SDLE code scanning done using Self hosted runner #15
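name: SDLE Scans

on:
  workflow_dispatch:
    inputs:
      # NOTE(review): PR_number is not referenced by any job in this file;
      # it is kept so existing manual dispatches keep working.
      PR_number:
        description: 'Pull request number'
        required: true
  push:
    branches: [main]
  # Every job below runs on `self-hosted`, and a pull_request run executes
  # the workflow as defined in the PR's merge commit. Anyone whose PR gets a
  # run can therefore change what is executed on that machine; keep the
  # runner dedicated to this repository (ideally ephemeral) and keep the
  # fork-PR approval requirement in place if forks are accepted.
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

# Least-privilege default for the GITHUB_TOKEN of every job. The jobs only
# check out code and upload artifacts, neither of which needs a write scope;
# a job may widen this with its own `permissions:` block.
permissions:
  contents: read

# One run per PR (per ref for pushes); a newer event cancels the older run.
concurrency:
  group: sdle-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs: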
| # ----------------------------- | |
| # 1) Trivy Scan (fixed) | |
| # ----------------------------- | |
| trivy_scan: | |
| name: Trivy Vulnerability Scan | |
| runs-on: self-hosted | |
| env: | |
| TRIVY_REPORT_FORMAT: table | |
| TRIVY_SCAN_TYPE: fs | |
| TRIVY_SCAN_PATH: . | |
| TRIVY_EXIT_CODE: '1' | |
| TRIVY_VULN_TYPE: os,library | |
| TRIVY_SEVERITY: CRITICAL,HIGH | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Create report directory | |
| run: mkdir -p trivy-reports | |
| - name: Run Trivy FS Scan | |
| uses: aquasecurity/trivy-action@0.24.0 | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| scan-scope: "all" | |
| scanners: 'vuln,misconfig,secret,license' | |
| ignore-unfixed: true | |
| format: 'table' | |
| exit-code: '1' | |
| output: 'trivy-reports/trivy_scan_report.txt' | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Run trivy Scan - vllm-cpu | |
| uses: aquasecurity/trivy-action@0.24.0 | |
| id: vllm-cpu-html | |
| with: | |
| scan-type: "image" | |
| image-ref: "public.ecr.aws/q9t5s3a7/vllm-cpu-release-repo:v0.10.2" | |
| severity: "HIGH,CRITICAL" | |
| scanners: 'vuln,misconfig,secret,license' | |
| format: "table" | |
| output: "trivy-reports/trivy-vllm-cpu.txt" | |
| - name: Run trivy Scan - vllm-gaudi | |
| uses: aquasecurity/trivy-action@0.24.0 | |
| id: vllm-gaudi-html | |
| with: | |
| scan-type: "image" | |
| image-ref: "opea/vllm-gaudi:1.22.0" | |
| severity: "HIGH,CRITICAL" | |
| format: "table" | |
| scanners: 'vuln,misconfig,secret,license' | |
| output: "trivy-reports/trivy-vllm-gaudi.txt" | |
| - name: Upload Trivy Report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: trivy-report | |
| path: trivy-reports/trivy_scan_report.txt | |
| - name: Show Trivy Report in Logs | |
| if: failure() | |
| run: | | |
| echo "========= TRIVY FINDINGS =========" | |
| cat trivy-reports/trivy_scan_report.txt | |
| echo "=================================" | |
| # ----------------------------- | |
| # 2) Bandit Scan | |
| # ----------------------------- | |
| bandit_scan: | |
| name: Bandit security scan | |
| runs-on: self-hosted | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: 'recursive' | |
| fetch-depth: 0 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.x" | |
| - name: Install Bandit | |
| run: pip install bandit | |
| - name: Create Bandit configuration | |
| run: | | |
| cat > .bandit << 'EOF' | |
| [bandit] | |
| exclude_dirs = tests,test,venv,.venv,node_modules | |
| skips = B101 | |
| EOF | |
| shell: bash | |
| - name: Run Bandit scan | |
| run: | | |
| bandit -r . -ll -iii -f screen | |
| bandit -r . -ll -iii -f html -o bandit-report.html | |
| - name: Upload Bandit Report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: bandit-report | |
| path: bandit-report.html | |
| retention-days: 30 | |
| # ----------------------------- | |
| # 2) Clamav Scan | |
| # ----------------------------- | |
| clamav-scan: | |
| runs-on: self-hosted | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Create report directory | |
| run: mkdir -p clamav-reports | |
| - name: Run ClamAV Scan using Docker | |
| id: clamav | |
| continue-on-error: true | |
| run: | | |
| # Pull ClamAV Docker image | |
| docker pull clamav/clamav:latest | |
| # Run ClamAV scan in container | |
| docker run --rm \ | |
| -v ${{ github.workspace }}:/scan:ro \ | |
| -v ${{ github.workspace }}/clamav-reports:/reports \ | |
| clamav/clamav:latest \ | |
| clamscan -r \ | |
| --exclude-dir=".git" \ | |
| --exclude-dir="tests" \ | |
| --exclude-dir=".pytest_cache" \ | |
| --exclude-dir="__pycache__" \ | |
| --exclude-dir=".venv" \ | |
| --exclude-dir="node_modules" \ | |
| /scan | tee /reports/clamav_scan_report.txt || true | |
| # Alternatively, if Docker pull fails, skip ClamAV scan | |
| if [ $? -ne 0 ]; then | |
| echo "ClamAV scan skipped due to installation/network issues" > clamav-reports/clamav_scan_report.txt | |
| echo "Status: Skipped" >> clamav-reports/clamav_scan_report.txt | |
| echo "Reason: Unable to install or run ClamAV on this runner" >> clamav-reports/clamav_scan_report.txt | |
| fi | |
| - name: Upload Report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: clamav-report | |
| path: clamav-reports/clamav_scan_report.txt |