jandres/GenAIExamples
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
6a705ad3d47982488f5d47684374caf5cf906d94
GenAIExamples/.github/workflows/manual-bom-scan.yml
Abolfazl Shahbazi 6f3e54a22a Always upload scan artifacts (#680) 
Signed-off-by: Abolfazl Shahbazi <abolfazl.shahbazi@intel.com>
2024-08-29 09:35:47 +08:00

90 lines
2.8 KiB
YAML
Raw Blame History

# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
name: Examples docker images BoM scan on manual event
on:
workflow_dispatch:
inputs:
node:
default: "gaudi"
description: "Hardware to run test"
required: true
type: string
examples:
default: "ChatQnA"
description: 'List of examples to test [AudioQnA,ChatQnA,CodeGen,CodeTrans,DocSum,FaqGen,SearchQnA,Translation]'
required: true
type: string
tag:
default: "latest"
description: "Tag to apply to images"
required: true
type: string
permissions: read-all
jobs:
get-image-list:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.scan-matrix.outputs.matrix }}
steps:
- name: Checkout out Repo
uses: actions/checkout@v4
- name: Set Matrix
id: scan-matrix
run: |
pip install yq
examples=($(echo ${{ inputs.examples }} | tr ',' ' '))
image_list=[]
for example in ${examples[@]}
do
images=$(cat ${{ github.workspace }}/${example}/docker/docker_build_compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.')
image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images}))
done
echo "matrix=$(echo ${image_list} | jq -c '.')" >> $GITHUB_OUTPUT
scan-license:
needs: get-image-list
runs-on: "docker-build-${{ inputs.node }}"
strategy:
matrix:
image: ${{ fromJson(needs.get-image-list.outputs.matrix) }}
fail-fast: false
steps:
- name: Pull Image
run: |
docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
- name: SBOM Scan Container
uses: anchore/sbom-action@v0.17.1
if: always()
with:
image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output-file: ${{ matrix.image }}-sbom-scan.txt
format: 'spdx-json'
- name: Security Scan Container
uses: aquasecurity/trivy-action@0.24.0
if: always()
with:
image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output: ${{ matrix.image }}-trivy-scan.txt
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Cleanup
if: always()
run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
- uses: actions/upload-artifact@v4.3.4
if: always()
with:
name: ${{ matrix.image }}-scan
path: ${{ matrix.image }}-*-scan.txt
overwrite: true
Reference in New Issue View Git Blame Copy Permalink