mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
75be9b5c00
Add two GitHub Actions workflows, that perform the following checks: * Security scan the Python dependencies of the Dangerzone application (`poetry.lock`), for the current/main branch. * Build and security scan the Dangerzone container image for the current/main branch. * Security scan the Python dependencies of the Dangerzone application (`poetry.lock`), for the latest release of Dangerzone (currently v0.4.1). * Download and security scan the Dangerzone container image for the latest release of Dangerzone (currently v0.4.1). The first two checks will run on branch pushes, PRs, and nightly. The last two checks will run only nightly, since the code in the current branch cannot affect already released artifacts. Also, besides the security scans, these workflows will also update the Security alerts in the GitHub page for the Dangerzone project, and print the SARIF report to the stdout, for debugging purposes. Closes #222
77 lines
2.6 KiB
YAML
77 lines
2.6 KiB
YAML
name: Scan released app and container
|
|
on:
|
|
schedule:
|
|
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
|
|
|
jobs:
|
|
security-scan-container:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
- name: Download container image for the latest release
|
|
run: |
|
|
VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
|
|
wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
|
|
- name: Load container image
|
|
run: docker load -i container.tar.gz
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan container image (no fail)
|
|
uses: anchore/scan-action@v3
|
|
id: scan_container
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:latest"
|
|
fail-build: false
|
|
only-fixed: true
|
|
severity-cutoff: critical
|
|
- name: Upload container scan report
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: ${{ steps.scan_container.outputs.sarif }}
|
|
category: container
|
|
- name: Inspect container scan report
|
|
run: cat ${{ steps.scan_container.outputs.sarif }}
|
|
- name: Scan container image
|
|
uses: anchore/scan-action@v3
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:latest"
|
|
fail-build: true
|
|
only-fixed: true
|
|
severity-cutoff: critical
|
|
|
|
security-scan-app:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Checkout the latest released tag
|
|
run: |
|
|
VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
|
|
git checkout $VERSION
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan application (no fail)
|
|
uses: anchore/scan-action@v3
|
|
id: scan_app
|
|
with:
|
|
path: "."
|
|
fail-build: false
|
|
only-fixed: true
|
|
severity-cutoff: critical
|
|
- name: Upload application scan report
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: ${{ steps.scan_app.outputs.sarif }}
|
|
category: app
|
|
- name: Inspect application scan report
|
|
run: cat ${{ steps.scan_app.outputs.sarif }}
|
|
- name: Scan application
|
|
uses: anchore/scan-action@v3
|
|
with:
|
|
path: "."
|
|
fail-build: true
|
|
only-fixed: true
|
|
severity-cutoff: critical
|