Skip to content

Services docker images BoM/CVE scan on manual event #6

Services docker images BoM/CVE scan on manual event

Services docker images BoM/CVE scan on manual event #6

# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
name: Services docker images BoM/CVE scan on manual event
on:
workflow_dispatch:
inputs:
services:
default: "asr"
description: "List of services to test [agent_langchain,asr,chathistory_mongo,dataprep_milvus...]" #,embeddings,guardrails,llms,lvms,prompt_registry,ragas,reranks,retrievers,tts,vectorstores,web_retrievers]"
required: false
type: string
images:
default: ""
description: "List of images to scan [dataprep-pgvector,dataprep-pinecone...]"
required: false
type: string
tag:
default: "comps"
description: "Tag to apply to images"
required: true
type: string
sbom-scan:
default: true
description: "Enable sbom-scan"
required: false
type: boolean
trivy-scan:
default: true
description: "Enable trivy-scan"
required: false
type: boolean
mode:
default: "CD"
description: "Whether the test range is CI or CD"
required: false
type: string
permissions: read-all
jobs:
get-image-list:
uses: ./.github/workflows/_get-image-list.yml
with:
services: ${{ inputs.services }}
images: ${{ inputs.images }}
mode: ${{ inputs.mode }}
scan-docker:
needs: get-image-list
runs-on: "docker-build-gaudi"
strategy:
matrix:
image: ${{ fromJson(needs.get-image-list.outputs.matrix) }}
fail-fast: false
steps:
- name: Pull Image
run: |
docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
- name: SBOM Scan Container
uses: anchore/[email protected]
if: ${{ fromJSON(inputs.sbom-scan) }}
with:
image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output-file: ${{ matrix.image }}-sbom-scan.txt
format: "spdx-json"
- name: Security Scan Container
uses: aquasecurity/[email protected]
if: ${{ fromJSON(inputs.trivy-scan) }}
with:
image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output: ${{ matrix.image }}-trivy-scan.txt
format: "table"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
- name: Cleanup
if: always()
run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
- name: Collect Logs
if: always()
run: |
mkdir -p /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
mv ${{ matrix.image }}-*-scan.txt /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
upload-artifacts:
needs: scan-docker
runs-on: "docker-build-gaudi"
if: always()
steps:
- uses: actions/[email protected]
with:
name: sbom-scan-${{ inputs.tag }}-${{ github.run_number }}
path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-sbom-scan.txt
overwrite: true
- uses: actions/[email protected]
with:
name: trivy-scan-${{ inputs.tag }}-${{ github.run_number }}
path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-trivy-scan.txt
overwrite: true
- name: Remove Logs
run: rm -rf /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} && rm -rf /tmp/sbom-action-*