Security Scanner to build using build-image.py

freedomofpress · Dec 19, 2023 · a936545 · a936545
1 parent 75d4098
commit a936545
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -13,7 +13,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
       - name: Build container image
-        run: docker build dangerzone/ -f Dockerfile --tag dangerzone.rocks/dangerzone:latest
+        run: sudo apt install pipx && pipx install poetry && python3 ./install/common/build-image.py
       # NOTE: Scan first without failing, else we won't be able to read the scan
       # report.
       - name: Scan container image (no fail)

diff --git a/install/common/build-image.py b/install/common/build-image.py
@@ -72,9 +72,12 @@ def main():
 
 
 def export_container_pip_dependencies():
-    container_requirements_txt = subprocess.check_output(
-        ["poetry", "export", "--only", "container"], universal_newlines=True
-    )
+    try:
+        container_requirements_txt = subprocess.check_output(
+            ["poetry", "export", "--only", "container"], universal_newlines=True
+        )
+    except subprocess.CalledProcessError as e:
+        print("FAILURE", e.returncode, e.output)
     # XXX Export container dependencies and exclude pymupdfb since it is not needed in container
     req_txt_pymupdfb_stripped = container_requirements_txt.split("pymupdfb")[0]
     with open(Path(BUILD_CONTEXT) / REQUIREMENTS_TXT, "w") as f: