Manual - Docker Scan (SBOM and CVE) #13
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (C) 2024 Intel Corporation | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: Manual - Docker Scan (SBOM and CVE) | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| node: | |
| default: "xeon" | |
| description: "Hardware to run scan" | |
| required: true | |
| type: string | |
| tag: | |
| default: "latest" | |
| description: "Tag for images to scan" | |
| required: true | |
| type: string | |
| # sbom_scan: | |
| # default: true | |
| # description: 'Scan images for BoM' | |
| # required: false | |
| # type: boolean | |
| trivy_scan: | |
| default: true | |
| description: 'Scan images for CVE' | |
| required: false | |
| type: boolean | |
| permissions: read-all | |
| jobs: | |
| clean-workspace: | |
| runs-on: "docker-build-${{ inputs.node }}" | |
| steps: | |
| - name: Clean up Working Directory | |
| run: | | |
| sudo rm -rf ${{github.workspace}}/* || true | |
| # docker system prune -f | |
| manual-docker-scan: | |
| needs: clean-workspace | |
| runs-on: "docker-build-${{ inputs.node }}" | |
| strategy: | |
| matrix: | |
| image: ["studio-frontend", "studio-backend", "app-frontend", "app-backend"] | |
| fail-fast: false | |
| max-parallel: 2 | |
| steps: | |
| - name: Pull Image | |
| run: | | |
| docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV | |
| env: | |
| HTTP_PROXY: ${{ env.http_proxy }} | |
| HTTPS_PROXY: ${{ env.https_proxy }} | |
| NO_PROXY: ${{ env.no_proxy }} | |
| # - name: SBOM Scan Container | |
| # uses: anchore/[email protected] | |
| # if: ${{ inputs.sbom_scan }} | |
| # with: | |
| # image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| # output-file: ${{ matrix.image }}-sbom-scan.txt | |
| # format: 'spdx-json' | |
| # env: | |
| # HTTP_PROXY: ${{ env.http_proxy }} | |
| # HTTPS_PROXY: ${{ env.https_proxy }} | |
| # FTP_PROXY: ${{ env.ftp_proxy }} | |
| # NO_PROXY: ${{ env.no_proxy }} | |
| - name: Security Scan Container | |
| uses: aquasecurity/[email protected] | |
| if: ${{ inputs.trivy_scan }} | |
| with: | |
| image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }} | |
| output: ${{ matrix.image }}-trivy-scan.txt | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| env: | |
| HTTP_PROXY: ${{ env.http_proxy }} | |
| HTTPS_PROXY: ${{ env.https_proxy }} | |
| NO_PROXY: ${{ env.no_proxy }} | |
| - name: Cleanup | |
| if: always() | |
| run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} || true | |
| - name: Collect Logs | |
| if: always() | |
| run: | | |
| mkdir -p /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} | |
| mv ${{ matrix.image }}-*-scan.txt /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} | |
| upload-artifacts: | |
| needs: manual-docker-scan | |
| runs-on: "docker-build-${{ inputs.node }}" | |
| if: always() | |
| steps: | |
| - name: Upload SBOM Artifacts | |
| uses: actions/[email protected] | |
| with: | |
| name: sbom-scan-${{ inputs.tag }}-${{ github.run_number }} | |
| path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-sbom-scan.txt | |
| overwrite: true | |
| - name: Upload Trivy Artifacts | |
| uses: actions/[email protected] | |
| with: | |
| name: trivy-scan-${{ inputs.tag }}-${{ github.run_number }} | |
| path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-trivy-scan.txt | |
| overwrite: true | |
| - name: Remove Logs | |
| run: rm -rf /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} && rm -rf /tmp/sbom-action-* |