edge-ai-suites/.github/workflows/video-processing-for-nvr-scan.yaml at 25f0c996bafd1ed7c954236f55effa084d0cb954 · madhuri-rai07/edge-ai-suites · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
---
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

name: "[VPP] SDLe Scans - Scan Trivy Coverity"
run-name: "[VPP] SDLe Scans - Scan Trivy Coverity"


#Only run at most 1 workflow concurrently per PR, unlimited for branches
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

on:
  workflow_call:
  workflow_dispatch:
  schedule:
    - cron: "0 2 * * 0"  # 2 a.m. on Sunday

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          persist-credentials: false

      - name: Build Docker images
        run: |
          sudo -E wget -O- https://eci.intel.com/sed-repos/gpg-keys/GPG-PUB-KEY-INTEL-SED.gpg | sudo tee /usr/share/keyrings/sed-archive-keyring.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/sed-archive-keyring.gpg] https://eci.intel.com/sed-repos/$(source /etc/os-release && echo $VERSION_CODENAME) sed main" | sudo tee /etc/apt/sources.list.d/sed.list
          echo "deb-src [signed-by=/usr/share/keyrings/sed-archive-keyring.gpg] https://eci.intel.com/sed-repos/$(source /etc/os-release && echo $VERSION_CODENAME) sed main" | sudo tee -a /etc/apt/sources.list.d/sed.list
          sudo bash -c 'echo -e "Package: *\nPin: origin eci.intel.com\nPin-Priority: 1000" > /etc/apt/preferences.d/sed'
          sudo apt update
          sudo apt install intel-vppsdk
          sudo bash /opt/intel/vppsdk/install_vppsdk_dependencies.sh
          source /opt/intel/vppsdk/env.sh
          cd metro-ai-suite
          cd video-processing-for-nvr/docker
          bash build_sample.sh

      - name: Verify Docker image
        run: |
          echo "=== Built Docker Image ==="
          docker images
          ls
          echo "=== Image Build Verification Complete ==="
      - name: Run Trivy Filesystem Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        id: trivy-fs
        with:
          scan_type: "fs"
          scan-scope: "all"
          severity: "HIGH,CRITICAL"
          format: "json"
          scan_target: "metro-ai-suite/video-processing-for-nvr/"
          report_suffix: "-fs-vpp-CT7"


      - name: Run trivy Scan - vpp (HTML Report)
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        id: vpp-html
        with:
          scan_type: "image"
          scan-scope: "all"
          scan_target: "vppsample:latest"
          severity: "HIGH,CRITICAL"
          format: "table"
          report_suffix: "-image-vpp-html-CT248"
          generate_sbom: "false"

      - name: Run trivy Scan - vpp (SPDX SBOM)
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        id: vpp-spdx
        with:
          scan_type: "image"
          scan-scope: "all"
          scan_target: "vppsample:latest"
          severity: "HIGH,CRITICAL"
          format: "spdx-json"
          scanners: "vuln"
          report_suffix: "-image-vpp-spdx-CT248"
          generate_sbom: "false"

      - name: Scan Dockerfile with Trivy
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        with:
          scan_type: "config"
          scan_target: "metro-ai-suite/video-processing-for-nvr/docker/"
          severity: "HIGH,CRITICAL"
          format: "json"
          misconfig_scanners: "dockerfile"
          report_suffix: "-config-vpp-CT222"

      - name: Upload Report
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: trivy-report-vpp
          path: security-results/trivy*


  coverity-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Check out edge-ai-libraries repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: install live555
        run: |
          cd metro-ai-suite/video-processing-for-nvr
          bash live555_install.sh

      - name: Build code manually for VPP
        run: |
          sudo -E wget -O- https://eci.intel.com/sed-repos/gpg-keys/GPG-PUB-KEY-INTEL-SED.gpg | sudo tee /usr/share/keyrings/sed-archive-keyring.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/sed-archive-keyring.gpg] https://eci.intel.com/sed-repos/$(source /etc/os-release && echo $VERSION_CODENAME) sed main" | sudo tee /etc/apt/sources.list.d/sed.list
          echo "deb-src [signed-by=/usr/share/keyrings/sed-archive-keyring.gpg] https://eci.intel.com/sed-repos/$(source /etc/os-release && echo $VERSION_CODENAME) sed main" | sudo tee -a /etc/apt/sources.list.d/sed.list
          sudo bash -c 'echo -e "Package: *\nPin: origin eci.intel.com\nPin-Priority: 1000" > /etc/apt/preferences.d/sed'
          sudo apt update
          sudo apt install intel-vppsdk

          sudo bash /opt/intel/vppsdk/install_vppsdk_dependencies.sh
          source /opt/intel/vppsdk/env.sh

      - name: Build with Coverity Analysis
        run: |
          wget --quiet https://scan.coverity.com/download/linux64 \
            --post-data "token=${{ secrets.VPP_COVERITY_TOKEN }}&project=${{ secrets.VPP_COVERITY_PROJECT }}" \
            -O coverity_tool.tgz
          mkdir cov-analysis
          tar xzf coverity_tool.tgz --strip-components=1 -C cov-analysis
          COV_PATH="$(pwd)/cov-analysis/bin"
          cd metro-ai-suite/video-processing-for-nvr
          $COV_PATH/cov-build --dir cov-int bash build.sh

      - name: Create tarball for upload
        run: |
          cd metro-ai-suite/video-processing-for-nvr
          tar -czvf coverity_output.tgz -C . cov-int
          # Verify tarball contents
          echo "=== Tarball Contents ==="
          tar tzvf coverity_output.tgz
          echo "=== head ==="
          tar -tzvf coverity_output.tgz | head

      - name: Upload to Coverity Scan
        run: |
          cd metro-ai-suite/video-processing-for-nvr
          curl --form token=${{ secrets.VPP_COVERITY_TOKEN }} \
               --form email=${{ secrets.VPP_COVERITY_EMAIL }} \
               --form file=@coverity_output.tgz \
               --form version="`date +%Y%m%d%H%M%S`" \
               --form description="GitHub Action upload" \
               https://scan.coverity.com/builds?project=${{ secrets.VPP_COVERITY_PROJECT }}