-
Notifications
You must be signed in to change notification settings - Fork 180
113 lines (102 loc) · 3.55 KB
/
manual-docker-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
name: Examples docker images BoM/CVE scan on manual event
on:
workflow_dispatch:
inputs:
node:
default: "gaudi"
description: "Hardware to run scan"
required: true
type: string
examples:
default: "ChatQnA"
description: 'List of examples to scan [AudioQnA,ChatQnA,CodeGen,CodeTrans,DocSum,FaqGen,SearchQnA,Translation]'
required: false
type: string
images:
default: "gmcmanager,gmcrouter"
description: 'List of images to scan [gmcmanager,gmcrouter, ...]'
required: false
type: string
tag:
default: "latest"
description: "Tag for images to scan"
required: true
type: string
sbom_scan:
default: true
description: 'Scan images for BoM'
required: false
type: boolean
trivy_scan:
default: true
description: 'Scan images for CVE'
required: false
type: boolean
permissions: read-all
jobs:
get-image-list:
uses: ./.github/workflows/_get-image-list.yml
with:
examples: ${{ inputs.examples }}
images: ${{ inputs.images }}
scan-docker:
needs: get-image-list
runs-on: "docker-build-${{ inputs.node }}"
strategy:
matrix:
image: ${{ fromJson(needs.get-image-list.outputs.matrix) }}
fail-fast: false
steps:
- name: Clean up Working Directory
run: |
sudo rm -rf ${{github.workspace}}/* || true
docker system prune -f
- name: Pull Image
run: |
docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
- name: SBOM Scan Container
uses: anchore/sbom-action@v0.17.1
if: ${{ inputs.sbom_scan }}
with:
image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output-file: ${{ matrix.image }}-sbom-scan.txt
format: 'spdx-json'
- name: Security Scan Container
uses: aquasecurity/trivy-action@0.24.0
if: ${{ inputs.trivy_scan }}
with:
image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output: ${{ matrix.image }}-trivy-scan.txt
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Cleanup
if: always()
run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} || true
- name: Collect Logs
if: always()
run: |
mkdir -p /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
mv ${{ matrix.image }}-*-scan.txt /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
upload-artifacts:
needs: scan-docker
runs-on: "docker-build-${{ inputs.node }}"
if: always()
steps:
- uses: actions/upload-artifact@v4.3.4
with:
name: sbom-scan-${{ inputs.tag }}-${{ github.run_number }}
path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-sbom-scan.txt
overwrite: true
- uses: actions/upload-artifact@v4.3.4
with:
name: trivy-scan-${{ inputs.tag }}-${{ github.run_number }}
path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-trivy-scan.txt
overwrite: true
- name: Remove Logs
run: rm -rf /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} && rm -rf /tmp/sbom-action-*