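# CI workflow for manufacturing-ai-suite/industrial-edge-insights-vision.
# Jobs: ClamAV virus scan, ShellCheck, Trivy config scan of the Helm chart,
# and a call into the shared sanity workflow. Scan findings are non-blocking;
# reports are uploaded as artifacts and summarised in the step summary.
name: "[industrial-edge-insights-vision] PR workflow"
run-name: "[industrial-edge-insights-vision] PR workflow (by @${{ github.actor }} via ${{ github.event_name }})"

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - 'main'
    paths:
      - 'manufacturing-ai-suite/industrial-edge-insights-vision/**'
  pull_request:
    paths:
      - 'manufacturing-ai-suite/industrial-edge-insights-vision/**'
  workflow_dispatch:
  workflow_call:

# No default token permissions; each job requests only what it needs.
permissions: {}

jobs:
  virus-scan:
    name: Run Virus Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read  # actions/checkout
    steps:
      - name: Check out edge-ai-suites repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          path: edge-ai-suites-repo
      - name: Run Virus Scan
        run: |
          mkdir -p reports
          # NOTE(review): the image tag is unpinned (latest); pin a tag or digest
          # if scan results need to be reproducible.
          docker pull clamav/clamav
          echo "### Virus Scan Results" >> "$GITHUB_STEP_SUMMARY"
          # Mount only the checkout, read-only. The path inside the container
          # must match the checkout `path` above (edge-ai-suites-repo); the
          # previous /src/edge-ai-suites/... path did not exist, so clamscan
          # exited 2 and nothing was scanned.
          rc=0
          docker run --rm -v "${{ github.workspace }}/edge-ai-suites-repo:/src:ro" clamav/clamav \
            clamscan -r /src/manufacturing-ai-suite/industrial-edge-insights-vision/ > ./reports/clamav-report.txt || rc=$?
          # clamscan exit codes: 0 clean, 1 infected file(s) found, 2 scanner error.
          # Findings stay non-blocking (the report is uploaded below); a scanner
          # error fails the job so a scan that never ran is not reported as a pass.
          if [ "$rc" -eq 2 ]; then
            echo "clamscan did not run successfully (exit 2); see clamav-report.txt" >> "$GITHUB_STEP_SUMMARY"
            exit 2
          fi
          echo "Please find full report in clamav-report.txt" >> "$GITHUB_STEP_SUMMARY"
      - name: Upload Scan Reports
        if: always()  # upload the report even when the scan step fails
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: virus-report
          path: reports/

  shellcheck:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # actions/checkout
    steps:
      - name: Check out edge-ai-suites repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          path: edge-ai-suites-repo
      - name: Install ShellCheck
        run: sudo apt-get update && sudo apt-get install -y shellcheck
      - name: Run ShellCheck
        run: |
          cd edge-ai-suites-repo/manufacturing-ai-suite/industrial-edge-insights-vision/
          echo "Scanning for .sh files and running ShellCheck..."
          # Non-blocking: shellcheck's non-zero exit on findings is ignored and
          # the report is uploaded as an artifact.
          find . -type f -name "*.sh" | tee shell_files.txt | xargs -r shellcheck -f gcc > shellcheck_report.txt || true
          echo "### ShellCheck Results" >> "$GITHUB_STEP_SUMMARY"
          echo "Please find ShellCheck report in shellcheck_report.txt" >> "$GITHUB_STEP_SUMMARY"
          cp shellcheck_report.txt "${{ github.workspace }}"
      - name: Upload ShellCheck report
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: shellcheck-report
          path: shellcheck_report.txt

  trivy-config-helm-scan:
    permissions:
      # actions/checkout needs contents:read only; nothing in this job reads
      # packages, so the earlier packages:read grant was dropped.
      contents: read
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
      - name: Install Trivy from Aqua Security APT repo
        run: |
          sudo apt-get update
          sudo apt-get install -y gnupg lsb-release wget apt-transport-https curl jq
          # The repo signing key is fetched over HTTPS and trusted as-is, and the
          # trivy package version is not pinned: each run installs whatever the
          # repo currently serves.
          curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | \
            sudo tee /etc/apt/sources.list.d/trivy.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y trivy
      - name: Download Trivy Vulnerability DB and Report Format
        # NOTE(review): no later step in this workflow uses the vulnerability DB,
        # trivy-html.tpl or csv.tpl (the only scan below is `trivy config`).
        # Kept as-is in case the called sanity workflow relies on it — confirm or drop.
        continue-on-error: true
        shell: bash
        run: |
          pwd
          cd manufacturing-ai-suite/industrial-edge-insights-vision/
          trivy --version
          which trivy
          trivy image --download-db-only
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -o trivy-html.tpl
          cat << 'EOF' > csv.tpl
          {{ range . }}
          Trivy Vulnerability Scan Results ({{- .Target -}})
          VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information
          {{ range .Vulnerabilities }}
          {{- .VulnerabilityID }},
          {{- .Severity }},
          {{- range $key, $value := .CVSS }}
          {{- if (eq $key "nvd") }}
          {{- .V3Score -}}
          {{- end }}
          {{- end }},
          {{- quote .Title }},
          {{- quote .PkgName }},
          {{- quote .InstalledVersion }},
          {{- quote .FixedVersion }},
          {{- .PrimaryURL }}
          {{ else -}}
          No vulnerabilities found at this time.
          {{ end }}
          Trivy Dependency Scan Results ({{ .Target }})
          ID,Name,Version,Notes
          {{ range .Packages -}}
          {{- quote .ID }},
          {{- quote .Name }},
          {{- quote .Version }}
          {{ else -}}
          No dependencies found at this time.
          {{ end }}
          {{ end }}
          EOF
      - name: Trivy config scan for helm charts
        run: |
          cd manufacturing-ai-suite/industrial-edge-insights-vision/helm
          # Fill the credential keys with placeholder values before scanning.
          # The earlier pattern `username:*` matched "username" plus zero or
          # more colons — not the value — so the placeholder was appended after
          # the existing value instead of replacing it. `.*` replaces the rest
          # of the line.
          # NOTE(review): the scan runs on this modified values.yaml, so any
          # finding about these two keys reflects the placeholder, not the
          # committed chart.
          sed -i 's/username:.*/username: user/' values.yaml
          sed -i 's/password:.*/password: password/' values.yaml
          trivy config . > trivy-Spineapp-helm.txt
      - name: Upload Scan artifact to Github
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: Trivy Report - Config scan for Helm
          path: manufacturing-ai-suite/industrial-edge-insights-vision/helm/trivy-Spineapp-helm.txt

  sanity:
    uses: ./.github/workflows/spineapp_sanity.yaml
    with:
      # github.head_ref is only populated for pull_request events; fall back to
      # the pushed/dispatched ref so push, workflow_dispatch and workflow_call
      # runs do not pass an empty branch.
      branch: ${{ github.head_ref || github.ref_name }}
    # The called workflow receives every repository secret and package write
    # access. NOTE(review): `branch` is a PR-author-controlled value; the
    # called workflow should consume it only through inputs/env, never inline
    # in a `run:` script — verify in spineapp_sanity.yaml.
    secrets: inherit
    permissions:
      contents: read
      packages: write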