
Commit 0d49244

authored
Add Scan Container. (#560)
Signed-off-by: zepan <[email protected]>
1 parent 5fb4a38 commit 0d49244


2 files changed

+92
-2
lines changed


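--- a/.github/workflows/manual-bom-scan.yml
+++ b/.github/workflows/manual-bom-scan.yml
@@ -0,0 +1,92 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Comps docker images BoM scan on manual event
+on:
+  workflow_dispatch:
+    inputs:
+      services:
+        default: "asr"
+        description: "List of services to test [agent_langchain,asr,chathistory_mongo,dataprep_milvus...]" #,embeddings,guardrails,knowledgegraphs,llms,lvms,prompt_registry,ragas,reranks,retrievers,tts,vectorstores,web_retrievers]"
+        required: true
+        type: string
+      tag:
+        default: "comps"
+        description: "Tag to apply to images"
+        required: true
+        type: string
+
+permissions: read-all
+jobs:
+  get-image-list:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.scan-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout out Repo
+        uses: actions/checkout@v4
+
+      - name: Set Matrix
+        id: scan-matrix
+        run: |
+          pip install yq
+          services=($(echo ${{ inputs.services }} | tr ',' ' '))
+          image_list=[]
+          for service in ${services[@]}
+          do
+            images=$(cat ${{ github.workspace }}/.github/workflows/docker/compose/${service}-compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.')
+            image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images}))
+          done
+          echo "matrix=$(echo ${image_list} | jq -c '.')" >> $GITHUB_OUTPUT
+
+  scan-license:
+    needs: get-image-list
+    runs-on: "docker-build-gaudi"
+    strategy:
+      matrix:
+        image: ${{ fromJson(needs.get-image-list.outputs.matrix) }}
+      fail-fast: false
+    steps:
+      - name: Pull Image
+        run: |
+          docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:latest
+          # ${{ inputs.tag }}
+          echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
+
+      - name: SBOM Scan Container
+        uses: anchore/[email protected]
+        if: always()
+        with:
+          image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
+          output-file: ${{ matrix.image }}-sbom-scan.txt
+          format: "spdx-json"
+
+      - name: Security Scan Container
+        uses: aquasecurity/[email protected]
+        if: always()
+        with:
+          image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
+          output: ${{ matrix.image }}-trivy-scan.txt
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+
+      - name: Cleanup
+        if: always()
+        run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
+
+      - uses: actions/[email protected]
+        if: always()
+        with:
+          name: sbom-scan
+          path: ${{ matrix.image }}-sbom-scan.txt
+          overwrite: true
+
+      - uses: actions/[email protected]
+        if: always()
+        with:
+          name: trivy-scan
+          path: ${{ matrix.image }}-trivy-scan.txt
+          overwrite: true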
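Review bot: The `Set Matrix` step splices the `services` workflow_dispatch input directly into the shell script text (`services=($(echo ${{ inputs.services }} | tr ',' ' '))`), so whatever a dispatcher types becomes part of the script before bash parses it, and the Cleanup step does the same with `${{ inputs.tag }}` on its `docker rmi` line. Passing the values through the step's `env:` and reading them as shell variables keeps them as data: add `env:` / `SERVICES: ${{ inputs.services }}` to the step and use `services=($(echo "$SERVICES" | tr ',' ' '))`. Separately, the Pull Image step pulls `:latest` (with `# ${{ inputs.tag }}` left commented out) while the SBOM, Trivy and Cleanup steps reference `:${{ inputs.tag }}`, so unless an image with that tag is already present on the self-hosted runner the scans run against something other than what was just pulled; the pull and the scans should agree on one tag. The `uses:` references are pinned by version tag rather than commit SHA and `pip install yq` has no version at all, which is worth tightening for a job whose output is a supply-chain audit.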

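--- a/comps/__init__.py
+++ b/comps/__init__.py
@@ -15,8 +15,6 @@
     SearchedMultimodalDoc,
     RerankedDoc,
     TextDoc,
-    ImageDoc,
-    TextImageDoc,
     RAGASParams,
     RAGASScores,
     GraphDoc,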
