optimize image scan cd workflow (#699)

Signed-off-by: chensuyue <[email protected]>

.github/workflows/_example-workflow.yml

@@ -20,10 +20,6 @@ on:
         default: true
         required: false
         type: boolean
-      scan:
-        default: true
-        required: false
-        type: boolean
       test_compose:
         default: false
         required: false
@@ -75,56 +71,6 @@ jobs:
           registry: ${OPEA_IMAGE_REPO}opea
           tag: ${{ inputs.tag }}
 
-####################################################################################################
-# Trivy Scan
-####################################################################################################
-  get-image-list:
-    needs: [build-images]
-    if: ${{ fromJSON(inputs.scan) && inputs.node == 'gaudi' }}
-    runs-on: ubuntu-latest
-    outputs:
-      matrix: ${{ steps.scan-matrix.outputs.matrix }}
-    steps:
-      - name: Checkout out Repo
-        uses: actions/checkout@v4
-
-      - name: Set Matrix
-        id: scan-matrix
-        run: |
-          pip install yq
-          compose_path=${{ github.workspace }}/${{ inputs.example }}/docker/docker_build_compose.yaml
-          echo "matrix=$(cat ${compose_path} | yq -r '.[]' | jq 'keys' | jq -c '.')" >> $GITHUB_OUTPUT
-
-  scan-images:
-    needs: [get-image-list, build-images]
-    if: ${{ fromJSON(inputs.scan) && inputs.node == 'gaudi'}}
-    runs-on: "docker-build-${{ inputs.node }}"
-    strategy:
-      matrix:
-        image: ${{ fromJSON(needs.get-image-list.outputs.matrix) }}
-      fail-fast: false
-    steps:
-      - name: Pull Image
-        run: |
-          docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
-          echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
-
-      - name: Scan Container
-        uses: opea-project/validation/actions/trivy-scan@main
-        with:
-          image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
-          output: ${{ matrix.image }}-scan.txt
-
-      - name: Cleanup
-        if: always()
-        run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
-
-      - uses: actions/[email protected]
-        with:
-          name: ${{ matrix.image }}-scan
-          path: ${{ matrix.image }}-scan.txt
-          overwrite: true
-
 ####################################################################################################
 # Docker Compose Test
 ####################################################################################################

.github/workflows/manual-bom-scan.yml → .github/workflows/manual-docker-scan.yml

@@ -1,25 +1,40 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
-name: Examples docker images BoM scan on manual event
+name: Examples docker images BoM/CVE scan on manual event
 on:
   workflow_dispatch:
     inputs:
       node:
         default: "gaudi"
-        description: "Hardware to run test"
+        description: "Hardware to run scan"
         required: true
         type: string
       examples:
         default: "ChatQnA"
-        description: 'List of examples to test [AudioQnA,ChatQnA,CodeGen,CodeTrans,DocSum,FaqGen,SearchQnA,Translation]'
+        description: 'List of examples to scan [AudioQnA,ChatQnA,CodeGen,CodeTrans,DocSum,FaqGen,SearchQnA,Translation]'
         required: true
         type: string
+      images:
+        default: ""
+        description: 'List of images to scan'
+        required: false
+        type: string
       tag:
         default: "latest"
-        description: "Tag to apply to images"
+        description: "Tag for images to scan"
         required: true
         type: string
+      sbom_scan:
+        default: true
+        description: 'Scan images for BoM'
+        required: false
+        type: boolean
+      trivy_scan:
+        default: true
+        description: 'Scan images for CVE'
+        required: false
+        type: boolean
 
 permissions: read-all
 jobs:
@@ -34,18 +49,28 @@ jobs:
       - name: Set Matrix
         id: scan-matrix
         run: |
-          pip install yq
-          examples=($(echo ${{ inputs.examples }} | tr ',' ' '))
-          image_list=[]
-          for example in ${examples[@]}
-          do
-              images=$(cat ${{ github.workspace }}/${example}/docker/docker_build_compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.')
-              image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images}))
-          done
+          if [[ ! -z "${{ inputs.images }}" ]]; then
+              images=($(echo ${{ inputs.images }} | tr ',' ' '))
+              image_list=$(printf '%s\n' "${images[@]}" | sort -u | jq -R '.' | jq -sc '.')
+          else
+              pip install yq
+              examples=($(echo ${{ inputs.examples }} | tr ',' ' '))
+              image_list=[]
+              for example in ${examples[@]}
+              do
+                  images=$(cat ${{ github.workspace }}/${example}/docker/docker_build_compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.')
+                  image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images}))
+              done
+          fi
+
+          echo "print image list..."
+          echo "$image_list" | jq . | jq -r '.[]'
+          echo "end of image list..."
           echo "matrix=$(echo ${image_list} | jq -c '.')" >> $GITHUB_OUTPUT
 
   scan-license:
     needs: get-image-list
+    if: ${{ fromJSON(inputs.sbom_scan) }} || ${{ fromJSON(inputs.trivy_scan) }}
     runs-on: "docker-build-${{ inputs.node }}"
     strategy:
       matrix:
@@ -59,15 +84,15 @@ jobs:
 
       - name: SBOM Scan Container
         uses: anchore/[email protected]
-        if: always()
+        if: always() && ${{ inputs.sbom_scan }}
         with:
           image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
           output-file: ${{ matrix.image }}-sbom-scan.txt
           format: 'spdx-json'
 
       - name: Security Scan Container
         uses: aquasecurity/[email protected]
-        if: always()
+        if: always() && ${{ inputs.trivy_scan }}
         with:
           image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
           output: ${{ matrix.image }}-trivy-scan.txt
@@ -82,8 +107,15 @@ jobs:
         run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
 
       - uses: actions/[email protected]
-        if: always()
+        if: always() && (${{ inputs.sbom_scan }}
+        with:
+          name: sbom-scan
+          path: ${{ matrix.image }}-*-sbom-scan.txt
+          overwrite: true
+
+      - uses: actions/[email protected]
+        if: always() && (${{ inputs.trivy_scan }}
         with:
-          name: ${{ matrix.image }}-scan
-          path: ${{ matrix.image }}-*-scan.txt
+          name: trivy-scan
+          path: ${{ matrix.image }}-*-trivy-scan.txt
           overwrite: true

.github/workflows/manual-example-workflow.yml

@@ -30,11 +30,6 @@ on:
         description: 'Build test required images for Examples'
         required: false
         type: boolean
-      scan:
-        default: true
-        description: 'Scan all images with Trivy'
-        required: false
-        type: boolean
       test_compose:
         default: true
         description: 'Test examples with docker compose'
@@ -102,7 +97,6 @@ jobs:
       example: ${{ matrix.example }}
       tag: ${{ inputs.tag }}
       build: ${{ fromJSON(inputs.build) }}
-      scan: ${{ fromJSON(inputs.scan) }}
       test_compose: ${{ fromJSON(inputs.test_compose) }}
       test_k8s: ${{ fromJSON(inputs.test_k8s) }}
       test_gmc: ${{ fromJSON(inputs.test_gmc) }}