mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
814d533c3b
The files in `container/` no longer make sense to have that name since
the "document to pixels" part will run in Qubes OS in its own virtual
machine.
To adapt to this, this PR does the following:
- Moves all the files in `container` to `dangerzone/conversion`
- Splits the old `container/dangerzone.py` into its two components
`dangerzone/conversion/{doc_to_pixels,pixels_to_pdf}.py` with a
`common.py` file for shared functions
- Moves the Dockerfile to the project root and adapts it to the new
container code location
- Updates the CircleCI config to properly cache Docker images.
- Updates our install scripts to properly build Docker images.
- Adds the new conversion module to the container image, so that it can
be imported as a package.
- Adapts the container isolation provider to use the new way of calling
the code.
NOTE: We have made zero changes to the conversion code in this commit,
except for necessary imports in order to factor out some common parts.
Any changes necessary for Qubes integration follow in the subsequent
commits.
70 lines
2.2 KiB
YAML
70 lines
2.2 KiB
YAML
name: Scan latest app and container
|
|
on:
|
|
push:
|
|
pull_request:
|
|
branches: [ main ]
|
|
schedule:
|
|
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
|
|
|
jobs:
|
|
security-scan-container:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
- name: Build container image
|
|
run: docker build dangerzone/ -f Dockerfile --tag dangerzone.rocks/dangerzone:latest
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan container image (no fail)
|
|
uses: anchore/scan-action@v3
|
|
id: scan_container
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:latest"
|
|
fail-build: false
|
|
only-fixed: true
|
|
severity-cutoff: critical
|
|
- name: Upload container scan report
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: ${{ steps.scan_container.outputs.sarif }}
|
|
category: container
|
|
- name: Inspect container scan report
|
|
run: cat ${{ steps.scan_container.outputs.sarif }}
|
|
- name: Scan container image
|
|
uses: anchore/scan-action@v3
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:latest"
|
|
fail-build: true
|
|
only-fixed: true
|
|
severity-cutoff: critical
|
|
|
|
security-scan-app:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan application (no fail)
|
|
uses: anchore/scan-action@v3
|
|
id: scan_app
|
|
with:
|
|
path: "."
|
|
fail-build: false
|
|
only-fixed: true
|
|
severity-cutoff: critical
|
|
- name: Upload application scan report
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: ${{ steps.scan_app.outputs.sarif }}
|
|
category: app
|
|
- name: Inspect application scan report
|
|
run: cat ${{ steps.scan_app.outputs.sarif }}
|
|
- name: Scan application
|
|
uses: anchore/scan-action@v3
|
|
with:
|
|
path: "."
|
|
fail-build: true
|
|
only-fixed: true
|
|
severity-cutoff: critical
|