almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

ci: Add security scanning

Browse source 
Add two GitHub Actions workflows, that perform the following checks:

* Security scan the Python dependencies of the Dangerzone application
  (`poetry.lock`), for the current/main branch.
* Build and security scan the Dangerzone container image for the
  current/main branch.
* Security scan the Python dependencies of the Dangerzone application
  (`poetry.lock`), for the latest release of Dangerzone (currently
  v0.4.1).
* Download and security scan the Dangerzone container image for the
  latest release of Dangerzone (currently v0.4.1).

The first two checks will run on branch pushes, PRs, and nightly. The
last two checks will run only nightly, since the code in the current
branch cannot affect already released artifacts.

Also, besides the security scans, these workflows will also update the
Security alerts in the GitHub page for the Dangerzone project, and print
the SARIF report to the stdout, for debugging purposes.

Closes #222
This commit is contained in:
Alex Pyrgiotis 2023-05-03 15:34:16 +03:00
parent 1a82962224
commit 75be9b5c00
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
3 changed files with 152 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

70
.github/workflows/scan.yml vendored Normal file
View file

@ -0,0 +1,70 @@
name: Scan latest app and container
on:
push:
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
jobs:
security-scan-container:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Build container image
run: docker build container --tag dangerzone.rocks/dangerzone:latest
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan container image (no fail)
uses: anchore/scan-action@v3
id: scan_container
with:
image: "dangerzone.rocks/dangerzone:latest"
fail-build: false
only-fixed: true
severity-cutoff: critical
- name: Upload container scan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan_container.outputs.sarif }}
category: container
- name: Inspect container scan report
run: cat ${{ steps.scan_container.outputs.sarif }}
- name: Scan container image
uses: anchore/scan-action@v3
with:
image: "dangerzone.rocks/dangerzone:latest"
fail-build: true
only-fixed: true
severity-cutoff: critical
security-scan-app:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan application (no fail)
uses: anchore/scan-action@v3
id: scan_app
with:
path: "."
fail-build: false
only-fixed: true
severity-cutoff: critical
- name: Upload application scan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan_app.outputs.sarif }}
category: app
- name: Inspect application scan report
run: cat ${{ steps.scan_app.outputs.sarif }}
- name: Scan application
uses: anchore/scan-action@v3
with:
path: "."
fail-build: true
only-fixed: true
severity-cutoff: critical

77
.github/workflows/scan_released.yml vendored Normal file
View file

@ -0,0 +1,77 @@
name: Scan released app and container
on:
schedule:
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
jobs:
security-scan-container:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Download container image for the latest release
run: |
VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
- name: Load container image
run: docker load -i container.tar.gz
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan container image (no fail)
uses: anchore/scan-action@v3
id: scan_container
with:
image: "dangerzone.rocks/dangerzone:latest"
fail-build: false
only-fixed: true
severity-cutoff: critical
- name: Upload container scan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan_container.outputs.sarif }}
category: container
- name: Inspect container scan report
run: cat ${{ steps.scan_container.outputs.sarif }}
- name: Scan container image
uses: anchore/scan-action@v3
with:
image: "dangerzone.rocks/dangerzone:latest"
fail-build: true
only-fixed: true
severity-cutoff: critical
security-scan-app:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Checkout the latest released tag
run: |
VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
git checkout $VERSION
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan application (no fail)
uses: anchore/scan-action@v3
id: scan_app
with:
path: "."
fail-build: false
only-fixed: true
severity-cutoff: critical
- name: Upload application scan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan_app.outputs.sarif }}
category: app
- name: Inspect application scan report
run: cat ${{ steps.scan_app.outputs.sarif }}
- name: Scan application
uses: anchore/scan-action@v3
with:
path: "."
fail-build: true
only-fixed: true
severity-cutoff: critical

5
CHANGELOG.md
View file

@ -7,6 +7,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
## [Unreleased] ## [Unreleased]
### Security
- Continuously scan our Python dependencies and container image for
vulnerabilities ([issue #222](https://github.com/freedomofpress/dangerzone/issues/222))
## Dangerzone 0.4.1 ## Dangerzone 0.4.1
### Added ### Added