[CI/CD][MetroAI][IBVS]Added PR workflow for IBVS and Trivy for Metro-vision. #683
Merged
19 commits
10b50dc  sowmiar1  ibvs pr job.
f9b8507  sowmiar1  fixed syntax err
1071255  sowmiar1  fixed path issues.
9fd1167  sowmiar1  fix path issues.
e4b43e3  sowmiar1  path issue fix.
ea88c57  sowmiar1  trivy config cmd fix
36b4a24  sowmiar1  fixed DBS scan.
3183070  sowmiar1  added trivy for metro vision.
91683f7  sowmiar1  trivy config for helm.
53a3d4c  sowmiar1  removed test file.
0932f34  sowmiar1  Merge branch 'main' into cicd/metroapps_workflows
2c31377  sowmiar1  Merge branch 'main' into cicd/metroapps_workflows
db8c24e  sowmiar1  Addressed review comments.
085ae31  sowmiar1  added back test file.
f8697da  sowmiar1  trivy filter.
d0fe45b  sowmiar1  added no-cache to build.
ff31450  sowmiar1  Review comments.
1f5ca80  sowmiar1  Merge branch 'main' into cicd/metroapps_workflows
215909f  sowmiar1  Merge branch 'main' into cicd/metroapps_workflows
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,189 @@ | ||
| name: "[image-based-video-search] PR workflow" | ||
| run-name: "[image-based-video-search] PR workflow (by @${{ github.actor }} via ${{ github.event_name }})" | ||
| on: | ||
| push: | ||
| branches: | ||
| - 'main' | ||
| paths: | ||
| - 'metro-ai-suite/image-based-video-search/**' | ||
| pull_request: | ||
| paths: | ||
| - 'metro-ai-suite/image-based-video-search/**' | ||
|
|
||
| workflow_dispatch: | ||
|
|
||
| workflow_call: | ||
| permissions: {} | ||
|
|
||
| jobs: | ||
| Build-DBS-Trivy: | ||
| name: Build IBVS App and run scans DBS, trivy image fs config | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| steps: | ||
| - name: Check out edge-ai-suites repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #4.2.2 | ||
| with: | ||
| persist-credentials: false | ||
| path: edge-ai-suites-repo | ||
| - name: Build | ||
| run: | | ||
| cd edge-ai-suites-repo/metro-ai-suite/image-based-video-search | ||
| docker compose build --pull --no-cache | ||
| docker compose up -d | ||
| docker ps | ||
| - name: Checkout docker/docker-bench-security (master) | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: docker/docker-bench-security | ||
| ref: master | ||
| path: docker-bench-security | ||
| persist-credentials: false | ||
|
|
||
| - name: Build Docker Bench Security | ||
| run: | | ||
| cd docker-bench-security | ||
| docker build --no-cache -t docker-bench-security . | ||
| - name: DBS download and scan for Wind Turbine Sample App | ||
| run: | | ||
| cd docker-bench-security | ||
| docker run --rm --net host --pid host --userns host --cap-add audit_control \ | ||
| -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ | ||
| -v /etc:/etc:ro \ | ||
| -v /usr/bin/containerd:/usr/bin/containerd:ro \ | ||
| -v /usr/bin/runc:/usr/bin/runc:ro \ | ||
| -v /usr/lib/systemd:/usr/lib/systemd:ro \ | ||
| -v /var/lib:/var/lib:ro \ | ||
| -v /var/run/docker.sock:/var/run/docker.sock:ro \ | ||
| --label docker_bench_security \ | ||
| docker-bench-security > dbs_scan_ibvs_app.txt | ||
| - name: Upload DBS Scan artifact to Github | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: DBS_Scan_Results | ||
| path: docker-bench-security/dbs_scan_* | ||
| - name: Install Trivy from Aqua Security APT repo | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y gnupg lsb-release wget apt-transport-https curl jq | ||
| curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg | ||
| echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | \ | ||
| sudo tee /etc/apt/sources.list.d/trivy.list > /dev/null | ||
| sudo apt-get update | ||
| sudo apt-get install -y trivy | ||
| - name: Configure Trivy | ||
| continue-on-error: true | ||
| shell: bash | ||
| run: | | ||
| pwd | ||
| cd edge-ai-suites-repo/metro-ai-suite/image-based-video-search/ | ||
| trivy --version | ||
| which trivy | ||
| trivy image --download-db-only | ||
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -o trivy-html.tpl | ||
| cat << 'EOF' > csv.tpl | ||
| {{ range . }} | ||
| Trivy Vulnerability Scan Results ({{- .Target -}}) | ||
| VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information | ||
| {{ range .Vulnerabilities }} | ||
| {{- .VulnerabilityID }}, | ||
| {{- .Severity }}, | ||
| {{- range $key, $value := .CVSS }} | ||
| {{- if (eq $key "nvd") }} | ||
| {{- .V3Score -}} | ||
| {{- end }} | ||
| {{- end }}, | ||
| {{- quote .Title }}, | ||
| {{- quote .PkgName }}, | ||
| {{- quote .InstalledVersion }}, | ||
| {{- quote .FixedVersion }}, | ||
| {{- .PrimaryURL }} | ||
| {{ else -}} | ||
| No vulnerabilities found at this time. | ||
| {{ end }} | ||
| Trivy Dependency Scan Results ({{ .Target }}) | ||
| ID,Name,Version,Notes | ||
| {{ range .Packages -}} | ||
| {{- quote .ID }}, | ||
| {{- quote .Name }}, | ||
| {{- quote .Version }} | ||
| {{ else -}} | ||
| No dependencies found at this time. | ||
| {{ end }} | ||
| {{ end }} | ||
| EOF | ||
|
|
||
| - name: Trivy Image Scans | ||
| run: | | ||
| cd edge-ai-suites-repo/metro-ai-suite/image-based-video-search | ||
| mkdir -p ${{ github.workspace }}/reports/Trivy | ||
| VERSION=$(grep "feature-matching:" compose.yml | awk -F: '{print $3}'| tr -d '[:space:]') | ||
| trivy image intel/feature-matching:$VERSION -s HIGH,CRITICAL --ignore-unfixed --format template --template "@trivy-html.tpl" -o trivy-image-scan-feature-matching-ignore-unfixed.html | ||
| trivy image intel/feature-matching:$VERSION -s HIGH,CRITICAL --ignore-unfixed --format template --template "@csv.tpl" -o trivy-image-scan-feature-matching-ignore-unfixed.csv | ||
| trivy image --quiet --format spdx-json --output trivy-image-scan-feature-matching.spdx.json intel/feature-matching:$VERSION | ||
| VERSION=$(grep "streaming-pipeline:" compose.yml | awk -F: '{print $3}'| tr -d '[:space:]') | ||
| trivy image intel/streaming-pipeline:$VERSION -s HIGH,CRITICAL --ignore-unfixed --format template --template "@trivy-html.tpl" -o trivy-image-scan-streaming-pipeline-ignore-unfixed.html | ||
| trivy image intel/streaming-pipeline:$VERSION -s HIGH,CRITICAL --ignore-unfixed --format template --template "@csv.tpl" -o trivy-image-scan-streaming-pipeline-ignore-unfixed.csv | ||
| trivy image --quiet --format spdx-json --output trivy-image-scan-streaming-pipeline.spdx.json intel/streaming-pipeline:$VERSION | ||
| VERSION=$(grep "image-based-video-search:" compose.yml | awk -F: '{print $3}'| tr -d '[:space:]') | ||
| trivy image intel/image-based-video-search:$VERSION -s HIGH,CRITICAL --ignore-unfixed --format template --template "@trivy-html.tpl" -o trivy-image-scan-image-based-video-search-ignore-unfixed.html | ||
| trivy image intel/image-based-video-search:$VERSION -s HIGH,CRITICAL --ignore-unfixed --format template --template "@csv.tpl" -o trivy-image-scan-image-based-video-search-ignore-unfixed.csv | ||
| trivy image --quiet --format spdx-json --output trivy-image-scan-image-based-video-search.spdx.json intel/image-based-video-search:$VERSION | ||
|
|
||
| mv trivy-image* ${{ github.workspace }}/reports/Trivy | ||
|
|
||
| - name: Trivy Config Scan | ||
| run: | | ||
| cd edge-ai-suites-repo/metro-ai-suite/image-based-video-search | ||
| trivy config . -s HIGH,CRITICAL -o trivy-config.txt | ||
| mv trivy-config.txt ${{ github.workspace }}/reports/Trivy | ||
| - name: Trivy FS Scan | ||
| run: | | ||
| cd edge-ai-suites-repo/metro-ai-suite/image-based-video-search | ||
| trivy fs . --format template --template "@trivy-html.tpl" -o "trivy-fs-full-report-code-scan.html" | ||
| trivy fs --list-all-pkgs --format template --template "@csv.tpl" --output trivy-fs-full-report.csv . | ||
| trivy fs -s HIGH,CRITICAL --ignore-unfixed . | tee trivy-fs-full-report-ignore-unfixed.txt | ||
| mv trivy-fs* ${{ github.workspace }}/reports/Trivy | ||
| - name: Upload Trivy Scan Reports | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: Trivy-report | ||
| path: reports/Trivy/ | ||
| virus-bandit-scan: | ||
| name: Run Bandit Virus Scans | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| steps: | ||
| - name: Check out edge-ai-suites repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #4.2.2 | ||
| with: | ||
| persist-credentials: false | ||
| path: edge-ai-suites-repo | ||
|
|
||
| - name: Run Virus Scan | ||
| run: | | ||
| mkdir -p reports | ||
| docker pull clamav/clamav | ||
| echo "### Virus Scan Results" >> $GITHUB_STEP_SUMMARY | ||
| docker run --rm -v "${{ github.workspace }}:/src" clamav/clamav clamscan -r /src/edge-ai-suites-repo/metro-ai-suite/image-based-video-search/ > ./reports/clamav-report.txt || true | ||
| echo "Please find full report in clamav-report.txt" >> $GITHUB_STEP_SUMMARY | ||
| - name: Run Bandit Scan | ||
| run: | | ||
| mkdir -p reports | ||
| docker pull ghcr.io/pycqa/bandit/bandit | ||
| echo "### Bandit Scan Results" >> $GITHUB_STEP_SUMMARY | ||
| docker run --rm -v "${{ github.workspace }}:/src" ghcr.io/pycqa/bandit/bandit -r /src/edge-ai-suites-repo/metro-ai-suite/image-based-video-search/ -f txt -o /src/reports/bandit-report.txt || true >> $GITHUB_STEP_SUMMARY | ||
| echo "Please find full report in bandit-report.txt" >> $GITHUB_STEP_SUMMARY | ||
| - name: Upload Scan Reports | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: virus-bandit-report | ||
| path: reports/ | ||
| - name: Clean up | ||
| if: always() | ||
| run: | | ||
| if [ -n "$(docker images -aq)" ]; then | ||
| docker rmi -f $(docker images -aq) || true | ||
| fi | ||
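Review bot: as written, no scan in this workflow can fail the PR. The `Run Virus Scan` and `Run Bandit Scan` steps both end their `docker run` with `|| true`, `Configure Trivy` sets `continue-on-error: true`, and none of the `trivy image`, `trivy config` or `trivy fs` invocations pass `--exit-code 1`, so HIGH/CRITICAL findings only land in the uploaded artifacts while the PR shows green checks; decide which scans are gating and drop the `|| true` / add `--exit-code 1` for those. In the Bandit step the redirect is also misplaced: `... -o /src/reports/bandit-report.txt || true >> $GITHUB_STEP_SUMMARY` sends the output of `true` to the step summary, not Bandit's (which already goes to the `-o` file), so either drop the redirect or echo a short summary of the report file instead. Action pinning is inconsistent: the first checkout is pinned to a SHA (`actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #4.2.2`), but the docker-bench-security checkout uses `actions/checkout@v4` and all three `actions/upload-artifact@v4` uses float on a tag; pin those to SHAs as well, and consider pinning the Trivy version instead of `sudo apt-get install -y trivy` so two runs of the same PR scan with the same tool. Smaller points: the DBS step is named "DBS download and scan for Wind Turbine Sample App" but scans the IBVS app; `$DOCKER_CONTENT_TRUST` is never defined in this workflow, so `-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST` passes an empty value; and the `VERSION=$(grep "feature-matching:" compose.yml | awk -F: '{print $3}' | tr -d '[:space:]')` extraction (repeated for the other two images) silently yields an empty or concatenated string if the grep matches zero or more than one line, at which point `trivy image intel/feature-matching:$VERSION` scans the wrong thing or nothing, so add a `[ -n "$VERSION" ] || exit 1` guard (or `set -euo pipefail` at the top of the step) after each extraction.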