add RL_PACK_SAFE option

rl-maartenb · rl-maartenb · commit a3f191a8f0e8 · 2025-06-03T14:56:09.000+02:00
diff --git a/README.md b/README.md
@@ -99,6 +99,7 @@ The Base64-encoded license string and the site key must be provided to the pipel
 | `RL_STORE`                | No | If using a package store, use this parameter to provide the path to a directory where the self-hosted package store has been initialized. |
 | `RL_PACKAGE_URL`          | No | If using a package store, use this parameter to specify the package URL (PURL) for the scanned artifact. The package URL should be in the format `project/package@version`; for example `testing/demo-rl-scanner@v1.0.3`. |
 | `RL_DIFF_WITH`            | No | If using a package store, use this parameter to specify a previously scanned package version to compare (diff) against. |
+| `RL_PACK_SAFE`            | No | Use this parameter to generate a SAFE archive (report.rl-safe) for the scan. |
 | `RL_VERBOSE`              | No | Set to anything but '' to provide more feedback in the output while running the scan. Disabled by default. |
 
 
diff --git a/rl-scanner-gitlab-include.yml b/rl-scanner-gitlab-include.yml
@@ -27,6 +27,7 @@
 # RL_STORE
 # RL_PACKAGE_URL
 # RL_DIFF_WITH
+# RL_PACK_SAFE
 
 # If the local runner needs to access the internet via a proxy we support that using:
 # RLSECURE_PROXY_SERVER
@@ -39,7 +40,7 @@
 job-reversinglabs-rl-scanner:
   # This job will run in the test stage of the pipeline
   stage: test
-      
+
   # We will run the reversinglabs/rl-scanner:latest Docker image,
   # but will use our own entry point to make it compatible with GitLab runner.
   image:
@@ -93,6 +94,7 @@ job-reversinglabs-rl-scanner:
       # - RL_STORE: optional, string, default ''.
       # - RL_PACKAGE_URL: optional, string, default ''.
       # - RL_DIFF_WITH: optional, string, default ''.
+      # - RL_PACK_SAFE: optional, string, default ''.
       #
       # E) Additional verbosity can be configured with:
       # - RL_VERBOSE: optional, default '' (anything else will be treated as true)
@@ -107,6 +109,7 @@ job-reversinglabs-rl-scanner:
       RL_STORE:                 ${RL_STORE:-No path specified for RL_STORE: no diff scan can be executed}
       RL_PACKAGE_URL:           ${RL_PACKAGE_URL:-No package URL given: no diff scan can be executed}
       RL_DIFF_WITH:             ${RL_DIFF_WITH:-No diff with was requested}
+      RL_PACK_SAFE:             ${RL_PACK_SAFE:-No RL-SAFE archive was requested}
       RLSECURE_PROXY_SERVER:    ${RLSECURE_PROXY_SERVER:-No proxy server was provided}
       RLSECURE_PROXY_PORT:      ${RLSECURE_PROXY_PORT:-No proxy port was provided}
       RLSECURE_PROXY_USER:      ${RLSECURE_PROXY_USER:-No proxy user was provided}
@@ -206,25 +209,37 @@ job-reversinglabs-rl-scanner:
       run_scan_nostore()
       {
           RL_LEVEL_STR=""
+          RL_PACK_SAFE_STR=""
           if [ ! -z "${RL_LEVEL}" ]
           then
               RL_LEVEL_STR="--rl-level=$RL_LEVEL"
           fi
+          if [ ! -z "${RL_PACK_SAFE}" ]
+          then
+              RL_PACK_SAFE_STR="--pack-safe"
+          fi
           rl-scan \
               $RL_LEVEL_STR --package-path="./${PACKAGE_PATH}/${MY_ARTIFACT_TO_SCAN}" \
               --report-path="${REPORT_PATH}" \
-              --report-format=all 1>1 2>2
+              --report-format=all \
+              ${RL_PACK_SAFE_STR} 1>1 2>2
           RR=$?
       }
       run_scan_withstore()
       {
+          RL_PACK_SAFE_STR=""
+          if [ ! -z "${RL_PACK_SAFE}" ]
+          then
+              RL_PACK_SAFE_STR="--pack-safe"
+          fi
           rl-scan \
               --rl-store="${RL_STORE}" \
               --purl="${RL_PACKAGE_URL}" \
               --replace \
               --package-path="./${PACKAGE_PATH}/${MY_ARTIFACT_TO_SCAN}" \
               --report-path="${REPORT_PATH}" \
               --report-format=all \
+              ${RL_PACK_SAFE_STR} \
               ${DIFF_WITH} 1>1 2>2
           RR=$?
       }
