mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-05-02 11:42:23 +02:00
7f50ad2e48
Our security scans previously alerted us on critical CVEs that have a fix. In this commit, we ask to be alerted on CVEs that don't have a fix yet, so that we can have them in our radar. Since the introduction of these security checks, we have only once encountered a case where our container was vulnerable to a CVE that Alpine Linux had not fixed yet. This means that the maintenance burden of this change will probably be minimal.
70 lines
2.2 KiB
YAML
70 lines
2.2 KiB
YAML
name: Scan latest app and container
|
|
on:
|
|
push:
|
|
pull_request:
|
|
branches: [ main ]
|
|
schedule:
|
|
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
|
|
|
jobs:
|
|
security-scan-container:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
- name: Build container image
|
|
run: docker build dangerzone/ -f Dockerfile --tag dangerzone.rocks/dangerzone:latest
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan container image (no fail)
|
|
uses: anchore/scan-action@v3
|
|
id: scan_container
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:latest"
|
|
fail-build: false
|
|
only-fixed: false
|
|
severity-cutoff: critical
|
|
- name: Upload container scan report
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: ${{ steps.scan_container.outputs.sarif }}
|
|
category: container
|
|
- name: Inspect container scan report
|
|
run: cat ${{ steps.scan_container.outputs.sarif }}
|
|
- name: Scan container image
|
|
uses: anchore/scan-action@v3
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:latest"
|
|
fail-build: true
|
|
only-fixed: false
|
|
severity-cutoff: critical
|
|
|
|
security-scan-app:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan application (no fail)
|
|
uses: anchore/scan-action@v3
|
|
id: scan_app
|
|
with:
|
|
path: "."
|
|
fail-build: false
|
|
only-fixed: false
|
|
severity-cutoff: critical
|
|
- name: Upload application scan report
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: ${{ steps.scan_app.outputs.sarif }}
|
|
category: app
|
|
- name: Inspect application scan report
|
|
run: cat ${{ steps.scan_app.outputs.sarif }}
|
|
- name: Scan application
|
|
uses: anchore/scan-action@v3
|
|
with:
|
|
path: "."
|
|
fail-build: true
|
|
only-fixed: false
|
|
severity-cutoff: critical
|