Cross-Provider Workflow

Palo Alto WildFire URL Verdict to GitHub Issue

Version 1.0.0

Submit a suspicious URL to WildFire, fetch its verdict, and open a GitHub issue.

1 workflow, 2 source APIs, 2 providers

Providers Orchestrated

palo-alto-networks github

Workflows

wildfire-verdict-to-issue
Submit a URL to WildFire, get the verdict, and open a GitHub issue.
Submits a suspicious URL to WildFire, retrieves the verdict for the resulting sample hash, and creates a GitHub issue to track remediation.
3 steps
Inputs: apikey, owner, repo, sampleHash, suspiciousUrl
Outputs: issueUrl, verdict

1. submit-url ($sourceDescriptions.wildfireApi.submitUrl)
   Submit a suspicious URL to WildFire for analysis.
2. get-verdict ($sourceDescriptions.wildfireApi.getVerdict)
   Retrieve the WildFire verdict for the submitted sample hash.
3. open-issue ($sourceDescriptions.githubRepoIssuesApi.createAnIssue)
   Open a GitHub issue to track the malicious verdict.

Source API Descriptions

Arazzo Workflow Specification

sec-palo-wildfire-verdict-to-github-issue.yml
arazzo: 1.0.1
info:
  title: Palo Alto WildFire URL Verdict to GitHub Issue
  summary: Submit a suspicious URL to WildFire, fetch its verdict, and open a GitHub issue.
  description: >-
    A malware analysis workflow that submits a suspicious URL to Palo Alto Networks WildFire,
    retrieves the analysis verdict for the resulting sample, and opens a GitHub issue when the
    content is judged malicious so engineering can remediate. Demonstrates orchestrating a
    malware analysis sandbox with a code host in a single Arazzo workflow.
  version: 1.0.0
sourceDescriptions:
  - name: wildfireApi
    url: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-wildfire-api-openapi-original.yml
    type: openapi
  - name: githubRepoIssuesApi
    url: https://raw.githubusercontent.com/api-evangelist/github/refs/heads/main/openapi/github-repo-issues-api-openapi.yml
    type: openapi
workflows:
  - workflowId: wildfire-verdict-to-issue
    summary: Submit a URL to WildFire, get the verdict, and open a GitHub issue.
    description: >-
      Submits a suspicious URL to WildFire, retrieves the verdict for the resulting sample
      hash, and creates a GitHub issue to track remediation.
    inputs:
      type: object
      properties:
        apikey:
          type: string
        suspiciousUrl:
          type: string
        sampleHash:
          type: string
        owner:
          type: string
        repo:
          type: string
    steps:
      - stepId: submit-url
        description: Submit a suspicious URL to WildFire for analysis.
        operationId: $sourceDescriptions.wildfireApi.submitUrl
        requestBody:
          contentType: application/x-www-form-urlencoded
          payload:
            apikey: $inputs.apikey
            url: $inputs.suspiciousUrl
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          submitStatus: $statusCode
      - stepId: get-verdict
        description: Retrieve the WildFire verdict for the submitted sample hash.
        operationId: $sourceDescriptions.wildfireApi.getVerdict
        requestBody:
          contentType: application/x-www-form-urlencoded
          payload:
            apikey: $inputs.apikey
            hash: $inputs.sampleHash
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          verdict: $response.body#/wildfire/get-verdict-info/verdict
      - stepId: open-issue
        description: Open a GitHub issue to track the malicious verdict.
        operationId: $sourceDescriptions.githubRepoIssuesApi.createAnIssue
        parameters:
          - name: owner
            in: path
            value: $inputs.owner
          - name: repo
            in: path
            value: $inputs.repo
        requestBody:
          contentType: application/json
          payload:
            title: WildFire flagged malicious content
            body: A URL submitted to WildFire returned a verdict that requires remediation.
            labels:
              - security
              - malware
        successCriteria:
          - condition: $statusCode == 201
        outputs:
          issueNumber: $response.body#/number
          issueUrl: $response.body#/html_url
    outputs:
      verdict: $steps.get-verdict.outputs.verdict
      issueUrl: $steps.open-issue.outputs.issueUrl
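
The description says the issue is opened when the content is judged malicious, but as written the open-issue step runs whenever get-verdict returns 200, whatever the verdict is. The following Python is an added example, not part of the published workflow: it gates issue creation on the verdict and builds an issue payload that carries the defanged URL, hash and verdict. The function names, the ACTIONABLE set and the sample data are assumptions; the verdict codes come from the WildFire API documentation, not from this page.

```python
import re
import xml.etree.ElementTree as ET

# Verdict codes per the WildFire API documentation (not listed on this page).
VERDICTS = {0: "benign", 1: "malware", 2: "grayware", 4: "phishing", 5: "c2",
            -100: "pending", -101: "error", -102: "unknown", -103: "invalid hash"}
ACTIONABLE = {1, 4, 5}  # assumption: verdicts that warrant a remediation issue
RETRY = {-100}          # analysis still running: poll again, open nothing

SAMPLE_HASH = "0" * 64  # constructed placeholder, not a real sample hash


def sample_response(code):
    """Constructed get-verdict body, shaped like /wildfire/get-verdict-info/verdict."""
    return (f"<wildfire><get-verdict-info><sha256>{SAMPLE_HASH}</sha256>"
            f"<verdict>{code}</verdict></get-verdict-info></wildfire>")


def parse_verdict(xml_text):
    """Return the integer verdict, or raise ValueError if the body is malformed."""
    root = ET.fromstring(xml_text)
    node = root.find("get-verdict-info/verdict") if root.tag == "wildfire" else None
    if node is None or node.text is None:
        raise ValueError("no verdict element in response")
    return int(node.text.strip())


def defang(url):
    """Make the URL non-clickable before it is written into an issue."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")


def decide(xml_text, suspicious_url, sample_hash):
    """Return ("open", payload), ("retry", None) or ("skip", None)."""
    code = parse_verdict(xml_text)
    if code in RETRY:
        return "retry", None
    if code not in ACTIONABLE:
        return "skip", None  # benign, grayware, errors and unknown codes open nothing
    label = VERDICTS[code]
    body = (f"URL: {defang(suspicious_url)}\n"
            f"SHA-256: {sample_hash}\nVerdict: {code} ({label})")
    return "open", {"title": f"WildFire flagged {label} content",
                    "body": body, "labels": ["security", "malware"]}
```

Error verdicts (-101, -102, -103) fall through to "skip" here; a production runner would normally log or alert on them rather than drop them silently.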