Add Scan Container. (#560)

Signed-off-by: zepan <ze.pan@intel.com>
opea-project · Aug 30, 2024 · 0d49244 · 0d49244
1 parent 5fb4a38
commit 0d49244
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 2 deletions.
diff --git a/.github/workflows/manual-bom-scan.yml b/.github/workflows/manual-bom-scan.yml
@@ -0,0 +1,92 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Comps docker images BoM scan on manual event
+on:
+  workflow_dispatch:
+    inputs:
+      services:
+        default: "asr"
+        description: "List of services to test [agent_langchain,asr,chathistory_mongo,dataprep_milvus...]" #,embeddings,guardrails,knowledgegraphs,llms,lvms,prompt_registry,ragas,reranks,retrievers,tts,vectorstores,web_retrievers]"
+        required: true
+        type: string
+      tag:
+        default: "comps"
+        description: "Tag to apply to images"
+        required: true
+        type: string
+
+permissions: read-all
+jobs:
+  get-image-list:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.scan-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout out Repo
+        uses: actions/checkout@v4
+
+      - name: Set Matrix
+        id: scan-matrix
+        run: |
+          pip install yq
+          services=($(echo ${{ inputs.services }} | tr ',' ' '))
+          image_list=[]
+          for service in ${services[@]}
+          do
+              images=$(cat ${{ github.workspace }}/.github/workflows/docker/compose/${service}-compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.')
+              image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images}))
+          done
+          echo "matrix=$(echo ${image_list} | jq -c '.')" >> $GITHUB_OUTPUT
+
+  scan-license:
+    needs: get-image-list
+    runs-on: "docker-build-gaudi"
+    strategy:
+      matrix:
+        image: ${{ fromJson(needs.get-image-list.outputs.matrix) }}
+      fail-fast: false
+    steps:
+      - name: Pull Image
+        run: |
+          docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:latest
+          # ${{ inputs.tag }}
+          echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
+
+      - name: SBOM Scan Container
+        uses: anchore/sbom-action@v0.17.1
+        if: always()
+        with:
+          image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
+          output-file: ${{ matrix.image }}-sbom-scan.txt
+          format: "spdx-json"
+
+      - name: Security Scan Container
+        uses: aquasecurity/trivy-action@0.24.0
+        if: always()
+        with:
+          image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
+          output: ${{ matrix.image }}-trivy-scan.txt
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+
+      - name: Cleanup
+        if: always()
+        run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
+
+      - uses: actions/upload-artifact@v4.3.4
+        if: always()
+        with:
+          name: sbom-scan
+          path: ${{ matrix.image }}-sbom-scan.txt
+          overwrite: true
+
+      - uses: actions/upload-artifact@v4.3.4
+        if: always()
+        with:
+          name: trivy-scan
+          path: ${{ matrix.image }}-trivy-scan.txt
+          overwrite: true
diff --git a/comps/__init__.py b/comps/__init__.py
@@ -15,8 +15,6 @@
     SearchedMultimodalDoc,
     RerankedDoc,
     TextDoc,
-    ImageDoc,
-    TextImageDoc,
     RAGASParams,
     RAGASScores,
     GraphDoc,