diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index abfcae5..1c25f30 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -9,7 +9,7 @@ on:
   workflow_dispatch:
 
 jobs:
-  scan-python:
+  scan:
     name: Scan Python official base image
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
@@ -32,62 +32,12 @@ jobs: template: "@.github/workflows/scan/html.tpl" exit-code: '1' ignore-unfixed: true - output: "trivy-results-python.html" + output: "trivy-results.html" - name: Upload Artifact uses: actions/upload-artifact@v4 if: always() with: - name: trivy-results-python - path: trivy-results-python.html + name: trivy-results + path: trivy-results.html retention-days: 90 - - scan-ubi: - name: Scan Red Hat UBI base image - runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - sparse-checkout: | - .github/workflows/scan/html.tpl - sparse-checkout-cone-mode: false - - - name: Run Trivy vulnerability scanner for UBI image - uses: aquasecurity/trivy-action@0.16.1 - with: - image-ref: "ghcr.io/jim60105/whisperx:ubi-no_model" - vuln-type: "os,library" - scanners: vuln - severity: "CRITICAL,HIGH" - format: "template" - template: "@.github/workflows/scan/html.tpl" - ignore-unfixed: true - output: "trivy-results-ubi.html" - - - name: Upload Artifact - uses: actions/upload-artifact@v4 - with: - name: trivy-results-ubi - path: trivy-results-ubi.html - retention-days: 90 - - - name: Run Trivy vulnerability scanner for UBI image (SARIF) - uses: aquasecurity/trivy-action@master - if: always() - with: - image-ref: "ghcr.io/jim60105/whisperx:ubi-no_model" - vuln-type: "os,library" - scanners: vuln - severity: "CRITICAL,HIGH" - format: 'sarif' - exit-code: '1' - ignore-unfixed: true - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - if: always() - with: - sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/scan_ubi.yml b/.github/workflows/scan_ubi.yml new file mode 100644 index 0000000..f753b01 --- /dev/null +++ b/.github/workflows/scan_ubi.yml 
@@ -0,0 +1,60 @@
+name: scan
+
+on:
+  workflow_run:
+    workflows: [docker_publish]
+    types: [completed]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  scan-ubi:
+    name: Scan Red Hat UBI base image
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            .github/workflows/scan/html.tpl
+          sparse-checkout-cone-mode: false
+
+      - name: Run Trivy vulnerability scanner for UBI image
+        uses: aquasecurity/trivy-action@0.16.1
+        with:
+          image-ref: "ghcr.io/jim60105/whisperx:ubi-no_model"
+          vuln-type: "os,library"
+          scanners: vuln
+          severity: "CRITICAL,HIGH"
+          format: "template"
+          template: "@.github/workflows/scan/html.tpl"
+          ignore-unfixed: true
+          output: "trivy-results-ubi.html"
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-results-ubi
+          path: trivy-results-ubi.html
+          retention-days: 90
+
+      - name: Run Trivy vulnerability scanner for UBI image (SARIF)
+        uses: aquasecurity/trivy-action@master
+        if: always()
+        with:
+          image-ref: "ghcr.io/jim60105/whisperx:ubi-no_model"
+          vuln-type: "os,library"
+          scanners: vuln
+          severity: "CRITICAL,HIGH"
+          format: 'sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/README.md b/README.md
index 2641032..196900c 100644
--- a/README.md
+++ b/README.md
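Review bot: The SARIF step uses `uses: aquasecurity/trivy-action@master` while the HTML step two blocks above pins `@0.16.1`; in a workflow that runs a third-party scanner against a published image and pushes results into the Security tab, a floating branch ref means any future push to that action's master branch executes in this job unreviewed. Pin both steps to the same release, `uses: aquasecurity/trivy-action@0.16.1` (better still, the commit SHA behind that tag with the version as a trailing comment), so the two scans also stay on the same Trivy version. The file declares no `permissions:` block; `github/codeql-action/upload-sarif` needs `security-events: write`, which the default `GITHUB_TOKEN` may or may not carry depending on repository settings, so adding `permissions: {contents: read, security-events: write}` at the top level both makes the upload deterministic and drops every other scope to least privilege. The new file also reuses `name: scan` from scan.yml, so both workflows show under the same label in the Actions tab; `name: scan_ubi` would match the filename the README badge already links to.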
@@ -1,6 +1,6 @@
 # docker-whisperX
 
-[![CodeFactor](https://www.codefactor.io/repository/github/jim60105/docker-whisperx/badge)](https://www.codefactor.io/repository/github/jim60105/docker-whisperx) ![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/docker_publish.yml?label=DOCKER%20BUILD) [![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/scan.yml?label=IMAGE%20SCAN)](https://github.com/jim60105/docker-whisperX/actions/workflows/scan.yml)
+[![CodeFactor](https://www.codefactor.io/repository/github/jim60105/docker-whisperx/badge)](https://www.codefactor.io/repository/github/jim60105/docker-whisperx) ![Docker Build](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/docker_publish.yml?label=Docker%20Build) [![Image Scan](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/scan.yml?label=Image%20Scan)](https://github.com/jim60105/docker-whisperX/actions/workflows/scan.yml) [![Image Scan UBI](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/scan_ubi.yml?label=Image%20Scan%20UBI)](https://github.com/jim60105/docker-whisperX/actions/workflows/scan_ubi.yml)
 
 This is the docker image for [WhisperX: Automatic Speech Recognition with Word-Level Timestamps (and Speaker Diarization)](https://github.com/m-bain/whisperX) from the community.
 
@@ -114,6 +114,8 @@ docker run --gpus all -it -v ".:/app" whisperx:large-v3-ja -- --output_format sr ## ⛑️ Red Hat UBI based Image +[![Image Scan UBI](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/scan_ubi.yml?label=Image%20Scan%20UBI)](https://github.com/jim60105/docker-whisperX/actions/workflows/scan_ubi.yml) + I have created an alternative [ubi.Dockerfile](ubi.Dockerfile) that is based on the **Red Hat Universal Base Image (UBI)** image, unlike the default one which used the **Python official image** as the base image. If you are a Red Hat subscriber, I believe you will find its benefits. > [!TIP]