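---
# SDLe security scans for the Milvus vector-retriever microservice:
# Trivy (filesystem, container image, Dockerfile config), Bandit and ClamAV.
# The Bandit and ClamAV steps are explicitly report-only (fail-on-findings: "false");
# results are published as workflow artifacts for review rather than enforced as gates.
name: "[Vector retriever Milvus] SDLe Scans"
run-name: "[Vector retriever Milvus] SDLe Scans"

# Only run at most 1 workflow concurrently per PR, unlimited for branches.
# This workflow has no pull_request trigger of its own: the PR case applies when it
# is invoked via workflow_call from a PR-triggered caller, whose event is what
# github.event_name reports here. Scheduled and manual runs are never cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

on:  # yamllint disable-line rule:truthy
  workflow_call:
  workflow_dispatch:
  schedule:
    - cron: "0 2 * * 0"  # 2 a.m. on Sunday

jobs:
  trivy-scan:
    runs-on: ubuntu-22.04
    # Least privilege: the job only reads the tree and builds/scans a local image.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave GITHUB_TOKEN in .git/config where the docker build and the
          # third-party scanner actions below could read it.
          persist-credentials: false
      - name: Build Docker image
        # Build context is microservices/, one level above the Dockerfile.
        run: |
          cd microservices
          docker build -t retriever-milvus:latest -f vector-retriever/milvus/src/Dockerfile .
      - name: Verify Docker image
        # Lists local images for the log, then fails fast if the tag the image
        # scans below depend on is not present.
        run: |
          echo "=== Built Docker Image ==="
          docker images
          docker image inspect retriever-milvus:latest > /dev/null
          echo "=== Image Build Verification Complete ==="
      # Report suffixes name this component and its control ID (CTnn) so artifacts
      # from different microservices' scan workflows stay distinguishable.
      - name: Run Trivy Filesystem Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        id: trivy-fs
        with:
          scan_type: "fs"
          scan-scope: "all"
          severity: "HIGH,CRITICAL"
          format: "json"
          scan_target: "microservices/vector-retriever/milvus/"
          report_suffix: "-fs-retriever-milvus-CT7"
      - name: Run trivy Scan - retriever-milvus (HTML Report)
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        id: retriever-milvus-html
        with:
          scan_type: "image"
          scan-scope: "all"
          scan_target: "retriever-milvus:latest"
          severity: "HIGH,CRITICAL"
          format: "table"
          report_suffix: "-image-retriever-milvus-html-CT248"
          generate_sbom: "false"
      - name: Run trivy Scan - retriever-milvus (SPDX SBOM)
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        id: retriever-milvus-spdx
        with:
          scan_type: "image"
          scan-scope: "all"
          scan_target: "retriever-milvus:latest"
          severity: "HIGH,CRITICAL"
          # NOTE(review): spdx-json output is requested while generate_sbom is "false";
          # confirm the action still emits the SBOM in this configuration.
          format: "spdx-json"
          scanners: "vuln"
          report_suffix: "-image-retriever-milvus-spdx-CT248"
          generate_sbom: "false"
      - name: Scan Dockerfile with Trivy
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        with:
          scan_type: "config"
          scan_target: "microservices/vector-retriever/milvus/src/"
          severity: "HIGH,CRITICAL"
          format: "json"
          misconfig_scanners: "dockerfile"
          report_suffix: "-config-retriever-milvus-CT222"
      - name: Upload Report
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: trivy-report-retriever-milvus
          path: security-results/trivy*

  bandit-scan:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Same hardening as trivy-scan: the scanner only needs the working tree.
          persist-credentials: false
      - name: Run Bandit Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/bandit@27276444a9bcf247a27369406686b689933bd1ff
        id: bandit
        with:
          scan-scope: "all"
          output-format: "txt"
          # Report-only: findings never fail the job; review the uploaded artifact.
          fail-on-findings: "false"
          paths: "microservices/vector-retriever/milvus"
          report_suffix: "-bandit-retriever-milvus-CT161"
      - name: Upload Report
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: bandit-report-retriever-milvus
          # NOTE(review): unlike the other jobs this globs the workspace root rather
          # than security-results/; confirm it matches where the bandit action writes.
          path: bandit-report-*.txt

  clamav-scan:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Same hardening as trivy-scan: the scanner only needs the working tree.
          persist-credentials: false
      - name: Run ClamAV Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/clamav@27276444a9bcf247a27369406686b689933bd1ff
        id: clamav
        with:
          scan-scope: "all"
          output-format: "txt"
          # Report-only: findings never fail the job; review the uploaded artifact.
          fail-on-findings: "false"
          paths: "microservices/vector-retriever/milvus"
          # Skip VCS metadata, test fixtures, caches and virtualenvs.
          exclude_dirs: ".git,tests,.pytest_cache,__pycache__,.venv"
      - name: Upload Report
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: clamav-report-retriever-milvus
          path: security-results/clamav*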