-
Notifications
You must be signed in to change notification settings - Fork 197
140 lines (126 loc) · 4.69 KB
/
manual-docker-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
name: Examples docker images BoM/CVE scan on manual event
on:
workflow_dispatch:
inputs:
node:
default: "gaudi"
description: "Hardware to run scan"
required: true
type: string
examples:
default: "ChatQnA"
description: 'List of examples to scan [AudioQnA,ChatQnA,CodeGen,CodeTrans,DocSum,FaqGen,SearchQnA,Translation]'
required: false
type: string
images:
default: "gmcmanager,gmcrouter"
description: 'List of images to scan [gmcmanager,gmcrouter, ...]'
required: false
type: string
tag:
default: "latest"
description: "Tag for images to scan"
required: true
type: string
sbom_scan:
default: true
description: 'Scan images for BoM'
required: false
type: boolean
trivy_scan:
default: true
description: 'Scan images for CVE'
required: false
type: boolean
permissions: read-all
jobs:
get-image-list:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.scan-matrix.outputs.matrix }}
steps:
- name: Checkout out Repo
uses: actions/checkout@v4
- name: Set Matrix
id: scan-matrix
run: |
image_list=[]
if [[ ! -z "${{ inputs.examples }}" ]]; then
pip install yq
examples=($(echo ${{ inputs.examples }} | tr ',' ' '))
for example in ${examples[@]}
do
images=$(cat ${{ github.workspace }}/${example}/docker/docker_build_compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.')
image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images}))
done
fi
if [[ ! -z "${{ inputs.images }}" ]]; then
images=($(echo ${{ inputs.images }} | tr ',' ' '))
input_image_list=$(printf '%s\n' "${images[@]}" | sort -u | jq -R '.' | jq -sc '.')
image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${input_image_list}))
fi
echo "print image list..."
echo "$image_list" | jq . | jq -r '.[]'
echo "end of image list..."
echo "matrix=$(echo ${image_list} | jq -c '.')" >> $GITHUB_OUTPUT
scan-docker:
needs: get-image-list
runs-on: "docker-build-${{ inputs.node }}"
strategy:
matrix:
image: ${{ fromJson(needs.get-image-list.outputs.matrix) }}
fail-fast: false
steps:
- name: Clean up Working Directory
run: |
sudo rm -rf ${{github.workspace}}/* || true
docker system prune -f
- name: Pull Image
run: |
docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
- name: SBOM Scan Container
uses: anchore/[email protected]
if: ${{ inputs.sbom_scan }}
with:
image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output-file: ${{ matrix.image }}-sbom-scan.txt
format: 'spdx-json'
- name: Security Scan Container
uses: aquasecurity/[email protected]
if: ${{ inputs.trivy_scan }}
with:
image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output: ${{ matrix.image }}-trivy-scan.txt
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Cleanup
if: always()
run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} || true
- name: Collect Logs
if: always()
run: |
mkdir -p /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
mv ${{ matrix.image }}-*-scan.txt /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
upload-artifacts:
needs: scan-docker
runs-on: "docker-build-${{ inputs.node }}"
if: always()
steps:
- uses: actions/[email protected]
with:
name: sbom-scan-${{ inputs.tag }}-${{ github.run_number }}
path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-sbom-scan.txt
overwrite: true
- uses: actions/[email protected]
with:
name: trivy-scan-${{ inputs.tag }}-${{ github.run_number }}
path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-trivy-scan.txt
overwrite: true
- name: Remove Logs
run: rm -rf /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} && rm -rf /tmp/sbom-action-*