From 75be9b5c00d4a9e7e7e2c6a55859f54d68bac0a8 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis <alex.p@freedom.press>
Date: Wed, 3 May 2023 15:34:16 +0300
Subject: [PATCH] ci: Add security scanning

Add two GitHub Actions workflows, that perform the following checks:

* Security scan the Python dependencies of the Dangerzone application
  (`poetry.lock`), for the current/main branch.
* Build and security scan the Dangerzone container image for the
  current/main branch.
* Security scan the Python dependencies of the Dangerzone application
  (`poetry.lock`), for the latest release of Dangerzone (currently
  v0.4.1).
* Download and security scan the Dangerzone container image for the
  latest release of Dangerzone (currently v0.4.1).

The first two checks will run on branch pushes, PRs, and nightly. The
last two checks will run only nightly, since the code in the current
branch cannot affect already released artifacts.

Also, besides the security scans, these workflows will also update the
Security alerts in the GitHub page for the Dangerzone project, and print
the SARIF report to the stdout, for debugging purposes.

Closes #222
---
 .github/workflows/scan.yml          | 70 ++++++++++++++++++++++++++
 .github/workflows/scan_released.yml | 77 +++++++++++++++++++++++++++++
 CHANGELOG.md                        |  5 ++
 3 files changed, 152 insertions(+)
 create mode 100644 .github/workflows/scan.yml
 create mode 100644 .github/workflows/scan_released.yml

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 0000000..9922921
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,70 @@
+name: Scan latest app and container
+on:
+  push:
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * *' # Run every day at 00:00 UTC.
+
+jobs:
+  security-scan-container:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Build container image
+        run: docker build container --tag dangerzone.rocks/dangerzone:latest
+      # NOTE: Scan first without failing, else we won't be able to read the scan
+      # report.
+      - name: Scan container image (no fail)
+        uses: anchore/scan-action@v3
+        id: scan_container
+        with:
+          image: "dangerzone.rocks/dangerzone:latest"
+          fail-build: false
+          only-fixed: true
+          severity-cutoff: critical
+      - name: Upload container scan report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan_container.outputs.sarif }}
+          category: container
+      - name: Inspect container scan report
+        run: cat ${{ steps.scan_container.outputs.sarif }}
+      - name: Scan container image
+        uses: anchore/scan-action@v3
+        with:
+          image: "dangerzone.rocks/dangerzone:latest"
+          fail-build: true
+          only-fixed: true
+          severity-cutoff: critical
+
+  security-scan-app:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      # NOTE: Scan first without failing, else we won't be able to read the scan
+      # report.
+      - name: Scan application (no fail)
+        uses: anchore/scan-action@v3
+        id: scan_app
+        with:
+          path: "."
+          fail-build: false
+          only-fixed: true
+          severity-cutoff: critical
+      - name: Upload application scan report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan_app.outputs.sarif }}
+          category: app
+      - name: Inspect application scan report
+        run: cat ${{ steps.scan_app.outputs.sarif }}
+      - name: Scan application
+        uses: anchore/scan-action@v3
+        with:
+          path: "."
+          fail-build: true
+          only-fixed: true
+          severity-cutoff: critical
diff --git a/.github/workflows/scan_released.yml b/.github/workflows/scan_released.yml
new file mode 100644
index 0000000..052d744
--- /dev/null
+++ b/.github/workflows/scan_released.yml
@@ -0,0 +1,77 @@
+name: Scan released app and container
+on:
+  schedule:
+    - cron: '0 0 * * *' # Run every day at 00:00 UTC.
+
+jobs:
+  security-scan-container:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Download container image for the latest release
+        run: |
+          VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
+          wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
+      - name: Load container image
+        run: docker load -i container.tar.gz
+      # NOTE: Scan first without failing, else we won't be able to read the scan
+      # report.
+      - name: Scan container image (no fail)
+        uses: anchore/scan-action@v3
+        id: scan_container
+        with:
+          image: "dangerzone.rocks/dangerzone:latest"
+          fail-build: false
+          only-fixed: true
+          severity-cutoff: critical
+      - name: Upload container scan report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan_container.outputs.sarif }}
+          category: container
+      - name: Inspect container scan report
+        run: cat ${{ steps.scan_container.outputs.sarif }}
+      - name: Scan container image
+        uses: anchore/scan-action@v3
+        with:
+          image: "dangerzone.rocks/dangerzone:latest"
+          fail-build: true
+          only-fixed: true
+          severity-cutoff: critical
+
+  security-scan-app:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Checkout the latest released tag
+        run: |
+          VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
+          git checkout $VERSION
+      # NOTE: Scan first without failing, else we won't be able to read the scan
+      # report.
+      - name: Scan application (no fail)
+        uses: anchore/scan-action@v3
+        id: scan_app
+        with:
+          path: "."
+          fail-build: false
+          only-fixed: true
+          severity-cutoff: critical
+      - name: Upload application scan report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan_app.outputs.sarif }}
+          category: app
+      - name: Inspect application scan report
+        run: cat ${{ steps.scan_app.outputs.sarif }}
+      - name: Scan application
+        uses: anchore/scan-action@v3
+        with:
+          path: "."
+          fail-build: true
+          only-fixed: true
+          severity-cutoff: critical
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e38600..73abee5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 
 ## [Unreleased]
 
+### Security
+
+- Continuously scan our Python dependencies and container image for
+  vulnerabilities ([issue #222](https://github.com/freedomofpress/dangerzone/issues/222))
+
 ## Dangerzone 0.4.1
 
 ### Added