|
| 1 | +# Copyright (C) 2024 Intel Corporation |
| 2 | +# SPDX-License-Identifier: Apache-2.0 |
| 3 | + |
| 4 | +name: Comps docker images BoM scan on manual event |
| 5 | +on: |
| 6 | + workflow_dispatch: |
| 7 | + inputs: |
| 8 | + services: |
| 9 | + default: "asr" |
| 10 | + description: "List of services to test [agent_langchain,asr,chathistory_mongo,dataprep_milvus...]" #,embeddings,guardrails,knowledgegraphs,llms,lvms,prompt_registry,ragas,reranks,retrievers,tts,vectorstores,web_retrievers]" |
| 11 | + required: true |
| 12 | + type: string |
| 13 | + tag: |
| 14 | + default: "comps" |
| 15 | + description: "Tag to apply to images" |
| 16 | + required: true |
| 17 | + type: string |
| 18 | + |
| 19 | +permissions: read-all |
| 20 | +jobs: |
| 21 | + get-image-list: |
| 22 | + runs-on: ubuntu-latest |
| 23 | + outputs: |
| 24 | + matrix: ${{ steps.scan-matrix.outputs.matrix }} |
| 25 | + steps: |
| 26 | + - name: Checkout out Repo |
| 27 | + uses: actions/checkout@v4 |
| 28 | + |
| 29 | + - name: Set Matrix |
| 30 | + id: scan-matrix |
| 31 | + run: | |
| 32 | + pip install yq |
| 33 | + services=($(echo ${{ inputs.services }} | tr ',' ' ')) |
| 34 | + image_list=[] |
| 35 | + for service in ${services[@]} |
| 36 | + do |
| 37 | + images=$(cat ${{ github.workspace }}/.github/workflows/docker/compose/${service}-compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.') |
| 38 | + image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images})) |
| 39 | + done |
| 40 | + echo "matrix=$(echo ${image_list} | jq -c '.')" >> $GITHUB_OUTPUT |
| 41 | +
|
| 42 | + scan-license: |
| 43 | + needs: get-image-list |
| 44 | + runs-on: "docker-build-gaudi" |
| 45 | + strategy: |
| 46 | + matrix: |
| 47 | + image: ${{ fromJson(needs.get-image-list.outputs.matrix) }} |
| 48 | + fail-fast: false |
| 49 | + steps: |
| 50 | + - name: Pull Image |
| 51 | + run: | |
| 52 | + docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:latest |
| 53 | + # ${{ inputs.tag }} |
| 54 | + echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV |
| 55 | +
|
| 56 | + - name: SBOM Scan Container |
| 57 | + |
| 58 | + if: always() |
| 59 | + with: |
| 60 | + image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }} |
| 61 | + output-file: ${{ matrix.image }}-sbom-scan.txt |
| 62 | + format: "spdx-json" |
| 63 | + |
| 64 | + - name: Security Scan Container |
| 65 | + uses: aquasecurity/[email protected] |
| 66 | + if: always() |
| 67 | + with: |
| 68 | + image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }} |
| 69 | + output: ${{ matrix.image }}-trivy-scan.txt |
| 70 | + format: "table" |
| 71 | + exit-code: "1" |
| 72 | + ignore-unfixed: true |
| 73 | + vuln-type: "os,library" |
| 74 | + severity: "CRITICAL,HIGH" |
| 75 | + |
| 76 | + - name: Cleanup |
| 77 | + if: always() |
| 78 | + run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} |
| 79 | + |
| 80 | + |
| 81 | + if: always() |
| 82 | + with: |
| 83 | + name: sbom-scan |
| 84 | + path: ${{ matrix.image }}-sbom-scan.txt |
| 85 | + overwrite: true |
| 86 | + |
| 87 | + |
| 88 | + if: always() |
| 89 | + with: |
| 90 | + name: trivy-scan |
| 91 | + path: ${{ matrix.image }}-trivy-scan.txt |
| 92 | + overwrite: true |
0 commit comments