Enterprise-Inference/.github/workflows/code-scans.yaml at b6e700a4e3095fe3a7167ee1751a136119270dc8 · opea-project/Enterprise-Inference · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: SDLE Scans

on:
  workflow_dispatch:
    inputs:
      PR_number:
        description: 'Pull request number'
        required: true
  push:
    branches: [ main ]
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

concurrency:
  group: sdle-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:

# -----------------------------
# 1) Trivy Scan
# -----------------------------
  trivy_scan:
    name: Trivy Vulnerability Scan
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4

      - name: Create report directory
        run: mkdir -p trivy-reports

      - name: Install Trivy
        run: |
          # Check if trivy is already installed
          if ! command -v trivy &> /dev/null; then
            wget -qO- https://github.com/aquasecurity/trivy/releases/download/v0.55.0/trivy_0.55.0_Linux-64bit.tar.gz | tar -xzv -C /tmp
            sudo mv /tmp/trivy /usr/local/bin/
          fi
          trivy --version

      - name: Run Trivy FS Scan
        continue-on-error: true
        run: |
          trivy fs . \
            --scanners vuln,misconfig,secret \
            --severity CRITICAL,HIGH \
            --format table \
            --output trivy-reports/trivy_scan_report.txt

      - name: Run Trivy Image Scan - vllm-cpu
        continue-on-error: true
        run: |
          trivy image \
            --severity HIGH,CRITICAL \
            --format table \
            --output trivy-reports/trivy-vllm-cpu.txt \
            public.ecr.aws/q9t5s3a7/vllm-cpu-release-repo:v0.10.2 || \
          echo "Image scan skipped - image not available locally" > trivy-reports/trivy-vllm-cpu.txt

      - name: Upload Trivy Reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: trivy-reports
          path: trivy-reports/

      - name: Show Trivy FS Report in Logs
        if: always()
        run: |
          echo "========= TRIVY FS SCAN FINDINGS ========="
          cat trivy-reports/trivy_scan_report.txt || echo "No FS scan report found"
          echo "=========================================="

# -----------------------------
# 2) Bandit Scan
# -----------------------------
  bandit_scan:
    name: Bandit security scan
    runs-on: self-hosted
    steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        submodules: 'recursive'
        fetch-depth: 0
    - uses: actions/setup-python@v5
      with:
        python-version: "3.x"
    - name: Install Bandit
      run: pip install bandit
    - name: Create Bandit configuration
      run: |
        cat > .bandit << 'EOF'
        [bandit]
        exclude_dirs = tests,test,venv,.venv,node_modules
        skips = B101
        EOF
      shell: bash
    - name: Run Bandit scan
      run: |
        bandit -r . -ll -iii -f screen
        bandit -r . -ll -iii -f html -o bandit-report.html
    - name: Upload Bandit Report
      uses: actions/upload-artifact@v4
      with:
        name: bandit-report
        path: bandit-report.html
        retention-days: 30
# -----------------------------
# 3) ShellCheck Scan
# -----------------------------
  shellcheck_scan:
    name: ShellCheck script analysis
    runs-on: self-hosted
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Create report directory
        run: mkdir -p shellcheck-reports

      - name: Install ShellCheck
        run: |
          # Check if shellcheck is already installed
          if ! command -v shellcheck &> /dev/null; then
            wget -qO- "https://github.com/koalaman/shellcheck/releases/download/stable/shellcheck-stable.linux.x86_64.tar.xz" | tar -xJv
            sudo cp shellcheck-stable/shellcheck /usr/local/bin/
            rm -rf shellcheck-stable
          fi
          shellcheck --version

      - name: Find shell scripts
        id: find_scripts
        run: |
          SCRIPT_COUNT=$(find . -type f -name "*.sh" ! -path "./.git/*" | wc -l)
          echo "Shell scripts found: $SCRIPT_COUNT"
          echo "script_count=$SCRIPT_COUNT" >> $GITHUB_OUTPUT

      - name: Run ShellCheck
        if: steps.find_scripts.outputs.script_count > 0
        continue-on-error: true
        run: |
          echo "ShellCheck Analysis Report" > shellcheck-reports/shellcheck-report.txt
          echo "==========================" >> shellcheck-reports/shellcheck-report.txt
          echo "" >> shellcheck-reports/shellcheck-report.txt

          find . -type f -name "*.sh" ! -path "./.git/*" | while read -r script; do
            echo "Checking: $script" >> shellcheck-reports/shellcheck-report.txt
            shellcheck -f gcc "$script" >> shellcheck-reports/shellcheck-report.txt 2>&1 || true
            echo "" >> shellcheck-reports/shellcheck-report.txt
          done

          cat shellcheck-reports/shellcheck-report.txt

      - name: Create empty report if no scripts
        if: steps.find_scripts.outputs.script_count == 0
        run: |
          echo "ShellCheck Analysis Report" > shellcheck-reports/shellcheck-report.txt
          echo "No shell scripts found to analyze." >> shellcheck-reports/shellcheck-report.txt

      - name: Upload ShellCheck Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: shellcheck-report
          path: shellcheck-reports/shellcheck-report.txt