edge-ai-libraries/.github/workflows/video-chunking-utils-scan.yml at 650f86416f1ce6f6a123124bbf06626a307316b8 · suryam789/edge-ai-libraries · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: "[Video Chunking Utils] SDLe Scans - Scan Bandit Virus"
run-name: "[Video Chunking Utils] SDLe Scans - Scan Bandit Virus"


# Only run at most 1 workflow concurrently per PR, unlimited for branches
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

on:
  workflow_call:
  workflow_dispatch:
  schedule:
    - cron: "0 2 * * 0"  # 2 a.m. on Sunday

jobs:
  trivy-scan:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
        with:
          persist-credentials: false

      - name: Run Trivy Filesystem Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
        id: trivy-fs
        with:
          scan_type: "fs"
          scan-scope: "all"
          severity: "HIGH,CRITICAL"
          format: "json"
          scan_target: "libraries/video-chunking-utils/"
          report_suffix: "-fs-video-chunking-utils-CT7"

      - name: Upload Report
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: trivy-report-video-chunking-utils
          path: security-results/trivy*

  bandit-scan:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709

      - name: Run Bandit Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/bandit@27276444a9bcf247a27369406686b689933bd1ff
        id: bandit
        with:
          scan-scope: "all"
          output-format: "txt"
          fail-on-findings: "false"
          paths: "libraries/video-chunking-utils"
          report_suffix: "-bandit-video-chunking-utils-CT161"

      - name: Upload Report
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: bandit-report-video-chunking-utils
          path: bandit-report-*.txt


  clamav-scan:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709

      - name: Run ClamAV Scan
        uses: open-edge-platform/orch-ci/.github/actions/security/clamav@27276444a9bcf247a27369406686b689933bd1ff
        id: clamav
        with:
          scan-scope: "all"
          output-format: "txt"
          fail-on-findings: "false"
          paths: "libraries/video-chunking-utils"
          exclude_dirs: ".git,tests,.pytest_cache,__pycache__,.venv"

      - name: Upload Report
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
          name: clamav-report-video-chunking-utils
          path: security-results/clamav*


  coverity-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Check out edge-ai-libraries repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #4.2.2
        with:
          persist-credentials: false

      - name: Build with Coverity Analysis
        run: |
          wget --quiet https://scan.coverity.com/download/linux64 \
            --post-data "token=${{ secrets.VCU_COVERITY_TOKEN }}&project=${{ secrets.VCU_COVERITY_PROJECT }}" \
            -O coverity_tool.tgz
          mkdir -p cov-analysis
          tar xzf coverity_tool.tgz --strip-components=1 -C cov-analysis
          COV_PATH="$(pwd)/cov-analysis/bin"
          export PATH="$COV_PATH:$PATH"
          cd libraries/video-chunking-utils
          coverity capture --dir cov-int --project-dir ./

      - name: Create tarball for upload
        run: |
          cd libraries/video-chunking-utils
          tar -czvf coverity_output.tgz -C . cov-int
          # Verify tarball contents
          echo "=== Tarball Contents ==="
          tar tzvf coverity_output.tgz
          echo "=== head ==="
          tar -tzvf coverity_output.tgz | head

      - name: Upload to Coverity Scan
        run: |
          cd libraries/video-chunking-utils
          curl --form token=${{ secrets.VCU_COVERITY_TOKEN }} \
               --form email=${{ secrets.VCU_COVERITY_EMAIL }} \
               --form file=@coverity_output.tgz \
               --form version="`date +%Y%m%d%H%M%S`" \
               --form description="GitHub Action upload" \
               https://scan.coverity.com/builds?project=${{ secrets.VCU_COVERITY_PROJECT }}