[metro-vision-ai-app-recipe] PR workflow (by @ajagadi1 via pull_request) #472
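# PR / push workflow for metro-ai-suite/metro-vision-ai-app-recipe.
# Three independent jobs: a ClamAV virus scan, a ShellCheck lint pass and a
# Trivy config (misconfiguration) scan. Each job uploads its report as an
# artifact; only an infected-file finding from ClamAV fails the workflow.
name: "[metro-vision-ai-app-recipe] PR workflow"
run-name: "[metro-vision-ai-app-recipe] PR workflow (by @${{ github.actor }} via ${{ github.event_name }})"

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - 'main'
    paths:
      - 'metro-ai-suite/metro-vision-ai-app-recipe/**'
  pull_request:
    paths:
      - 'metro-ai-suite/metro-vision-ai-app-recipe/**'
  workflow_call:

# Default-deny for GITHUB_TOKEN: every job requests what it needs explicitly.
permissions: {}

jobs:
  virus-scan:
    name: Run Virus Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read  # actions/checkout
    strategy:
      fail-fast: false
    steps:
      - name: Check out edge-ai-suites repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
          path: edge-ai-suites-repo
      - name: Run Virus Scan
        run: |
          mkdir -p reports
          # NOTE(review): clamav/clamav resolves to the mutable `latest` tag;
          # pin a version tag or digest once one is chosen for this repo.
          docker pull clamav/clamav
          echo "### Virus Scan Results" >> "$GITHUB_STEP_SUMMARY"
          # clamscan exit codes: 0 = clean, 1 = infected file(s) found, 2 = error.
          # Capture the status instead of discarding it: a positive finding must
          # fail the job, while scanner errors stay best-effort (visible in the
          # uploaded report) as before.
          rc=0
          docker run --rm -v "$GITHUB_WORKSPACE":/src clamav/clamav \
            clamscan -r /src/edge-ai-suites-repo/metro-ai-suite/metro-vision-ai-app-recipe/ \
            > ./reports/clamav-report.txt || rc=$?
          echo "Please find full report in clamav-report.txt" >> "$GITHUB_STEP_SUMMARY"
          if [ "$rc" -eq 1 ]; then
            echo "ClamAV reported infected file(s); see clamav-report.txt" >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
      - name: Upload Scan Reports
        if: always()  # publish the report even when the scan step failed
        # NOTE(review): pin to a commit SHA like the checkout step above.
        uses: actions/upload-artifact@v4
        with:
          name: virus-report
          path: reports/
      - name: Clean up
        if: always()
        run: |
          rm -rf edge-ai-suites-repo
          if [ -n "$(docker images -aq)" ]; then
            # word splitting of the image-id list is intended
            docker rmi -f $(docker images -aq) || true
          fi

  shellcheck:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # actions/checkout
    steps:
      - name: Check out edge-ai-suites repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
          path: edge-ai-suites-repo
      - name: Install ShellCheck
        run: sudo apt-get update && sudo apt-get install -y shellcheck
      - name: Run ShellCheck
        run: |
          cd edge-ai-suites-repo/metro-ai-suite/metro-vision-ai-app-recipe/
          echo "Scanning for .sh files and running ShellCheck..."
          # shell_files.txt stays newline-delimited; the NUL-delimited copy fed
          # to xargs keeps paths containing whitespace intact. `|| true` keeps
          # lint findings advisory: the report is the deliverable, not a gate.
          find . -type f -name "*.sh" > shell_files.txt
          tr '\n' '\0' < shell_files.txt | xargs -0 -r shellcheck -f gcc > shellcheck_report.txt || true
          echo "### ShellCheck Results" >> "$GITHUB_STEP_SUMMARY"
          echo "Please find ShellCheck report in shellcheck_report.txt" >> "$GITHUB_STEP_SUMMARY"
          cp shellcheck_report.txt "$GITHUB_WORKSPACE"
      - name: Upload ShellCheck report
        # NOTE(review): pin to a commit SHA like the checkout step above.
        uses: actions/upload-artifact@v4
        with:
          name: shellcheck-report
          path: shellcheck_report.txt

  trivy-config-helm-scan:
    permissions:
      contents: read  # actions/checkout
      # NOTE(review): actions/checkout does not use packages:read; keep it only
      # if a step pulls from GHCR with GITHUB_TOKEN, otherwise drop it.
      packages: read
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Install Trivy from Aqua Security APT repo
        run: |
          sudo apt-get update
          sudo apt-get install -y gnupg lsb-release wget apt-transport-https curl jq
          # The repo key is fetched over TLS and bound to this source via
          # signed-by, so apt verifies every package installed from it.
          curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | \
            sudo tee /etc/apt/sources.list.d/trivy.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y trivy
      - name: Download Trivy Vulnerability DB and Report Format
        # Best-effort: the config scan below uses neither the vulnerability DB
        # nor these templates, so a download failure must not fail the job.
        continue-on-error: true
        shell: bash
        run: |
          pwd
          cd metro-ai-suite/metro-vision-ai-app-recipe/
          trivy --version
          which trivy
          trivy image --download-db-only
          # NOTE(review): html.tpl comes from the unpinned `main` branch and,
          # like csv.tpl below, is not referenced by any later step.
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -o trivy-html.tpl
          cat << 'EOF' > csv.tpl
          {{ range . }}
          Trivy Vulnerability Scan Results ({{- .Target -}})
          VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information
          {{ range .Vulnerabilities }}
          {{- .VulnerabilityID }},
          {{- .Severity }},
          {{- range $key, $value := .CVSS }}
          {{- if (eq $key "nvd") }}
          {{- .V3Score -}}
          {{- end }}
          {{- end }},
          {{- quote .Title }},
          {{- quote .PkgName }},
          {{- quote .InstalledVersion }},
          {{- quote .FixedVersion }},
          {{- .PrimaryURL }}
          {{ else -}}
          No vulnerabilities found at this time.
          {{ end }}
          Trivy Dependency Scan Results ({{ .Target }})
          ID,Name,Version,Notes
          {{ range .Packages -}}
          {{- quote .ID }},
          {{- quote .Name }},
          {{- quote .Version }}
          {{ else -}}
          No dependencies found at this time.
          {{ end }}
          {{ end }}
          EOF
      - name: Trivy config scan for helm charts
        run: |
          cd metro-ai-suite/metro-vision-ai-app-recipe/
          # Findings are reported, not gated: without --exit-code, HIGH/CRITICAL
          # misconfigurations do not fail the job.
          trivy config . --format table -s HIGH,CRITICAL -o trivy-helm.txt
      - name: Upload Scan artifact to Github
        # NOTE(review): pin to a commit SHA like the checkout step above.
        uses: actions/upload-artifact@v4
        with:
          name: Trivy Report - Config scan for Helm
          path: metro-ai-suite/metro-vision-ai-app-recipe/trivy-helm.txt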