mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 09:52:37 +02:00
51f432be6b
Find all references to the `container.tar.gz` file, and replace them with references to `container.tar`. Moreover, remove the `--no-save` argument of `build-image.py` since we now always save the image. Finally, fix some stale references to Poetry, which are not necessary anymore.
91 lines
2.7 KiB
YAML
91 lines
2.7 KiB
YAML
name: Scan latest app and container
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
schedule:
|
|
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
security-scan-container:
|
|
strategy:
|
|
matrix:
|
|
runs-on:
|
|
- ubuntu-24.04
|
|
- ubuntu-24.04-arm
|
|
runs-on: ${{ matrix.runs-on }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Build container image
|
|
run: |
|
|
python3 ./install/common/build-image.py \
|
|
--debian-archive-date $(date "+%Y%m%d") \
|
|
--runtime docker
|
|
docker load -i share/container.tar
|
|
- name: Get image tag
|
|
id: tag
|
|
run: echo "tag=$(cat share/image-id.txt)" >> $GITHUB_OUTPUT
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan container image (no fail)
|
|
uses: anchore/scan-action@v6
|
|
id: scan_container
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
|
|
fail-build: false
|
|
only-fixed: false
|
|
severity-cutoff: critical
|
|
- name: Upload container scan report
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: ${{ steps.scan_container.outputs.sarif }}
|
|
category: container
|
|
- name: Inspect container scan report
|
|
run: cat ${{ steps.scan_container.outputs.sarif }}
|
|
- name: Scan container image
|
|
uses: anchore/scan-action@v6
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
|
|
fail-build: true
|
|
only-fixed: false
|
|
severity-cutoff: critical
|
|
|
|
security-scan-app:
|
|
strategy:
|
|
matrix:
|
|
runs-on:
|
|
- ubuntu-24.04
|
|
- ubuntu-24.04-arm
|
|
runs-on: ${{ matrix.runs-on }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan application (no fail)
|
|
uses: anchore/scan-action@v6
|
|
id: scan_app
|
|
with:
|
|
path: "."
|
|
fail-build: false
|
|
only-fixed: false
|
|
severity-cutoff: critical
|
|
- name: Upload application scan report
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: ${{ steps.scan_app.outputs.sarif }}
|
|
category: app
|
|
- name: Inspect application scan report
|
|
run: cat ${{ steps.scan_app.outputs.sarif }}
|
|
- name: Scan application
|
|
uses: anchore/scan-action@v6
|
|
with:
|
|
path: "."
|
|
fail-build: true
|
|
only-fixed: false
|
|
severity-cutoff: critical
|