edge-ai-suites/.github/workflows/education-suite-scan.yaml at main · bhardwaj-nakul/edge-ai-suites · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
---
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

name: "Education-Suite-CI"
run-name: "[Education-Suite-CI] PR  workflow (by @${{ github.actor }} via ${{ github.event_name }})"


# Only run at most 1 workflow concurrently per PR, unlimited for branches
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

on:
  pull_request:
    branches:
      - main
    paths:
      - 'education-ai-suite/**'

jobs:

  trivy-scan:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          persist-credentials: false

      - name: Run Trivy Filesystem Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@a416220a0f87725196093a638e0186286ac4a953
        id: trivy-fs
        with:
          scan_type: "fs"
          scan-scope: "all"
          severity: "HIGH,CRITICAL"
          format: "json"
          scan_target: "education-ai-suite/"
          report_suffix: "-fs-education-ai-suite-trivy"

      - name: Run trivy Scan - education-suite (SPDX SBOM)
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@a416220a0f87725196093a638e0186286ac4a953
        id: videosummary-frontend-spdx
        with:
          scan_type: "fs"
          scan-scope: "all"
          scan_target: "education-ai-suite/"
          severity: "HIGH,CRITICAL"
          format: "spdx-json"
          scanners: "vuln"
          report_suffix: "-education-ai-suite-spdx-trivy"
          generate_sbom: "true"

      - name: Upload Report
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: trivy-report-video-summary
          path: security-results/trivy*

  bandit-scan:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709

      - name: Run Bandit Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/bandit@27276444a9bcf247a27369406686b689933bd1ff
        id: bandit
        with:
          scan-scope: "all"
          output-format: "txt"
          fail-on-findings: "false"
          paths: "education-ai-suite/smart-classroom"
          report_suffix: "-bandit-education-ai-suite"

      - name: Upload Report
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: bandit-education-ai-suite
          path: bandit-report-*.txt