Skip to content

Commit

Permalink
ci: Add security scanning
Browse files Browse the repository at this point in the history 
Add two GitHub Actions workflows, that perform the following checks:

* Security scan the Python dependencies of the Dangerzone application
  (`poetry.lock`), for the current/main branch.
* Build and security scan the Dangerzone container image for the
  current/main branch.
* Security scan the Python dependencies of the Dangerzone application
  (`poetry.lock`), for the latest release of Dangerzone (currently
  v0.4.1).
* Download and security scan the Dangerzone container image for the
  latest release of Dangerzone (currently v0.4.1).

The first two checks will run on branch pushes, PRs, and nightly. The
last two checks will run only nightly, since the code in the current
branch cannot affect already released artifacts.

Also, besides the security scans, these workflows will also update the
Security alerts in the GitHub page for the Dangerzone project, and print
the SARIF report to the stdout, for debugging purposes.

Closes #222
  • Loading branch information
@apyrgio
apyrgio committed May 17, 2023
1 parent 1a82962 commit 75be9b5
Show file tree
Hide file tree
Showing 3 changed files with 152 additions and 0 deletions.
70 changes: 70 additions & 0 deletions .github/workflows/scan.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
name: Scan latest app and container
on:
push:
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * *' # Run every day at 00:00 UTC.

jobs:
security-scan-container:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Build container image
run: docker build container --tag dangerzone.rocks/dangerzone:latest
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan container image (no fail)
uses: anchore/scan-action@v3
id: scan_container
with:
image: "dangerzone.rocks/dangerzone:latest"
fail-build: false
only-fixed: true
severity-cutoff: critical
- name: Upload container scan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan_container.outputs.sarif }}
category: container
- name: Inspect container scan report
run: cat ${{ steps.scan_container.outputs.sarif }}
- name: Scan container image
uses: anchore/scan-action@v3
with:
image: "dangerzone.rocks/dangerzone:latest"
fail-build: true
only-fixed: true
severity-cutoff: critical

security-scan-app:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan application (no fail)
uses: anchore/scan-action@v3
id: scan_app
with:
path: "."
fail-build: false
only-fixed: true
severity-cutoff: critical
- name: Upload application scan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan_app.outputs.sarif }}
category: app
- name: Inspect application scan report
run: cat ${{ steps.scan_app.outputs.sarif }}
- name: Scan application
uses: anchore/scan-action@v3
with:
path: "."
fail-build: true
only-fixed: true
severity-cutoff: critical
77 changes: 77 additions & 0 deletions .github/workflows/scan_released.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
name: Scan released app and container
on:
schedule:
- cron: '0 0 * * *' # Run every day at 00:00 UTC.

jobs:
security-scan-container:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Download container image for the latest release
run: |
VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
- name: Load container image
run: docker load -i container.tar.gz
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan container image (no fail)
uses: anchore/scan-action@v3
id: scan_container
with:
image: "dangerzone.rocks/dangerzone:latest"
fail-build: false
only-fixed: true
severity-cutoff: critical
- name: Upload container scan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan_container.outputs.sarif }}
category: container
- name: Inspect container scan report
run: cat ${{ steps.scan_container.outputs.sarif }}
- name: Scan container image
uses: anchore/scan-action@v3
with:
image: "dangerzone.rocks/dangerzone:latest"
fail-build: true
only-fixed: true
severity-cutoff: critical

security-scan-app:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Checkout the latest released tag
run: |
VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
git checkout $VERSION
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan application (no fail)
uses: anchore/scan-action@v3
id: scan_app
with:
path: "."
fail-build: false
only-fixed: true
severity-cutoff: critical
- name: Upload application scan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan_app.outputs.sarif }}
category: app
- name: Inspect application scan report
run: cat ${{ steps.scan_app.outputs.sarif }}
- name: Scan application
uses: anchore/scan-action@v3
with:
path: "."
fail-build: true
only-fixed: true
severity-cutoff: critical
5 changes: 5 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or

## [Unreleased]

### Security

- Continuously scan our Python dependencies and container image for
vulnerabilities ([issue #222](https://github.com/freedomofpress/dangerzone/issues/222))

## Dangerzone 0.4.1

### Added
Expand Down

0 comments on commit 75be9b5

Please sign in to comment.