dangerzone/.github/workflows/scan_released.yml

name: Scan released app and container
on:
  schedule:
    - cron: '0 0 * * *' # Run every day at 00:00 UTC.
  workflow_dispatch:
  push:

jobs:
  security-scan-container:
    strategy:
      matrix:
        include:
          - runs-on: ubuntu-latest
            arch: i686
          - runs-on: macos-latest
            arch: arm64
    runs-on: ${{ matrix.runs-on }}
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Docker and Colima (macOS only)
        if: runner.os == 'macOS'
        run: |
          brew install docker colima qemu
          # LIMACTL_PATH=$(brew --prefix)/bin/limactl
          # sudo curl -L -o $LIMACTL_PATH https://github.com/mikekazakov/lima-nohvf/raw/master/limactl && sudo chmod +x $LIMACTL_PATH
          colima start --network-address --arch arm64 --vm-type=qemu
          # Wait for Docker daemon to be ready
          timeout=30
          while ! docker info >/dev/null 2>&1; do
            if [ $timeout -le 0 ]; then
              echo "Timed out waiting for Docker daemon"
              exit 1
            fi
            timeout=$((timeout-1))
            sleep 1
          done
                    
      - name: Download container image for the latest release and load it
        run: |
          VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | grep "tag_name" | cut -d '"' -f 4)
          CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar.gz
          wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/${CONTAINER_FILENAME} -O ${CONTAINER_FILENAME}
          docker load -i ${CONTAINER_FILENAME}          

      # NOTE: Scan first without failing, else we won't be able to read the scan
      # report.
      - name: Scan container image (no fail)
        uses: anchore/scan-action@v5
        id: scan_container
        with:
          image: "dangerzone.rocks/dangerzone:latest"
          fail-build: false
          only-fixed: false
          severity-cutoff: critical

      - name: Upload container scan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan_container.outputs.sarif }}
          category: container-${{ matrix.arch }}

      - name: Inspect container scan report
        run: cat ${{ steps.scan_container.outputs.sarif }}

      - name: Scan container image
        uses: anchore/scan-action@v5
        with:
          image: "dangerzone.rocks/dangerzone:latest"
          fail-build: true
          only-fixed: false
          severity-cutoff: critical

      - name: Cleanup Colima (macOS only)
        if: runner.os == 'macOS'
        run: colima stop

  security-scan-app:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Checkout the latest released tag
        run: |
          VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
          git checkout $VERSION          
      # NOTE: Scan first without failing, else we won't be able to read the scan
      # report.
      - name: Scan application (no fail)
        uses: anchore/scan-action@v5
        id: scan_app
        with:
          path: "."
          fail-build: false
          only-fixed: false
          severity-cutoff: critical
      - name: Upload application scan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan_app.outputs.sarif }}
          category: app
      - name: Inspect application scan report
        run: cat ${{ steps.scan_app.outputs.sarif }}
      - name: Scan application
        uses: anchore/scan-action@v5
        with:
          path: "."
          fail-build: true
          only-fixed: false
          severity-cutoff: critical