Services docker images BoM/CVE scan on manual event #13
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (C) 2024 Intel Corporation | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: Services docker images BoM/CVE scan on manual event | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| services: | |
| default: "asr" | |
| description: "List of services to test [agent_langchain,asr,chathistory_mongo,dataprep_milvus...]" #,embeddings,guardrails,llms,lvms,prompt_registry,ragas,reranks,retrievers,tts,vectorstores,web_retrievers]" | |
| required: false | |
| type: string | |
| images: | |
| default: "" | |
| description: "List of images to scan [dataprep-pgvector,dataprep-pinecone...]" | |
| required: false | |
| type: string | |
| tag: | |
| default: "comps" | |
| description: "Tag to apply to images" | |
| required: true | |
| type: string | |
| sbom-scan: | |
| default: true | |
| description: "Enable sbom-scan" | |
| required: false | |
| type: boolean | |
| trivy-scan: | |
| default: true | |
| description: "Enable trivy-scan" | |
| required: false | |
| type: boolean | |
| mode: | |
| default: "CD" | |
| description: "Whether the test range is CI, CD or CICD" | |
| required: false | |
| type: string | |
| permissions: read-all | |
| jobs: | |
| get-image-list: | |
| uses: ./.github/workflows/_get-image-list.yml | |
| with: | |
| services: ${{ inputs.services }} | |
| images: ${{ inputs.images }} | |
| mode: ${{ inputs.mode }} | |
| scan-docker: | |
| needs: get-image-list | |
| runs-on: "docker-build-gaudi" | |
| strategy: | |
| matrix: | |
| image: ${{ fromJson(needs.get-image-list.outputs.matrix) }} | |
| fail-fast: false | |
| steps: | |
| - name: Pull Image | |
| run: | | |
| docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV | |
| - name: SBOM Scan Container | |
| uses: anchore/[email protected] | |
| if: ${{ fromJSON(inputs.sbom-scan) }} | |
| with: | |
| image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| output-file: ${{ matrix.image }}-sbom-scan.txt | |
| format: "spdx-json" | |
| - name: Security Scan Container | |
| uses: aquasecurity/[email protected] | |
| if: ${{ fromJSON(inputs.trivy-scan) }} | |
| with: | |
| image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| output: ${{ matrix.image }}-trivy-scan.txt | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Cleanup | |
| if: always() | |
| run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| - name: Collect Logs | |
| if: always() | |
| run: | | |
| mkdir -p /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} | |
| mv ${{ matrix.image }}-*-scan.txt /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} | |
| upload-artifacts: | |
| needs: scan-docker | |
| runs-on: "docker-build-gaudi" | |
| if: always() | |
| steps: | |
| - uses: actions/[email protected] | |
| with: | |
| name: sbom-scan-${{ inputs.tag }}-${{ github.run_number }} | |
| path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-sbom-scan.txt | |
| overwrite: true | |
| - uses: actions/[email protected] | |
| with: | |
| name: trivy-scan-${{ inputs.tag }}-${{ github.run_number }} | |
| path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-trivy-scan.txt | |
| overwrite: true | |
| - name: Remove Logs | |
| run: rm -rf /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} && rm -rf /tmp/sbom-action-* |