#!/bin/bash # trigger-scans.sh — Package example malicious files and trigger GuardDog Nexus scans # # Usage (Docker): # ./examples/trigger-scans.sh # # This script builds 3 example packages with known GuardDog-detected patterns # (exec-base64, shady-links, code-execution, npm-api-obfuscation, go-exec-base64), # copies them into the Docker container, and sends webhooks to trigger scans. set -e SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" WEBHOOK_URL="${WEBHOOK_URL:-http://localhost:8080/webhooks/nexus}" CONTAINER="${CONTAINER:-guarddog-nexus-guarddog-nexus-1}" WORKDIR="$(mktemp -d)" echo "Working in: $WORKDIR" trap "rm -rf $WORKDIR" EXIT # --- PyPI --- echo "=== Building evil-pypi-0.1.0.tar.gz ===" tar -czf "$WORKDIR/evil-pypi-0.1.0.tar.gz" -C "$SCRIPT_DIR/evil-pypi" setup.py src/ docker cp "$WORKDIR/evil-pypi-0.1.0.tar.gz" "$CONTAINER:/tmp/" # --- npm --- echo "=== Building evil-npm-1.0.0.tgz ===" tar -czf "$WORKDIR/evil-npm-1.0.0.tgz" -C "$SCRIPT_DIR/evil-npm" index.js docker cp "$WORKDIR/evil-npm-1.0.0.tgz" "$CONTAINER:/tmp/" # --- Go --- echo "=== Building evil-go-v0.1.0.zip ===" python3 -c " import zipfile,os z=zipfile.ZipFile('$WORKDIR/evil-go-v0.1.0.zip','w') for f in os.listdir('$SCRIPT_DIR/evil-go'): z.write(os.path.join('$SCRIPT_DIR/evil-go',f),f) z.close() " docker cp "$WORKDIR/evil-go-v0.1.0.zip" "$CONTAINER:/tmp/" # --- Start HTTP server inside container --- echo "=== Starting HTTP server ===" docker compose exec -d guarddog-nexus python3 -m http.server 9999 -d /tmp 2>/dev/null sleep 2 # --- Trigger webhooks --- echo "" echo "=== Triggering webhooks ===" curl -s -X POST "$WEBHOOK_URL" -H "Content-Type: application/json" -d \ '{"action":"UPDATED","repositoryName":"pypi-proxy","asset":{"format":"pypi","name":"/packages/evil-pypi/0.1.0/evil-pypi-0.1.0.tar.gz","downloadUrl":"http://127.0.0.1:9999/evil-pypi-0.1.0.tar.gz"}}' echo " → pypi: evil-pypi 0.1.0" sleep 1 curl -s -X POST "$WEBHOOK_URL" -H "Content-Type: application/json" -d \ '{"action":"UPDATED","repositoryName":"npm-proxy","asset":{"format":"npm","name":"/packages/evil-npm/-/evil-npm-1.0.0.tgz","downloadUrl":"http://127.0.0.1:9999/evil-npm-1.0.0.tgz"}}' echo " → npm: evil-npm 1.0.0" sleep 1 curl -s -X POST "$WEBHOOK_URL" -H "Content-Type: application/json" -d \ '{"action":"UPDATED","repositoryName":"go-proxy","asset":{"format":"go","name":"/packages/github.com/evil/evil-go/@v/v0.1.0.zip","downloadUrl":"http://127.0.0.1:9999/evil-go-v0.1.0.zip"}}' echo " → go: evil-go v0.1.0" echo "" echo "=== Waiting for scans (15s)... ===" sleep 15 echo "" echo "=== Results ===" curl -s "http://localhost:8080/api/v1/scans?limit=3&sort_by=id&sort_dir=desc" | python3 -c " import json,sys data = json.load(sys.stdin) for s in data['scans']: f = '⚠' if s['flagged'] else '✓' print(f'{f} #{s[\"id\"]:>4} {s[\"ecosystem\"]:>4} {s[\"package_name\"]:30} {s[\"package_version\"]:>10} {s[\"status\"]:12} findings={s[\"total_findings\"]}') " 2>&1