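---
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
#
# SDLe security scans for the Smart NVR sample: Trivy (filesystem, image,
# Dockerfile misconfiguration), Bandit, ClamAV, gitleaks, pylint and
# ShellCheck. Each job runs in its own runner and uploads its report as an
# artifact.
#
# Trust boundary: this workflow runs on `pull_request`, so the code it scans,
# builds (`docker build`) and installs (`pip install -r requirements.txt`) comes
# from the PR author. Every job therefore requests only `contents: read`, the
# checkouts do not persist the token, and no repository secrets are referenced.
# Do not add secrets or write permissions to this file.
#
# NOTE(review): the scanners are configured to report, not gate
# (`fail-on-findings: "false"`, `|| true`). The uploaded artifacts are the
# real output, so every upload step runs with `if: always()` so a failing
# scan step still leaves a report behind.
name: "[Smart NVR] SDLe Scans"
run-name: "[Smart NVR] PR workflow (by @${{ github.actor }} via ${{ github.event_name }})"

# Only run at most 1 workflow concurrently per PR, unlimited for branches
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
    paths:
      - 'metro-ai-suite/smart-nvr/**'

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # No `path:` here, so the repository lands at the workspace root; all
      # scan targets below are relative to that root.
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          persist-credentials: false
      - name: Run Trivy Filesystem Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        id: trivy-fs
        with:
          scan_type: "fs"
          scan-scope: "all"
          severity: "HIGH,CRITICAL"
          format: "json"
          scan_target: "metro-ai-suite/smart-nvr/"
          report_suffix: "-CT7"
      # Builds the PR's Dockerfile on the runner. This executes PR-controlled
      # build steps; acceptable only because the job holds no secrets.
      - name: Build Docker images
        run: |
          cd metro-ai-suite/smart-nvr/
          docker build -t nvr-event-router:latest -f docker/Dockerfile .
      - name: Run trivy Scan - nvr-event-router
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        id: nvr-event-router
        with:
          scan_type: "image"
          scan-scope: "all"
          scan_target: "nvr-event-router:latest"
          severity: "HIGH,CRITICAL"
          format: "json"
          report_suffix: "-CT248"
      # Dockerfile misconfiguration scan. The target must match the checkout
      # layout above: the previous `edge-ai-suites-repo/` prefix pointed outside
      # the checked-out tree, so this scan was not looking at the Dockerfile.
      - name: Scan Dockerfile with Trivy
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        with:
          scan_type: "config"
          scan_target: "metro-ai-suite/smart-nvr/docker"
          severity: "HIGH,CRITICAL"
          format: "json"
          misconfig_scanners: "Dockerfile"
          report_suffix: "-CT222"
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: trivy-report
          path: security-results/trivy*

  bandit-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          persist-credentials: false
      - name: Run Bandit Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/bandit@27276444a9bcf247a27369406686b689933bd1ff
        id: bandit
        with:
          scan-scope: "all"
          output-format: "txt"
          fail-on-findings: "false"
          paths: "metro-ai-suite/smart-nvr/"
          report_suffix: "-CT161"
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: bandit-report
          path: bandit-report-*.txt

  clamav-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          persist-credentials: false
      - name: Run ClamAV Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/clamav@27276444a9bcf247a27369406686b689933bd1ff
        id: clamav
        with:
          scan-scope: "all"
          output-format: "txt"
          fail-on-findings: "false"
          paths: "metro-ai-suite/smart-nvr/"
          exclude_dirs: ".git,node_modules,venv,ui/test"
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: clamav-report
          path: security-results/clamav*

  # Secret scanning with gitleaks, using the shared rule set and per-component
  # baseline from the orch-ci repository.
  gitleaks-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          persist-credentials: false
      - name: Install gitleaks
        uses: open-edge-platform/orch-ci/.github/actions/bootstrap@5f1c7f544b235db6ded508b6b4c6a2d3a78a38be
        with:
          bootstrap_tools: "gitleaks"
      # Unix timestamp appended to the artifact name so reruns do not collide.
      - name: Get current timestamp
        id: timestamp
        run: echo "time=$(date +%s)" >> "$GITHUB_OUTPUT"
      - name: Clone CI repo
        uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          repository: open-edge-platform/orch-ci
          path: ci
          persist-credentials: false
      # Findings are reported, not gating: gitleaks exits 1 when leaks are
      # found and the JSON report is still written. Any other non-zero status
      # is a tool or configuration error (e.g. a missing baseline or rule
      # file) and must fail the job instead of being masked by a blanket
      # `|| true`, otherwise a broken scan looks identical to a clean one.
      - name: Scan for secrets
        run: |
          rc=0
          gitleaks dir "metro-ai-suite/smart-nvr/" -v \
            -c ci/.gitleaks.toml \
            --baseline-path ci/gitleaks_baselines/gitleaks-smart-nvr.json \
            -r gitleaks-smart-nvr.json || rc=$?
          if [ "$rc" -ne 0 ] && [ "$rc" -ne 1 ]; then
            echo "gitleaks failed with exit code $rc (tool/config error)" >&2
            exit "$rc"
          fi
          echo "gitleaks finished with exit code $rc (1 = leaks reported, see artifact)"
      - name: Upload Gitleaks Report
        if: always()
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: gitleaks-report-smart-nvr-${{ steps.timestamp.outputs.time }}
          path: gitleaks-smart-nvr.json

  # Python linting with pylint
  pylint-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          persist-credentials: false
      - name: Setup Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: '3.12'
      # Installs the PR's requirements.txt so pylint can resolve imports. This
      # runs PR-controlled package code on the runner; acceptable only because
      # the job holds no secrets. Install failures are tolerated (`|| true`)
      # because missing imports only reduce lint coverage.
      - name: Install dependencies and pylint
        run: |
          pip install pylint
          # Install project dependencies if requirements.txt exists
          if [ -f "metro-ai-suite/smart-nvr/requirements.txt" ]; then
            pip install -r metro-ai-suite/smart-nvr/requirements.txt || true
          fi
      - name: Run pylint
        run: |
          mkdir -p security-results
          echo "=== Pylint Scan Results ===" > security-results/pylint-report-smart-nvr.txt
          echo "Scan Date: $(date)" >> security-results/pylint-report-smart-nvr.txt
          echo "" >> security-results/pylint-report-smart-nvr.txt
          # Create a basic pylint config
          cat > .pylintrc << EOF
          [MESSAGES CONTROL]
          disable=C0111,C0103,R0903,R0913,W0613,W0622,R0801,R0902,R0914,R0915,R0912,C0301,C0302
          [FORMAT]
          max-line-length=120
          [REPORTS]
          output-format=text
          reports=yes
          EOF
          # Find all Python files and lint them; pylint's exit status encodes
          # message categories, so it is deliberately not treated as failure.
          find metro-ai-suite/smart-nvr/ -type f -name "*.py" -exec pylint --rcfile=.pylintrc {} + >> security-results/pylint-report-smart-nvr.txt 2>&1 || true
          echo "Pylint scan completed"
      - name: Upload pylint Report
        if: always()
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: pylint-report
          path: security-results/pylint-report-smart-nvr.txt

  # ShellCheck scanning job
  shellcheck-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          persist-credentials: false
      - name: Setup environment with shellcheck
        uses: open-edge-platform/orch-ci/.github/actions/bootstrap@5f1c7f544b235db6ded508b6b4c6a2d3a78a38be
        with:
          bootstrap_tools: "shellcheck"
      - name: Run ShellCheck
        run: |
          mkdir -p security-results
          echo "=== ShellCheck Scan Results ===" > security-results/shellcheck-report-smart-nvr.txt
          echo "Scan Date: $(date)" >> security-results/shellcheck-report-smart-nvr.txt
          echo "" >> security-results/shellcheck-report-smart-nvr.txt
          # Find all shell scripts and check them (NUL-delimited so paths with
          # spaces survive); per-file failures are recorded, not fatal.
          find metro-ai-suite/smart-nvr/ -type f \( -name "*.sh" -o -name "*.bash" \) -print0 | while IFS= read -r -d '' file; do
            echo "Checking: $file" >> security-results/shellcheck-report-smart-nvr.txt
            shellcheck "$file" >> security-results/shellcheck-report-smart-nvr.txt 2>&1 || true
            echo "---" >> security-results/shellcheck-report-smart-nvr.txt
          done
          echo "ShellCheck scan completed"
      - name: Upload ShellCheck Report
        if: always()
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: shellcheck-report
          path: security-results/shellcheck-report-smart-nvr.txt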