almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-05-06 13:31:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
dangerzone/.github/workflows/scan.yml
Workflow config file is invalid. Please check your config file: yaml: unmarshal errors: line 50: mapping key "fail-build" already defined at line 49
Alex Pyrgiotis bd72b6a93b
ci: Work with image tarballs that are not tagged as 'latest' 
Now that our image tarball is not tagged as 'latest', we must first grab
the image tag first, and then refer to it. We can grab the tag either
from `share/image-id.txt` (if available) or with:

    docker load dangerzone.rocks/dangerzone --format {{ .Tag }}
2024-12-04 18:11:44 +02:00

82 lines
2.6 KiB
YAML
Raw Blame History

name: Scan latest app and container
on:
push:
branches:
- main
pull_request:
schedule:
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
workflow_dispatch:
jobs:
security-scan-container:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install container build dependencies
run: sudo apt install pipx && pipx install poetry
- name: Build container image
run: python3 ./install/common/build-image.py --runtime docker --no-save
- name: Get image tag
id: tag
run: |
tag=$(docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}')
echo "tag=$tag" >> $GITHUB_OUTPUT
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan container image (no fail)
uses: anchore/scan-action@v5
id: scan_container
with:
image: "dangerzone.rocks/dangerzone:{{ steps.tag.outputs.tag }}"
fail-build: false
only-fixed: false
severity-cutoff: critical
- name: Upload container scan report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan_container.outputs.sarif }}
category: container
- name: Inspect container scan report
run: cat ${{ steps.scan_container.outputs.sarif }}
- name: Scan container image
uses: anchore/scan-action@v5
with:
image: "dangerzone.rocks/dangerzone:{{ steps.tag.outputs.tag }}"
fail-build: false
fail-build: true
only-fixed: false
severity-cutoff: critical
security-scan-app:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan application (no fail)
uses: anchore/scan-action@v5
id: scan_app
with:
path: "."
fail-build: false
only-fixed: false
severity-cutoff: critical
- name: Upload application scan report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan_app.outputs.sarif }}
category: app
- name: Inspect application scan report
run: cat ${{ steps.scan_app.outputs.sarif }}
- name: Scan application
uses: anchore/scan-action@v5
with:
path: "."
fail-build: true
only-fixed: false
severity-cutoff: critical
Reference in a new issue View git blame Copy permalink