Examples docker images BoM/CVE scan on manual event #16
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (C) 2024 Intel Corporation | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: Examples docker images BoM/CVE scan on manual event | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| node: | |
| default: "gaudi" | |
| description: "Hardware to run scan" | |
| required: true | |
| type: string | |
| examples: | |
| default: "ChatQnA" | |
| description: 'List of examples to scan [AudioQnA,ChatQnA,CodeGen,CodeTrans,DocSum,FaqGen,SearchQnA,Translation]' | |
| required: false | |
| type: string | |
| images: | |
| default: "gmcmanager,gmcrouter" | |
| description: 'List of images to scan [gmcmanager,gmcrouter, ...]' | |
| required: false | |
| type: string | |
| tag: | |
| default: "latest" | |
| description: "Tag for images to scan" | |
| required: true | |
| type: string | |
| sbom_scan: | |
| default: true | |
| description: 'Scan images for BoM' | |
| required: false | |
| type: boolean | |
| trivy_scan: | |
| default: true | |
| description: 'Scan images for CVE' | |
| required: false | |
| type: boolean | |
| permissions: read-all | |
| jobs: | |
| get-image-list: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.scan-matrix.outputs.matrix }} | |
| steps: | |
| - name: Checkout out Repo | |
| uses: actions/checkout@v4 | |
| - name: Set Matrix | |
| id: scan-matrix | |
| run: | | |
| image_list=[] | |
| if [[ ! -z "${{ inputs.examples }}" ]]; then | |
| pip install yq | |
| examples=($(echo ${{ inputs.examples }} | tr ',' ' ')) | |
| for example in ${examples[@]} | |
| do | |
| images=$(cat ${{ github.workspace }}/${example}/docker/docker_build_compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.') | |
| image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images})) | |
| done | |
| fi | |
| if [[ ! -z "${{ inputs.images }}" ]]; then | |
| images=($(echo ${{ inputs.images }} | tr ',' ' ')) | |
| input_image_list=$(printf '%s\n' "${images[@]}" | sort -u | jq -R '.' | jq -sc '.') | |
| image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${input_image_list})) | |
| fi | |
| echo "print image list..." | |
| echo "$image_list" | jq . | jq -r '.[]' | |
| echo "end of image list..." | |
| echo "matrix=$(echo ${image_list} | jq -c '.')" >> $GITHUB_OUTPUT | |
| scan-docker: | |
| needs: get-image-list | |
| runs-on: "docker-build-${{ inputs.node }}" | |
| strategy: | |
| matrix: | |
| image: ${{ fromJson(needs.get-image-list.outputs.matrix) }} | |
| fail-fast: false | |
| steps: | |
| - name: Clean up Working Directory | |
| run: | | |
| sudo rm -rf ${{github.workspace}}/* || true | |
| docker system prune -f | |
| - name: Pull Image | |
| run: | | |
| docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV | |
| - name: SBOM Scan Container | |
| uses: anchore/sbom-action@v0.17.1 | |
| if: ${{ inputs.sbom_scan }} | |
| with: | |
| image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| output-file: ${{ matrix.image }}-sbom-scan.txt | |
| format: 'spdx-json' | |
| - name: Security Scan Container | |
| uses: aquasecurity/trivy-action@0.24.0 | |
| if: ${{ inputs.trivy_scan }} | |
| with: | |
| image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| output: ${{ matrix.image }}-trivy-scan.txt | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Cleanup | |
| if: always() | |
| run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} || true | |
| - name: Collect Logs | |
| if: always() | |
| run: | | |
| mkdir -p /tmp/scan-${{ inputs.tag }}-${GITHUB_RUN_NUMBER} | |
| mv ${{ matrix.image }}-*-scan.txt /tmp/scan-${{ inputs.tag }}-${GITHUB_RUN_NUMBER} | |
| upload-artifacts: | |
| needs: scan-docker | |
| runs-on: "docker-build-${{ inputs.node }}" | |
| steps: | |
| - uses: actions/upload-artifact@v4.3.4 | |
| if: always() | |
| with: | |
| name: sbom-scan-${{ inputs.tag }}-${GITHUB_RUN_NUMBER} | |
| path: /tmp/scan-${{ inputs.tag }}-${GITHUB_RUN_NUMBER}/*-sbom-scan.txt | |
| overwrite: true | |
| - uses: actions/upload-artifact@v4.3.4 | |
| if: always() | |
| with: | |
| name: trivy-scan-${{ inputs.tag }}-${GITHUB_RUN_NUMBER} | |
| path: /tmp/scan-${{ inputs.tag }}-${GITHUB_RUN_NUMBER}/*-trivy-scan.txt | |
| overwrite: true | |
| - name: Remove Logs | |
| if: always() | |
| run: rm -rf /tmp/scan-${{ inputs.tag }}-${GITHUB_RUN_NUMBER} && rm -rf /tmp/sbom-action-* |