Merge pull request #53 from trustyai-explainability/main

[pull] main from trustyai-explainability:main

Author: ruivieira

.github/actions/test-setup/action.yaml

@@ -0,0 +1,95 @@
+name: 'Test Setup'
+description: 'Common setup for detector test workflows'
+
+inputs:
+  component_name:
+    description: 'Name of the component being tested (for caching)'
+    required: true
+  requirements_files:
+    description: 'Space-separated list of requirements files to install'
+    required: true
+  precommit_paths:
+    description: 'Space-separated list of paths to check with pre-commit'
+    required: false
+    default: ''
+  python_version:
+    description: 'Python version to use'
+    required: false
+    default: '3.11'
+  needs_system_deps:
+    description: 'Whether to install system dependencies (build-essential, wget)'
+    required: false
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Set up Python ${{ inputs.python_version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python_version }}
+
+    - name: Generate cache key
+      id: cache-key
+      shell: bash
+      run: |
+        # Create a hash of all requirements files for cache key
+        CACHE_KEY="${{ runner.os }}-pip-${{ inputs.component_name }}-"
+        for file in ${{ inputs.requirements_files }}; do
+          if [ -f "$file" ]; then
+            CACHE_KEY="${CACHE_KEY}$(sha256sum $file | cut -d' ' -f1)-"
+          fi
+        done
+        echo "cache_key=${CACHE_KEY%%-}" >> $GITHUB_OUTPUT
+        echo "cache_restore_keys=${{ runner.os }}-pip-${{ inputs.component_name }}-" >> $GITHUB_OUTPUT
+
+    - name: Cache pip dependencies
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/pip
+        key: ${{ steps.cache-key.outputs.cache_key }}
+        restore-keys: |
+          ${{ steps.cache-key.outputs.cache_restore_keys }}
+          ${{ runner.os }}-pip-
+
+    - name: Install system dependencies
+      if: inputs.needs_system_deps == 'true'
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends \
+          build-essential \
+          wget
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        python -m pip install --upgrade pip
+        # Install test dependencies
+        pip install pytest-cov
+        # Install component-specific requirements
+        for file in ${{ inputs.requirements_files }}; do
+          if [ -f "$file" ]; then
+            echo "Installing requirements from $file"
+            pip install -r "$file"
+          else
+            echo "Warning: Requirements file $file not found"
+          fi
+        done
+
+    - name: Set Python path
+      shell: bash
+      run: |
+        echo "PYTHONPATH=$GITHUB_WORKSPACE/detectors/huggingface:$GITHUB_WORKSPACE/detectors/llm_judge:$GITHUB_WORKSPACE/detectors:$GITHUB_WORKSPACE" >> $GITHUB_ENV
+
+    - name: Lint with pre-commit (if available)
+      if: inputs.precommit_paths != ''
+      shell: bash
+      run: |
+        if [ -f .pre-commit-config.yaml ]; then
+          # Run pre-commit on specified paths
+          find ${{ inputs.precommit_paths }} -name '*.py' 2>/dev/null | xargs -r pre-commit run --files
+        else
+          echo "No pre-commit config found, skipping linting"
+        fi
+      continue-on-error: true

.github/workflows/build-and-push.yaml

@@ -1,25 +1,46 @@
 name: Build and Push - Detectors
 on:
+  # Trigger on successful test completion
+  workflow_run:
+    workflows:
+      - "Tier 1 - Built-in detectors unit tests"
+      - "Tier 1 - Hugging Face Runtime unit tests"
+      - "Tier 1 - LLM Judge unit tests"
+    types:
+      - completed
+
+  # Direct triggers (tests will run in parallel)
   push:
     branches:
       - main
+      - incubation
+      - stable
     tags:
       - v*
     paths:
       - 'detectors/*'
       - '.github/workflows/*'
-  pull_request_target:
+  pull_request:
     paths:
       - 'detectors/*'
     types: [labeled, opened, synchronize, reopened]
 jobs:
   # Ensure that tests pass before publishing a new image.
   build-and-push-ci:
+    # Only run if:
+    # 1. Running in the trustyai-explainability/guardrails-detectors repository, AND
+    # 2. Tests completed successfully on target branches (from workflow_run trigger), OR
+    # 3. Direct push/PR trigger (tests will run in parallel)
+    if: |
+      github.repository == 'trustyai-explainability/guardrails-detectors' &&
+      ((github.event_name == 'workflow_run' &&
+        github.event.workflow_run.conclusion == 'success' &&
+        contains(fromJSON('["main", "incubation", "stable"]'), github.event.workflow_run.head_branch)) ||
+       (github.event_name != 'workflow_run'))
     runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: write
-      security-events: write
     env:
       PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
       GITHUB_REF_NAME: ${{ github.ref_name }}
@@ -44,12 +65,15 @@ jobs:
           mode: minimum
           count: 1
           labels: "ok-to-test, lgtm, approved"
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         if: env.BUILD_CONTEXT == 'ci'
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/checkout@v3
+          persist-credentials: false
+      - uses: actions/checkout@v4
         if: env.BUILD_CONTEXT == 'main' ||  env.BUILD_CONTEXT == 'tag'
+        with:
+          persist-credentials: false
       #
       # Print variables for debugging
       - name: Log reference variables
@@ -129,51 +153,3 @@ jobs:
             📦 [Huggingface PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA`
             📦 [Built-in PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA`
             📦 [LLM Judge PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA`
-      - name: Trivy scan
-        uses: aquasecurity/trivy-action@0.28.0
-        with:
-          scan-type: 'image'
-          image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}"
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'MEDIUM,HIGH,CRITICAL'
-          exit-code: '0'
-          ignore-unfixed: false
-          vuln-type: 'os,library'
-      - name: Trivy scan, built-in image
-        uses: aquasecurity/trivy-action@0.28.0
-        with:
-          scan-type: 'image'
-          image-ref: "${{ env.BUILTIN_IMAGE_NAME }}:${{ env.TAG }}"
-          format: 'sarif'
-          output: 'trivy-results-built-in.sarif'
-          severity: 'MEDIUM,HIGH,CRITICAL'
-          exit-code: '0'
-          ignore-unfixed: false
-          vuln-type: 'os,library'
-      - name: Trivy scan, LLM Judge image
-        uses: aquasecurity/trivy-action@0.28.0
-        with:
-          scan-type: 'image'
-          image-ref: "${{ env.LLM_JUDGE_IMAGE_NAME }}:${{ env.TAG }}"
-          format: 'sarif'
-          output: 'trivy-results-llm-judge.sarif'
-          severity: 'MEDIUM,HIGH,CRITICAL'
-          exit-code: '0'
-          ignore-unfixed: false
-          vuln-type: 'os,library'
-      - name: Update Security tab - Huggingface
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'
-          category: huggingface
-      - name: Update Security tab - Built-in
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results-built-in.sarif'
-          category: built-in
-      - name: Update Security tab - LLM Judge
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results-llm-judge.sarif'
-          category: llm-judge

.github/workflows/security-scan.yaml

@@ -0,0 +1,159 @@
+name: Tier 1 - Security scan
+
+on:
+  push:
+    branches: [ main, incubation, stable ]
+    paths:
+      - 'detectors/**'
+      - 'requirements*.txt'
+      - '*.py'
+      - '.github/workflows/security-scan.yaml'
+
+  pull_request:
+    branches: [ main, incubation, stable ]
+    paths:
+      - 'detectors/**'
+      - 'requirements*.txt'
+      - '*.py'
+      - '.github/workflows/security-scan.yaml'
+
+  # Manual trigger for security scans
+  workflow_dispatch:
+
+  # Scheduled security scans
+  schedule:
+    - cron: '0 2 * * 1'  # Weekly on Mondays at 2 AM UTC
+
+jobs:
+  filesystem-security-scan:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    strategy:
+      matrix:
+        component:
+          - name: "builtin-detectors"
+            path: "detectors/built_in"
+          - name: "huggingface-runtime"
+            path: "detectors/huggingface"
+          - name: "llm-judge"
+            path: "detectors/llm_judge"
+          - name: "common"
+            path: "detectors/common"
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Log scan parameters
+      run: |
+        echo "Scanning filesystem path: ${{ matrix.component.path }}"
+        echo "Component: ${{ matrix.component.name }}"
+
+    - name: Run Trivy vulnerability scanner (filesystem)
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        scan-type: 'fs'
+        scan-ref: '${{ matrix.component.path }}'
+        format: 'sarif'
+        output: 'trivy-results-${{ matrix.component.name }}.sarif'
+        severity: 'MEDIUM,HIGH,CRITICAL'
+        exit-code: '0'
+        scanners: 'vuln,secret'
+
+    - name: Run Trivy configuration scanner
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        scan-type: 'config'
+        scan-ref: '${{ matrix.component.path }}'
+        hide-progress: false
+        format: 'sarif'
+        output: 'trivy-config-${{ matrix.component.name }}.sarif'
+        exit-code: '0'
+      continue-on-error: true
+
+    - name: Upload vulnerability scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results-${{ matrix.component.name }}.sarif'
+        category: '${{ matrix.component.name }}-vulnerabilities'
+
+    - name: Upload configuration scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: hashFiles(format('trivy-config-{0}.sarif', matrix.component.name)) != ''
+      with:
+        sarif_file: 'trivy-config-${{ matrix.component.name }}.sarif'
+        category: '${{ matrix.component.name }}-config'
+
+    - name: Generate human-readable vulnerability report
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        scan-type: 'fs'
+        scan-ref: '${{ matrix.component.path }}'
+        format: 'table'
+        output: 'trivy-report-${{ matrix.component.name }}.txt'
+        severity: 'HIGH,CRITICAL'
+        exit-code: '0'
+        scanners: 'vuln,secret'
+
+    - name: Upload scan artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: security-scan-${{ matrix.component.name }}
+        path: |
+          trivy-results-${{ matrix.component.name }}.sarif
+          trivy-config-${{ matrix.component.name }}.sarif
+          trivy-report-${{ matrix.component.name }}.txt
+        retention-days: 30
+
+  # Scan the entire repository root for additional security issues
+  repository-security-scan:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Run Trivy repository scan
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'sarif'
+        output: 'trivy-repository-results.sarif'
+        severity: 'HIGH,CRITICAL'
+        exit-code: '0'
+        scanners: 'vuln,secret'
+
+    - name: Upload repository scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-repository-results.sarif'
+        category: 'repository-wide-security'
+
+    - name: Generate repository security report
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'table'
+        output: 'trivy-repository-report.txt'
+        severity: 'HIGH,CRITICAL'
+        exit-code: '0'
+        scanners: 'vuln,secret'
+
+    - name: Upload repository scan artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: security-scan-repository
+        path: |
+          trivy-repository-results.sarif
+          trivy-repository-report.txt
+        retention-days: 30