SeldonIO · domsolutions · Dec 19, 2025 · Dec 19, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
@@ -38,13 +38,30 @@ jobs:
           USER_INPUT="${{ github.event.inputs.docker-tag }}"
           echo "value=${USER_INPUT:-latest}" >> $GITHUB_OUTPUT
 
-
       - name: Build and push
         working-directory: ./operator/
         env:
           VERSION: ${{ steps.docker-tag.outputs.value }}
         run: |
           make docker-build docker-push
+          TAG="$(make show_image)"
+          echo "SELDON_OPERATOR_IMG=$TAG" >> $GITHUB_ENV
+          echo "Operator tag: SELDON_OPERATOR_IMG"
+
+      - name: Monitor docker image for CVEs
+        # only want to monitor images which we have set a release tag for
+        if: ${{ github.event.inputs.docker-tag != '' && github.event.inputs.docker-tag != 'latest' }}
+        uses: snyk/actions/docker@master
+        continue-on-error: false
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.SELDON_OPERATOR_IMG }}
+          command: monitor
+          args:  --app-vulns --severity-threshold=high --file=operator/Dockerfile
+
+      - name: Free up space by removing the Docker Builder caches
+        run: docker builder prune -af
 
   executor:
     runs-on: ubuntu-latest
@@ -71,6 +88,24 @@ jobs:
           VERSION: ${{ steps.docker-tag.outputs.value }}
         run: |
           make docker-build docker-push
+          TAG="$(make show_image)"
+          echo "SELDON_EXECUTOR_IMG=$TAG" >> $GITHUB_ENV
+          echo "Executor tag: $SELDON_EXECUTOR_IMG"
+
+      - name: Monitor docker image for CVEs
+        # only want to monitor images which we have set a release tag for
+        if: ${{ github.event.inputs.docker-tag != '' && github.event.inputs.docker-tag != 'latest'}}
+        uses: snyk/actions/docker@master
+        continue-on-error: false
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.SELDON_EXECUTOR_IMG }}
+          command: monitor
+          args:  --app-vulns --severity-threshold=high --file=executor/Dockerfile.executor
+
+      - name: Free up space by removing the Docker Builder caches
+        run: docker builder prune -af
 
   rclone-storage-initializer:
     runs-on: ubuntu-latest
@@ -96,6 +131,24 @@ jobs:
           VERSION: ${{ steps.docker-tag.outputs.value }}
         run: |
           make docker-build docker-push
+          TAG="$(make show_image)"
+          echo "SELDON_RCLONE_IMG=$TAG" >> $GITHUB_ENV
+          echo "Rclone tag: $SELDON_RCLONE_IMG"
+
+      - name: Monitor docker image for CVEs
+        # only want to monitor images which we have set a release tag for
+        if: ${{ github.event.inputs.docker-tag != '' && github.event.inputs.docker-tag != 'latest'}}
+        uses: snyk/actions/docker@master
+        continue-on-error: false
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.SELDON_RCLONE_IMG }}
+          command: monitor
+          args:  --app-vulns --severity-threshold=high --file=./components/rclone-storage-initializer/Dockerfile
+
+      - name: Free up space by removing the Docker Builder caches
+        run: docker builder prune -af
 
   s2i-wrapper:
     runs-on: ubuntu-latest
@@ -124,6 +177,22 @@ jobs:
           VERSION: ${{ steps.docker-tag.outputs.value }}
         run: |
           make docker-build-conda-base docker-push-conda-base
+          TAG="$(make show_conda_image)"
+          echo "SELDON_CONDA_IMG=$TAG" >> $GITHUB_ENV
+          echo "Conda tag: $SELDON_CONDA_IMG"
+
+      - name: Monitor (Conda base) docker image for CVEs
+        # only want to monitor images which we have set a release tag for
+        if: ${{ github.event.inputs.docker-tag != '' && github.event.inputs.docker-tag != 'latest'}}
+        uses: snyk/actions/docker@master
+        continue-on-error: false
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.SELDON_CONDA_IMG }}
+          command: monitor
+          args:  --app-vulns --severity-threshold=high --file=./wrappers/s2i/python/Dockerfile.conda
+
 
       - name: Build and push (Base Wrapper)
         working-directory: ./wrappers/s2i/python
@@ -133,6 +202,22 @@ jobs:
           make docker-build docker-push PYTHON_VERSION=3.12.12
           make docker-tag-base-python docker-push-base-python PYTHON_VERSION=3.12.12
           docker save -o /tmp/base-wrapper.tar seldonio/seldon-core-s2i-python312:${VERSION}
+          TAG="$(make show_python_wrapper_image)"
+          echo "PYTHON_BASE_WRAPPER_IMG=$TAG" >> $GITHUB_ENV
+          echo "Python base wrapper tag: $PYTHON_BASE_WRAPPER_IMG"
+
+      - name: Monitor (base wrapper) docker image for CVEs
+        # only want to monitor images which we have set a release tag for
+        if: ${{ github.event.inputs.docker-tag != '' && github.event.inputs.docker-tag != 'latest'}}
+        uses: snyk/actions/docker@master
+        continue-on-error: false
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.PYTHON_BASE_WRAPPER_IMG }}
+          command: monitor
+          args:  --app-vulns --severity-threshold=high --file=./wrappers/s2i/python/Dockerfile
+
 
       - name: Upload artifact
         uses: actions/upload-artifact@v4
@@ -156,6 +241,13 @@ jobs:
         - examples/models/mean_classifier
         - testing/docker/echo-model
     steps:
+      - name: Free up disk space (android, haskell, dotnet)
+        run: |
+            sudo rm -rf /usr/local/lib/android || true
+            sudo rm -rf /opt/ghc || true
+            sudo rm -rf /usr/share/dotnet || true
+            df -h
+
       - name: Checkout Git Commit
         uses: actions/checkout@v4
 
@@ -204,3 +296,24 @@ jobs:
           VERSION: ${{ steps.docker-tag.outputs.value }}
         run: |
           make docker-build docker-push
+          TAG="$(make show_image)"
+          echo "IMG_TAG=$TAG" >> $GITHUB_ENV
+          echo "${{ matrix.server }} image tag: $IMG_TAG"
+
+      - name: Remove docker image to make disk space
+        run: |
+          docker rmi ${{ env.IMG_TAG }} 
+          docker builder prune -af
+          du -sh /home/runner/actions-runner/cached/*/
+
+      - name: Monitor docker image for CVEs
+        # only want to monitor images which we have set a release tag for
+        if: ${{ github.event.inputs.docker-tag != '' && github.event.inputs.docker-tag != 'latest'}}
+        uses: snyk/actions/docker@master
+        continue-on-error: false
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.IMG_TAG }}
+          command: monitor
+          args: --debug --log-level=trace --app-vulns --severity-threshold=high
diff --git a/components/alibi-detect-server/Makefile b/components/alibi-detect-server/Makefile
@@ -14,6 +14,11 @@ get_local_repo: clean
 	cp $(SELDON_CORE_DIR)/version.txt version.txt
 	cp -R "$(SELDON_CORE_DIR)/python/." _seldon_core/
 
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE}:${VERSION}
+
+
 clean:
 	rm version.txt || true
 	rm -rf _seldon_core || true

diff --git a/components/alibi-explain-server/Makefile b/components/alibi-explain-server/Makefile
@@ -68,6 +68,11 @@ redhat-image-scan:
 clean:
 	rm -rf test_models
 
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE}:${VERSION}
+
+
 #
 # Test Tabular Explanations
 #

diff --git a/components/rclone-storage-initializer/Makefile b/components/rclone-storage-initializer/Makefile
@@ -26,3 +26,7 @@ redhat-image-scan:
 	docker push quay.io/redhat-isv-containers/${project}:${VERSION}
 	source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \
 		preflight check container quay.io/redhat-isv-containers/${project}:${VERSION} --docker-config=${HOME}/.docker/config.json --certification-project-id=${project} --pyxis-api-token=$${pyxis_api_token} --submit
+
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE_TAG}
diff --git a/components/routers/epsilon-greedy/Makefile b/components/routers/epsilon-greedy/Makefile
@@ -10,3 +10,8 @@ docker-push:
 
 kind_load: docker-build
 	kind load -v 3 docker-image ${IMAGE_NAME}:${VERSION} --name ${KIND_NAME}
+
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE_NAME}:${VERSION}
+
diff --git a/examples/models/mean_classifier/Makefile b/examples/models/mean_classifier/Makefile
@@ -32,3 +32,7 @@ redhat-image-scan:
 	docker push quay.io/redhat-isv-containers/${project}:${VERSION}
 	source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \
 		preflight check container quay.io/redhat-isv-containers/${project}:${VERSION} --docker-config=${HOME}/.docker/config.json --certification-project-id=${project} --pyxis-api-token=$${pyxis_api_token} --submit
+
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE_BASE}:${VERSION}
diff --git a/executor/Makefile b/executor/Makefile
@@ -24,6 +24,10 @@ fmt:
 vet:
 	go vet ./...
 
+.PHONY:show_image
+show_image:
+	 @echo ${SELDON_EXECUTOR_IMG}
+
 
 # Build manager binary
 executor: copy_operator fmt vet

diff --git a/operator/Makefile b/operator/Makefile
@@ -24,10 +24,6 @@ endif
 #SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
 
-.PHONY:show_image
-show_image:
-	echo ${SELDON_OPERATOR_IMG}
-
 all: manager
 
 .PHONY: lint
@@ -277,6 +273,10 @@ opm_index:
 	opm index add -c docker --bundles quay.io/seldon/seldon-operator:v${VERSION} --mode replaces --tag quay.io/seldon/test-catalog:latest
 
 
+.PHONY:show_image
+show_image:
+	 @echo ${SELDON_OPERATOR_IMG}
+
 opm_push:
 	docker push quay.io/seldon/test-catalog:latest
 

diff --git a/servers/mlflowserver/Makefile b/servers/mlflowserver/Makefile
@@ -32,3 +32,7 @@ redhat-image-scan:
 	docker push quay.io/redhat-isv-containers/${project}:${VERSION}
 	source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \
 		preflight check container quay.io/redhat-isv-containers/${project}:${VERSION} --docker-config=${HOME}/.docker/config.json --certification-project-id=${project} --pyxis-api-token=$${pyxis_api_token} --submit
+
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE_NAME}:${VERSION}
diff --git a/servers/sklearnserver/Makefile b/servers/sklearnserver/Makefile
@@ -32,3 +32,7 @@ redhat-image-scan:
 	docker push quay.io/redhat-isv-containers/${project}:${VERSION}
 	source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \
 		preflight check container quay.io/redhat-isv-containers/${project}:${VERSION} --docker-config=${HOME}/.docker/config.json --certification-project-id=${project} --pyxis-api-token=$${pyxis_api_token} --submit
+
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE_NAME}:${VERSION}
diff --git a/servers/tfserving_proxy/Makefile b/servers/tfserving_proxy/Makefile
@@ -32,3 +32,7 @@ redhat-image-scan:
 	docker push quay.io/redhat-isv-containers/${project}:${VERSION}
 	source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \
 		preflight check container quay.io/redhat-isv-containers/${project}:${VERSION} --docker-config=${HOME}/.docker/config.json --certification-project-id=${project} --pyxis-api-token=$${pyxis_api_token} --submit
+
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE_NAME}:${VERSION}
diff --git a/servers/xgboostserver/Makefile b/servers/xgboostserver/Makefile
@@ -32,3 +32,7 @@ redhat-image-scan:
 	docker push quay.io/redhat-isv-containers/${project}:${VERSION}
 	source ~/.config/seldon/seldon-core/redhat-image-passwords.sh && \
 		preflight check container quay.io/redhat-isv-containers/${project}:${VERSION} --docker-config=${HOME}/.docker/config.json --certification-project-id=${project} --pyxis-api-token=$${pyxis_api_token} --submit
+
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE_NAME}:${VERSION}
diff --git a/testing/docker/echo-model/Makefile b/testing/docker/echo-model/Makefile
@@ -15,3 +15,8 @@ docker-push:
 
 kind_load_image: docker-build
 	kind load -v 3 docker-image ${IMAGE_BASE}:${VERSION} --name ${KIND_NAME}
+
+
+.PHONY:show_image
+show_image:
+	 @echo ${IMAGE_BASE}:${VERSION}
diff --git a/wrappers/s2i/python/Makefile b/wrappers/s2i/python/Makefile
@@ -26,6 +26,15 @@ get_local_repo:
 	cp ../../../version.txt version.txt
 	cp -r $(SELDON_CORE_DIR)/python _python
 
+.PHONY:show_conda_image
+show_conda_image:
+	 @echo ${CONDA_BASE_IMAGE}:${VERSION}
+
+
+.PHONY:show_python_wrapper_image
+show_python_wrapper_image:
+	 @echo ${IMAGE_NAME}:${VERSION}
+
 
 # Building Conda Base
 docker-build-conda-base: