jandres/GenAIExamples
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
main
GenAIExamples/.github/workflows/pr-code-scan.yml
VincyZhang 736155ca95 Detect dangerous command (#1179) 
Signed-off-by: Wenxin Zhang <wenxin.zhang@intel.com>
2024-11-27 11:43:56 +08:00

67 lines
2.1 KiB
YAML
Raw Permalink Blame History

# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
name: Code Scan
on:
pull_request:
branches: [main]
types: [opened, reopened, ready_for_review, synchronize] # added `ready_for_review` since draft is skipped
paths-ignore:
- "**.md"
workflow_dispatch:
# If there is a new commit, the previous jobs will be canceled
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
env:
DOCKER_CONFIG_NAME: "commonDockerConfig"
REPO_NAME: "code-scan"
REPO_TAG: "1.0"
DOCKER_FILE_NAME: "code-scan"
CONTAINER_NAME: "code-scan"
jobs:
code-scan:
runs-on: ubuntu-latest
strategy:
matrix:
job_name: ["bandit", "hadolint"]
fail-fast: false
steps:
- name: Checkout out Repo
uses: actions/checkout@v4
- name: Check Dangerous Command Injection
uses: opea-project/validation/actions/check-cmd@main
with:
work_dir: ${{ github.workspace }}
- name: Docker Build
run: |
docker build -f ${{ github.workspace }}/.github/workflows/docker/${{ env.DOCKER_FILE_NAME }}.dockerfile -t ${{ env.REPO_NAME }}:${{ env.REPO_TAG }} .
- name: Docker Run
run: |
if [[ $(docker ps -a | grep -i '${{ env.CONTAINER_NAME }}'$) ]]; then
docker stop ${{ env.CONTAINER_NAME }}
docker rm -vf ${{ env.CONTAINER_NAME }} || true
fi
docker run -dit --memory="4g" --memory-reservation="1g" --disable-content-trust --privileged --name=${{ env.CONTAINER_NAME }} --shm-size="1g" \
-v ${{ github.workspace }}:/GenAIExamples \
${{ env.REPO_NAME }}:${{ env.REPO_TAG }}
- name: Code scan check
run: |
docker exec ${{ env.CONTAINER_NAME }} \
bash -c "bash /GenAIExamples/.github/workflows/scripts/codeScan/${{ matrix.job_name }}.sh"
- name: Publish pipeline artifact
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.job_name }}
path: ${{ github.workspace }}/.github/workflows/scripts/codeScan/${{ matrix.job_name }}.*
Reference in New Issue View Git Blame Copy Permalink