From 7ed0dfdf17515093abdcffa8250082eb1109e9dd Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Fri, 29 Dec 2023 18:56:57 +0200
Subject: [PATCH] WIP: Add Trivy job

---
 .github/workflows/scan.trivy.yml | 70 +++++++++++++++++++++++
 .github/workflows/scan_released.trivy.yml | 60 +++++++++++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 .github/workflows/scan.trivy.yml
 create mode 100644 .github/workflows/scan_released.trivy.yml

diff --git a/.github/workflows/scan.trivy.yml b/.github/workflows/scan.trivy.yml
new file mode 100644
index 000000000..531d27dae
--- /dev/null
+++ b/.github/workflows/scan.trivy.yml
@@ -0,0 +1,70 @@
+name: Scan latest app and container (Trivy)
+on:
+  push:
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * *' # Run every day at 00:00 UTC.
+
+jobs:
+  security-scan-container:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Build container image
+        run: docker build dangerzone/ -f Dockerfile --tag dangerzone.rocks/dangerzone:latest
+      # NOTE: Scan first without failing, else we won't be able to read the scan
+      # report.
+      - name: Scan container image (no fail)
+        uses: anchore/scan-action@v3
+        id: scan_container
+        with:
+          image: "dangerzone.rocks/dangerzone:latest"
+          fail-build: false
+          only-fixed: false
+          severity-cutoff: critical
+      - name: Upload container scan report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan_container.outputs.sarif }}
+          category: container
+      - name: Inspect container scan report
+        run: cat ${{ steps.scan_container.outputs.sarif }}
+      - name: Scan container image
+        uses: anchore/scan-action@v3
+        with:
+          image: "dangerzone.rocks/dangerzone:latest"
+          fail-build: true
+          only-fixed: false
+          severity-cutoff: critical
+
+  security-scan-app:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      # NOTE: Scan first without failing, else we won't be able to read the scan
+      # report.
+      - name: Scan application (no fail)
+        uses: anchore/scan-action@v3
+        id: scan_app
+        with:
+          path: "."
+          fail-build: false
+          only-fixed: false
+          severity-cutoff: critical
+      - name: Upload application scan report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan_app.outputs.sarif }}
+          category: app
+      - name: Inspect application scan report
+        run: cat ${{ steps.scan_app.outputs.sarif }}
+      - name: Scan application
+        uses: anchore/scan-action@v3
+        with:
+          path: "."
+          fail-build: true
+          only-fixed: false
+          severity-cutoff: critical
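Review bot: Every third-party action in this workflow is referenced by a mutable tag (`anchore/scan-action@v3`, `github/codeql-action/upload-sarif@v2`, `actions/checkout@v3`), so whoever can move that tag can change the code that runs with this repository's token; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: anchore/scan-action@<full-sha> # v3.x.y`. The `upload-sarif` steps need `security-events: write`, which the workflow never requests, so the upload depends on the repository's default token scope and will fail outright on pull requests from forks (read-only token); add a top-level `permissions:` block with `contents: read` and `security-events: write` so the grant is explicit and least-privilege. The workflow name says Trivy but every scan step here uses Anchore's scan-action, which is presumably the WIP state — rename the workflow or swap the action before merging so the uploaded SARIF categories match the tool that produced them. The two scan-then-scan-again passes per job also double the scanner runtime; a single `fail-build: false` scan followed by a step that inspects the output and exits non-zero on findings would keep the report readable without the second run.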
diff --git a/.github/workflows/scan_released.trivy.yml b/.github/workflows/scan_released.trivy.yml
new file mode 100644
index 000000000..a3c6cc128
--- /dev/null
+++ b/.github/workflows/scan_released.trivy.yml
@@ -0,0 +1,60 @@
+name: Scan released app and container (Trivy)
+on:
+  push:
+  schedule:
+    - cron: '0 0 * * *' # Run every day at 00:00 UTC.
+
+jobs:
+  security-scan-container:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Download container image for the latest release
+        run: |
+          VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
+          wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
+      - name: Scan container image
+        uses: aquasecurity/trivy-action@master
+        with:
+          input: /github/workspace/container.tar.gz
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+      - name: Upload container scan report
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+          category: container
+      - name: Inspect container scan report
+        if: always()
+        run: cat trivy-results.sarif
+
+  security-scan-app:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Checkout the latest released tag
+        run: |
+          VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
+          git checkout $VERSION
+      - name: Scan application
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+      - name: Upload application scan report
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+          category: app
+      - name: Inspect application scan report
+        if: always()
+        run: cat trivy-results.sarif
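Review bot: `uses: aquasecurity/trivy-action@master` in both scan steps runs whatever is on that branch at the moment the job starts, with no review on this side, which is the weakest possible pin for a third-party action that receives the repository token; pin it to a full commit SHA with the release in a comment, e.g. `uses: aquasecurity/trivy-action@<full-sha> # v0.x.y`, and do the same for `actions/checkout@v3` and `upload-sarif@v2`. The unauthenticated `curl` in both "latest release" steps has no `-f`/`-s` flags and no token, so on a rate-limit or error response `jq` yields `null` and the job fails only later with a confusing 404 from `wget` or `git checkout`; change it to `VERSION=$(curl -fsSL -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')` and follow it with `test -n "$VERSION" && test "$VERSION" != "null"` before using it. The release tarball is downloaded and handed to the scanner without any checksum or signature check; if the release publishes one, verify it here so a tampered asset cannot silently produce a clean report. Neither Trivy step sets `exit-code`, so if trivy-action keeps its default the job will report CRITICAL findings but never fail on them — if that is not the intent, add `exit-code: "1"` under `with:` (the `if: always()` on the upload steps suggests a failure was expected).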