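# Daily 04:00 (UTC) CVE scan of the published Graphistry containers; also runnable by hand.
name: Scan
# description:
#   Daily 4a CVE report

# `on` is a YAML 1.1 truthy key; GitHub's loader handles it, so only the linter needs silencing.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  schedule:
    - cron: '0 4 * * *'

# Least-privilege GITHUB_TOKEN: SARIF upload needs security-events:write, cancelling runs needs
# actions:write, checkout needs contents:read. Nothing in this workflow pushes code or comments,
# so every other scope is left at none.
permissions:
  contents: read
  security-events: write
  actions: write

# Native replacement for a third-party "cancel previous runs" action: a new run of this
# workflow on the same ref cancels an in-progress one. Makes the cancel_outstanding job redundant.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true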
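jobs:
  cancel_outstanding:
    name: Detect and cancel outstanding runs of this workflow
    # Only schedule/workflow_dispatch trigger this workflow, so github.event.pull_request is
    # always empty and this condition is always true; it only has an effect if a pull_request
    # trigger is added later. Same for the label checks on the two scan jobs below.
    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-security-scan') }}
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Cancel Previous Runs
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-cancel') }}
        # The version ref of this third-party action was lost in the source listing. Pin it to a
        # full commit SHA rather than a tag: it runs with a token that can cancel workflow runs.
        uses: styfle/cancel-workflow-action@<PINNED_COMMIT_SHA_PLACEHOLDER>
        with:
          access_token: ${{ github.token }}

  scan_base:
    name: Scan base Graphistry container
    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-security-scan') }}
    runs-on: ubuntu-latest-4-cores
    timeout-minutes: 30
    strategy:
      matrix:
        CUDA_SHORT_VERSION: ['11.8']  # quoted on purpose: a bare 11.8 would parse as a float
    env:
      # No image is built in this job; the BuildKit flags are kept for parity with the build workflow.
      COMPOSE_DOCKER_CLI_BUILD: "1"
      DOCKER_BUILDKIT: "1"
      # Image coordinates declared once per job instead of being repeated on every step.
      DOCKER_IMAGE: graphistry/graphistry-forge-base
      DOCKER_IMAGE_SHORT: graphistry-forge-base
      VERSION: latest
      # Job-level env gives the same downstream visibility as the former GITHUB_ENV write,
      # without interpolating the matrix value into a shell line.
      CUDA_SHORT_VERSION: ${{ matrix.CUDA_SHORT_VERSION }}
    steps:
      - name: checkout
        uses: actions/checkout@v3  # TODO(review): pin to a full commit SHA

      - name: version envvars
        shell: bash
        # Nothing in this workflow reads the CUDA_SHORT_VERSION file; presumably kept for parity
        # with the build workflow — confirm before removing. `rm -f` never fails on a missing file.
        run: |
          rm -f CUDA_SHORT_VERSION
          echo "${CUDA_SHORT_VERSION}" > CUDA_SHORT_VERSION

      - name: install grype
        # `shell: bash` runs with -o pipefail, so a failed download fails the step instead of
        # silently piping an empty script into sh.
        shell: bash
        # Supply-chain caveat: this fetches the installer from `main` and installs the latest
        # grype release without verification. Pin a release (`sh -s -- -b /usr/local/bin vX.Y.Z`)
        # and verify the installer's checksum before piping it to sh.
        run: |
          sudo docker images
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

      - name: scan
        shell: bash
        # --only-fixed: report only findings that already have an upstream fix (the actionable set).
        # The SARIF output is printed to the log for debugging, then uploaded by the next step.
        run: |
          grype "${DOCKER_IMAGE}:${VERSION}-${CUDA_SHORT_VERSION}" \
            --only-fixed \
            -o sarif \
            > "${DOCKER_IMAGE_SHORT}-${CUDA_SHORT_VERSION}.json"
          echo "========== SARIF REPORT =========="
          cat "${DOCKER_IMAGE_SHORT}-${CUDA_SHORT_VERSION}.json"

      - name: upload SARIF report
        uses: github/codeql-action/upload-sarif@v2  # v1 is deprecated
        with:
          # `with:` inputs are not shell-expanded: a `${VAR}` here is passed literally, so the
          # file is never found. Expression syntax on the env context is what actually resolves.
          sarif_file: ${{ env.DOCKER_IMAGE_SHORT }}-${{ env.CUDA_SHORT_VERSION }}.json
          # category differentiates multiple results for one commit
          category: ${{ env.DOCKER_IMAGE_SHORT }}-${{ env.VERSION }}-${{ env.CUDA_SHORT_VERSION }}

      - name: fail on fixable severe vulnerabilities
        shell: bash
        # Second pass that turns the policy into a job failure: any fixable finding of severity
        # high or above fails the run; the template output is the human-readable report.
        run: |
          grype "${DOCKER_IMAGE}:${VERSION}-${CUDA_SHORT_VERSION}" \
            --only-fixed \
            --fail-on high \
            -o template -t .grype/grype.friendly.tmpl

  scan_gak:
    name: Scan graph-app-kit container
    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-security-scan') }}
    runs-on: ubuntu-latest-4-cores
    timeout-minutes: 30
    strategy:
      matrix:
        CUDA_SHORT_VERSION: ['11.8']  # quoted on purpose: a bare 11.8 would parse as a float
    env:
      # No image is built in this job; the BuildKit flags are kept for parity with the build workflow.
      COMPOSE_DOCKER_CLI_BUILD: "1"
      DOCKER_BUILDKIT: "1"
      # Image coordinates declared once per job instead of being repeated on every step.
      DOCKER_IMAGE: graphistry/graphistry-graph-app-kit-st
      DOCKER_IMAGE_SHORT: graphistry-graph-app-kit-st
      VERSION: latest
      # Job-level env gives the same downstream visibility as the former GITHUB_ENV write,
      # without interpolating the matrix value into a shell line.
      CUDA_SHORT_VERSION: ${{ matrix.CUDA_SHORT_VERSION }}
    steps:
      - name: checkout
        uses: actions/checkout@v3  # TODO(review): pin to a full commit SHA

      - name: version envvars
        shell: bash
        # Nothing in this workflow reads the CUDA_SHORT_VERSION file; presumably kept for parity
        # with the build workflow — confirm before removing. `rm -f` never fails on a missing file.
        run: |
          rm -f CUDA_SHORT_VERSION
          echo "${CUDA_SHORT_VERSION}" > CUDA_SHORT_VERSION

      - name: install grype
        # `shell: bash` runs with -o pipefail, so a failed download fails the step instead of
        # silently piping an empty script into sh.
        shell: bash
        # Supply-chain caveat: this fetches the installer from `main` and installs the latest
        # grype release without verification. Pin a release (`sh -s -- -b /usr/local/bin vX.Y.Z`)
        # and verify the installer's checksum before piping it to sh.
        run: |
          sudo docker images
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

      - name: scan
        shell: bash
        # --only-fixed: report only findings that already have an upstream fix (the actionable set).
        # The SARIF output is printed to the log for debugging, then uploaded by the next step.
        run: |
          grype "${DOCKER_IMAGE}:${VERSION}-${CUDA_SHORT_VERSION}" \
            --only-fixed \
            -o sarif \
            > "${DOCKER_IMAGE_SHORT}-${CUDA_SHORT_VERSION}.json"
          echo "========== SARIF REPORT =========="
          cat "${DOCKER_IMAGE_SHORT}-${CUDA_SHORT_VERSION}.json"

      - name: upload SARIF report
        uses: github/codeql-action/upload-sarif@v2  # v1 is deprecated
        with:
          # `with:` inputs are not shell-expanded: a `${VAR}` here is passed literally, so the
          # file is never found. Expression syntax on the env context is what actually resolves.
          sarif_file: ${{ env.DOCKER_IMAGE_SHORT }}-${{ env.CUDA_SHORT_VERSION }}.json
          # category differentiates multiple results for one commit
          category: ${{ env.DOCKER_IMAGE_SHORT }}-${{ env.VERSION }}-${{ env.CUDA_SHORT_VERSION }}

      - name: fail on fixable severe vulnerabilities
        shell: bash
        # Second pass that turns the policy into a job failure: any fixable finding of severity
        # high or above fails the run; the template output is the human-readable report.
        run: |
          grype "${DOCKER_IMAGE}:${VERSION}-${CUDA_SHORT_VERSION}" \
            --only-fixed \
            --fail-on high \
            -o template -t .grype/grype.friendly.tmpl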