com/10up/wpcli-vulnerability-scanner) to perform the known vulnerabilities scanning of WordPress plugins and themes. WP-CLI Vulnerability Scanner works with [WPScan](https://wpscan.com), [Patchstack](https://patchstack.com/) and [Wordfence Intelligence](https://www.wordfence.com/threat-intel/) to check reported vulnerabilities; you can choose any one of these three to use.
+***Note**: Authentication is optional for the Wordfence Intelligence Vulnerability API.*
+
+# Inputs
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `vuln_api_provider` | True | - | The vulnerability API provider for the WordPress plugins and themes scanning. Supported values: `wordfence`, `patchstack` and `wpscan` |
+| `vuln_api_token` | False | - | The API token to authenticate against the vulnerability API provider. This input is optional if `vuln_api_provider` is set to `wordfence` |
+| `disable_vuln_scan` | False | `false` | Disable the WordPress plugins and themes vulnerability scanner |
+| `virus_scan_update` | False | `true` | Update the ClamAV definitions database before executing the virus scanner (recommended) |
+| `disable_virus_scan` | False | `false` | Disable the ClamAV virus scanner |
+| `phpsyntax_enable_debug` | False | `false` | The PHP syntax checks could generate a large output depending on the amount of PHP files in the repository, for this reason the output is suppresed by default. Set this input to `true` if you want to visualize the full output. Useful for troubleshooting in case the PHP syntax checks fails |
+| `disable_phpsyntax_check` | False | `false` | Disable the PHP syntax checks |
+| `content_dir` | False | `$GITHUB_WORKSPACE` | Location of the `wp-content` directory inside the repository. Set this input to `./` if you have a `wp-content` based repository |
+| `wp_core_version` | False | `latest` | WordPress core version to use for the plugins and themes vulnerability scanner. Must match the version of your WordPress site for better results |
+| `composer_build` | False | `false` | Install the Composer dependencies in your `composer.json` file before executing the WordPress plugins and themes vulnerability scanner. The `composer.json` file must exists in the repository's root directory. Set this input to `true` if you install plugins and themes via Composer in CI. ***Note: This won't affect your final deploy artifact*** |
+| `no_fail` | False | `false` | Exits the scanner without failing even if any issues are found |
+
+
+# Examples
+
+## Install Composer dependencies before scanning
+
+This example assumes that you have a `wp-content` based repository and uses [Patchstack](https://patchstack.com/) as the API provider.
+
+```yaml
+name: "PHP Syntax Check, virus scanning, and WP Plugins & Themes vulnerability scanning"
+
+on:
+  push:
+    branches:
+      - '**'
+
+jobs:
+  wp-scanner:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: WordPress Scanner
+        uses: 10up/wp-scanner-action@v1
+        with:
+          vuln_api_provider: 'patchstack'
+          vuln_api_token: ${{ secrets.PATCHSTACK_TOKEN }}
+          content_dir: './'
+          wp_core_version: '6.5.5'
+          composer_build: 'true'
+```
+
+## Plugins and Themes under version control
+
+This example assumes that you have all plugins and themes under version control inside a directory named `wp-content` in the repository.
+
+```yaml
+name: "PHP Syntax Check, virus scanning, and WP Plugins & Themes vulnerability scanning"
+
+on:
+  push:
+    branches:
+      - '**'
+
+jobs:
+  wp-scanner:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+      
+      - name: WordPress Scanner
+        uses: 10up/wp-scanner-action@v1
+        with:
+          vuln_api_provider: 'patchstack'
+          vuln_api_token: ${{ secrets.PATCHSTACK_TOKEN }}
+          content_dir: './wp-content'
+          wp_core_version: '6.5.5'
+```
+
+# Support Level
+
+**Active:** 10up is actively working on this, and we expect to continue work for the foreseeable. Bug reports, feature requests, questions, and pull requests are welcome.
+
+# Changelog
+
+A complete listing of all notable changes to this Github Action are documented in [CHANGELOG.md](https://github.com/10up/wp-scanner-action/blob/trunk/CHANGELOG.md).
+
+# Contributing
+
+Please read [CODE_OF_CONDUCT.md](https://github.com/10up/wp-scanner-action/blob/trunk/CODE_OF_CONDUCT.md) for details on our code of conduct, [CONTRIBUTING.md](https://github.com/10up/wp-scanner-action/blob/trunk/CONTRIBUTING.md) for details on the process for submitting pull requests to us, and [CREDITS.md](https://github.com/10up/wp-scanner-action/blob/trunk/CREDITS.md) for a listing of maintainers and contributors.
+
+# Like what you see?
+
+<p align="center">
+<a href="http://10up.com/contact/"><img src="https://10up.com/uploads/2016/10/10up-Github-Banner.png" width="850"></a>
+</p>