diff --git a/.github/workflows/security_code_tests_v1.yml b/.github/workflows/security_code_tests_v1.yml
index 63062f5959..e22b0d5f23 100644
--- a/.github/workflows/security_code_tests_v1.yml
+++ b/.github/workflows/security_code_tests_v1.yml
@@ -4,54 +4,53 @@ on: push: branches: [ master ] pull_request: - branches: [ master ] + # TODO remove release-1.19.0-prep before merge to master + branches: + - master + - release-1.19.0-prep workflow_dispatch: jobs: security-python: runs-on: ubuntu-latest - container: snyk/snyk:python-3.8 + container: snyk/snyk:python-3.12-preview steps: - - uses: actions/checkout@v2 - - name: security-python - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - run: | - pip install -e python/. - snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high + - uses: actions/checkout@v4 + - name: security-python + # NOTE: [all] installs tensorflow as well as an extra + run: | + pip install -e python/.[all] + snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} security-operator: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: security-operator - # NOTE: We use the Snyk action (instead of the Snyk base image) so that - # it respects the Go version we use. - uses: snyk/actions/golang@master - with: - args: --fail-on=upgradable - --severity-threshold=high - --file=operator/go.mod - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - uses: actions/checkout@v4 + - uses: snyk/actions/setup@master + - uses: actions/setup-go@v3 + with: + go-version: '1.24.7' + - name: security-operator + run: snyk test --file=operator/go.mod --fail-on=upgradable --severity-threshold=high + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} security-executor: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: snyk/actions/setup@master - - uses: actions/setup-go@v3 - with: - go-version: '^1.24.7' - - name: Set up executor's environment - # NOTE: The executor needs a couple extra steps before we can build it, - # like copying the operator's package into the executor's folder so that - # it's accessible. 
- run: make -C executor/ executor - - name: security-executor - run: snyk test \ - --fail-on=upgradable - --severity-threshold=high - --file=executor/go.mod - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - uses: actions/checkout@v4 + - uses: snyk/actions/setup@master + - uses: actions/setup-go@v3 + with: + go-version: '1.24.7' + - name: Set up executor's environment + # NOTE: The executor needs a couple extra steps before we can build it, + # like copying the operator's package into the executor's folder so that + # it's accessible. + run: make -C executor/ executor + - name: security-executor + run: snyk test --file=executor/go.mod --fail-on=upgradable --severity-threshold=high + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/security_tests_go_v1.yml b/.github/workflows/security_tests_go_v1.yml new file mode 100644 index 0000000000..a0cbc7e242 --- /dev/null +++ b/.github/workflows/security_tests_go_v1.yml 
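Review bot: The new `security-operator` and `security-executor` steps pull `snyk/actions/setup@master` while `SNYK_TOKEN` is in the step env, so the code that runs with that secret is whatever the action's `master` branch resolves to at run time; pin it to a full commit SHA, e.g. `- uses: snyk/actions/setup@<commit-sha>  # <release-tag>`, and do the same for the `snyk/snyk:python-3.12-preview` container (a digest or a released tag rather than a `-preview` tag). The same `@master` reference is used by every `snyk/actions/docker@master` step in the two new workflow files added by this commit. Switching `go-version` from the `^1.24.7` range to the exact `'1.24.7'` goes in the right direction for reproducible scans, so the action refs are the remaining mutable inputs.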
@@ -0,0 +1,82 @@ +name: V1 Security Tests Go Images + +on: + push: + branches: [ master ] + pull_request: + # TODO remove release-1.19.0-prep before merge to master + branches: + - master + - release-1.19.0-prep + workflow_dispatch: + +jobs: + image-executor: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Generate and set docker image tag + run: | + TAG="executor-test-$(date +%s)-$(openssl rand -hex 4)" + echo "SELDON_EXECUTOR_IMG=$TAG" >> $GITHUB_ENV + echo "Generated tag: SELDON_EXECUTOR_IMG" + - name: Build docker image + working-directory: ./executor/ + env: + VERSION: ${{ steps.docker-tag.outputs.value }} + run: | + make docker-build + - name: Scan docker image for CVEs + uses: snyk/actions/docker@master + continue-on-error: false + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.SELDON_EXECUTOR_IMG }} + args: --app-vulns --severity-threshold=high --file=executor/Dockerfile.executor --fail-on=upgradable + + image-operator: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Generate and set docker image tag + run: | + TAG="operator-test-$(date +%s)-$(openssl rand -hex 4)" + echo "SELDON_OPERATOR_IMG=$TAG" >> $GITHUB_ENV + echo "Generated tag: SELDON_OPERATOR_IMG" + - name: Build docker image + working-directory: ./operator/ + env: + VERSION: ${{ steps.docker-tag.outputs.value }} + run: | + make docker-build + - name: Scan docker image for CVEs + uses: snyk/actions/docker@master + continue-on-error: false + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.SELDON_OPERATOR_IMG }} + args: --app-vulns --severity-threshold=high --file=operator/Dockerfile --fail-on=upgradable + + image-rclone-storage-initializer: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Build (rclone initializer) + working-directory: 
./components/rclone-storage-initializer + run: | + export RCLONE_IMAGE_TAG="sec-tests.io/rclone-$(date +%s)-$(openssl rand -hex 4):test" + echo "RCLONE_IMAGE_TAG=$RCLONE_IMAGE_TAG" >> $GITHUB_ENV + make IMAGE_TAG=$RCLONE_IMAGE_TAG docker-build + - name: Scan rclone + uses: snyk/actions/docker@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.RCLONE_IMAGE_TAG }} + args: --app-vulns --severity-threshold=high --file=components/rclone-storage-initializer/Dockerfile --fail-on=upgradable diff --git a/.github/workflows/security_tests_python_v1.yml b/.github/workflows/security_tests_python_v1.yml new file mode 100644 index 0000000000..3df07ead89 --- /dev/null +++ b/.github/workflows/security_tests_python_v1.yml 
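Review bot: In both `image-executor` and `image-operator` the build step sets `VERSION: ${{ steps.docker-tag.outputs.value }}`, but no step in either job carries `id: docker-tag` (the tag step only appends to `$GITHUB_ENV`), so `VERSION` is always empty and `make docker-build` only produces the tag later scanned via `env.SELDON_EXECUTOR_IMG` / `env.SELDON_OPERATOR_IMG` if the Makefile reads those env vars itself, which is worth confirming. The tag step's log line also prints the literal name rather than the value: `echo "Generated tag: SELDON_EXECUTOR_IMG"`. Give the tag step `id: docker-tag` and add `echo "value=$TAG" >> "$GITHUB_OUTPUT"`, or drop the unresolvable `VERSION` env entirely, and change the log line to `echo "Generated tag: $TAG"`.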
@@ -0,0 +1,305 @@ +name: V1 Security Tests Python Images + +on: + push: + branches: [ master ] + pull_request: + # TODO remove release-1.19.0-prep before merge to master + branches: + - master + - release-1.19.0-prep + workflow_dispatch: +jobs: + build-upload-scan-base-images: + runs-on: ubuntu-latest + outputs: + python_base_image_tag: ${{ steps.export-docker-tag.outputs.python_base_image_tag }} + conda_base_image_tag: ${{ steps.export-docker-tag.outputs.conda_base_image_tag }} + steps: + - uses: actions/checkout@v4 + + - name: Free up disk space (android, haskell, dotnet) + run: | + sudo rm -rf /usr/local/lib/android || true + sudo rm -rf /opt/ghc || true + sudo rm -rf /usr/share/dotnet || true + df -h + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + # Build and scan the Conda base image + - name: Generate and set docker Conda image tag + id: export-docker-tag + run: | + TAG_CONDA="sec-tests/conda-base-$(date +%s)-$(openssl rand -hex 4)" + echo "CONDA_BASE_IMAGE=$TAG_CONDA" >> $GITHUB_ENV + TAG_PYTHON="sec-tests/python-base-$(date +%s)-$(openssl rand -hex 4)" + echo "PYTHON_BASE_IMAGE=$TAG_PYTHON" >> $GITHUB_ENV + + echo "conda_base_image_tag=$TAG_CONDA" >> $GITHUB_OUTPUT + echo "python_base_image_tag=$TAG_PYTHON" >> $GITHUB_OUTPUT + + echo "Generated Conda Base Image tag: $CONDA_BASE_IMAGE" + echo "Generated Python Wrapper Image tag: $PYTHON_BASE_IMAGE" + - name: Build (Conda Base Image) + working-directory: ./wrappers/s2i/python + run: | + make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test docker-build-conda-base + docker save -o /tmp/conda-image.tar ${{ env.CONDA_BASE_IMAGE}}:test + - name: Scan Conda image + id: scan-conda + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.CONDA_BASE_IMAGE}}:test + args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile.conda + + - name: Save Snyk result for 
Conda image to file + run: echo "conda_RESULT=${{ steps.scan-conda.outcome }}" > "report-conda.txt" + + - name: Upload file + uses: actions/upload-artifact@v4 + with: + name: report-conda + path: report-conda.txt + + # Build and scan the Python Wrapper base image + - name: Build (Base Wrapper) + working-directory: ./wrappers/s2i/python + run: | + make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test IMAGE_NAME=${{ env.PYTHON_BASE_IMAGE}} docker-build PYTHON_VERSION=3.12.12 CONDA_VERSION=25.3.1 BASE_IMAGE=$${{ env.CONDA_BASE_IMAGE }} + docker save -o /tmp/python-wrapper-image.tar ${{ env.PYTHON_BASE_IMAGE}}:test + - name: Scan Python base image + id: scan-python-base + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.PYTHON_BASE_IMAGE}}:test + args: --fail-on=upgradable --app-vulns --severity-threshold=high + + - name: Save Snyk result for Python Wrapper image to file + run: echo "python_wrapper_RESULT=${{ steps.scan-python-base.outcome }}" > "report-python-wrapper.txt" + + - name: Upload file + uses: actions/upload-artifact@v4 + with: + name: report-python-wrapper + path: report-python-wrapper.txt + + - name: Upload Conda base image + uses: actions/upload-artifact@v4 + with: + name: conda-base-image + path: /tmp/conda-image.tar + + - name: Upload Python Wrapper image + uses: actions/upload-artifact@v4 + with: + name: python-wrapper-image + path: /tmp/python-wrapper-image.tar + + build-servers: + needs: build-upload-scan-base-images + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + server: + - tfserving_proxy + - sklearnserver + - mlflowserver + - xgboostserver + steps: + - uses: actions/checkout@v4 + + # Download Conda base image + - uses: actions/download-artifact@v4 + with: + name: conda-base-image + # Download Python Wrapper image + - uses: actions/download-artifact@v4 + with: + name: python-wrapper-image + - name: Load images + run: | + docker load -i 
conda-image.tar + docker load -i python-wrapper-image.tar + + - name: Remove tarballs + run: rm -f conda-image.tar python-wrapper-image.tar + + - name: Install s2i CLI - needed for building the server images + uses: redhat-actions/openshift-tools-installer@v1 + with: + github_pat: ${{ github.token }} + source: "github" + s2i: "latest" + + - name: Build server + id: build-server + working-directory: ./servers/${{ matrix.server }} + run: | + export SERVER_IMAGE_TAG="sec-tests/${{ matrix.server }}-$(date +%s)-$(openssl rand -hex 4)" + echo "SERVER_IMAGE_TAG=$SERVER_IMAGE_TAG" >> $GITHUB_ENV + make IMAGE_NAME=$SERVER_IMAGE_TAG VERSION=test BASE_IMAGE=${{ needs.build-upload-scan-base-images.outputs.python_base_image_tag }}:test docker-build + - name: Scan + id: scan + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.SERVER_IMAGE_TAG}}:test + args: --fail-on=upgradable --app-vulns --severity-threshold=high + + - name: Save scan output to file + run: echo "${{ matrix.server }}_RESULT=${{ steps.scan.outcome }}" > "report-${{ matrix.server }}.txt" + + - name: Upload file + uses: actions/upload-artifact@v4 + with: + name: report-${{ matrix.server }} + path: report-${{ matrix.server }}.txt + + build-alibi-explain: + needs: build-upload-scan-base-images + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Free up disk space (android, haskell, dotnet) + run: | + sudo rm -rf /usr/local/lib/android || true + sudo rm -rf /opt/ghc || true + sudo rm -rf /usr/share/dotnet || true + df -h + + # Download Conda base image + - uses: actions/download-artifact@v4 + with: + name: conda-base-image + - name: Load images + run: docker load -i conda-image.tar + + - name: Remove tarballs + run: rm -f conda-image.tar + + - name: Build Alibi Explain + id: build-alibi-explain + working-directory: ./components/alibi-explain-server + run: | + export 
ALIBI_EXPLAIN_IMAGE_TAG="sec-tests/alibi-explain-$(date +%s)-$(openssl rand -hex 4)" + echo "ALIBI_EXPLAIN_IMAGE_TAG=$ALIBI_EXPLAIN_IMAGE_TAG" >> $GITHUB_ENV + make IMAGE=$ALIBI_EXPLAIN_IMAGE_TAG VERSION=test BASE_IMAGE=${{ needs.build-upload-scan-base-images.outputs.conda_base_image_tag }} docker-build + + - name: Free space by removing the Conda Base Docker image + run: docker rmi ${{ needs.build-upload-scan-base-images.outputs.conda_base_image_tag }}:test + + - name: Free up space by removing the Docker Builder caches + run: docker builder prune -af + + - name: Scan alibi explain + id: scan-alibi-explain + if: steps.build-alibi-explain.outcome == 'success' + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.ALIBI_EXPLAIN_IMAGE_TAG}}:test + args: --fail-on=upgradable --app-vulns --severity-threshold=high + + - name: Save scan output to file + run: echo "alibi_explain_RESULT=${{ steps.scan-alibi-explain.outcome }}" > "report-alibi-explain.txt" + + - name: Upload file + uses: actions/upload-artifact@v4 + with: + name: report-alibi-explain + path: report-alibi-explain.txt + + build-alibi-detect: + needs: build-upload-scan-base-images + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Free up disk space (android, haskell, dotnet) + run: | + sudo rm -rf /usr/local/lib/android || true + sudo rm -rf /opt/ghc || true + sudo rm -rf /usr/share/dotnet || true + df -h + + # Download Conda base image + - uses: actions/download-artifact@v4 + with: + name: conda-base-image + - name: Load image + run: docker load -i conda-image.tar + + - name: Remove tarballs + run: rm -f conda-image.tar + + - name: Build Alibi Detect + id: build-alibi-detect + working-directory: ./components/alibi-detect-server + run: | + export ALIBI_DETECT_IMAGE_TAG="sec-tests/alibi-detect-$(date +%s)-$(openssl rand -hex 4)" + echo "ALIBI_DETECT_IMAGE_TAG=$ALIBI_DETECT_IMAGE_TAG" >> $GITHUB_ENV + make 
IMAGE=$ALIBI_DETECT_IMAGE_TAG VERSION=test BASE_IMAGE=${{ needs.build-upload-scan-base-images.outputs.conda_base_image_tag }} docker-build + + - name: Free space by removing the Conda Base Docker image + run: docker rmi ${{ needs.build-upload-scan-base-images.outputs.conda_base_image_tag }}:test + + - name: Free up space by removing the Docker Builder caches + run: docker builder prune -af + + - name: Scan alibi detect + id: scan-alibi-detect + if: steps.build-alibi-detect.outcome == 'success' + uses: snyk/actions/docker@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.ALIBI_DETECT_IMAGE_TAG}}:test + args: --fail-on=upgradable --app-vulns --severity-threshold=high + + - name: Save scan output to file + run: echo "alibi_detect_RESULT=${{ steps.scan-alibi-detect.outcome }}" > "report-alibi-detect.txt" + + - name: Upload file + uses: actions/upload-artifact@v4 + with: + name: report-alibi-detect + path: report-alibi-detect.txt + + verify-scans: + needs: [ build-upload-scan-base-images, build-servers, build-alibi-explain, build-alibi-detect] + runs-on: ubuntu-latest + if: always() + + steps: + - name: Download Snyk results for servers + uses: actions/download-artifact@v4 + with: + pattern: report-* + merge-multiple: true + + - name: Fail if any scan failed + run: | + echo "Checking scan results..." + + cat report-* > combined.txt + cat combined.txt + + if grep -q "failure" combined.txt; then + echo "A component reported failure" + exit 1 + fi \ No newline at end of file diff --git a/.github/workflows/security_tests_v1.yml b/.github/workflows/security_tests_v1.yml deleted file mode 100644 index b835881d31..0000000000 --- a/.github/workflows/security_tests_v1.yml +++ /dev/null 
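Review bot: In the `Build (Base Wrapper)` step of `build-upload-scan-base-images`, `BASE_IMAGE=$${{ env.CONDA_BASE_IMAGE }}` has a stray `$`: after expression substitution the shell sees `$sec-tests/conda-base-…`, expands the (presumably unset) `$sec` to nothing, and passes `-tests/conda-base-…` as the base image, with no `:test` tag unlike the `BASE_IMAGE=…:test` form used in `build-servers`. Change it to `BASE_IMAGE=${{ env.CONDA_BASE_IMAGE }}:test` if the wrapper Dockerfile expects a tagged reference; the deleted workflow built this image without `BASE_IMAGE` at all, so check which variable the Makefile honours. Separately, the `verify-scans` gate only matches the word `failure`, so a scan step whose outcome is `skipped` (build did not succeed) or `cancelled`, or a `report-*` artifact that was never uploaded, passes the gate silently; make it fail on `grep -Eq "failure|cancelled|skipped"` and assert that one report file exists per expected component.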
@@ -1,310 +0,0 @@ -name: V1 Security Tests - -on: - push: - branches: [ master ] - pull_request: - # TODO revert before merge to master - branches: [ release-1.19.0-prep ] - workflow_dispatch: - -env: - GOLANG_VERSION: 1.20.9 - -jobs: - python: - runs-on: ubuntu-latest - container: snyk/snyk:python-3.8 - steps: - - uses: actions/checkout@v2 - - name: security-python - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - run: | - pip install -e python/. - snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high - - image-executor: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Generate and set docker image tag - run: | - TAG="executor-test-$(date +%s)-$(openssl rand -hex 4)" - echo "SELDON_EXECUTOR_IMG=$TAG" >> $GITHUB_ENV - echo "Generated tag: SELDON_EXECUTOR_IMG" - - name: Build docker image - working-directory: ./executor/ - env: - VERSION: ${{ steps.docker-tag.outputs.value }} - run: | - make docker-build - - name: Scan docker image for CVEs - uses: snyk/actions/docker@master - continue-on-error: false - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.SELDON_EXECUTOR_IMG }} - args: --app-vulns --severity-threshold=high --file=executor/Dockerfile.executor - - image-operator: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Generate and set docker image tag - run: | - TAG="operator-test-$(date +%s)-$(openssl rand -hex 4)" - echo "SELDON_OPERATOR_IMG=$TAG" >> $GITHUB_ENV - echo "Generated tag: SELDON_OPERATOR_IMG" - - name: Build docker image - working-directory: ./operator/ - env: - VERSION: ${{ steps.docker-tag.outputs.value }} - run: | - make docker-build - - name: Scan docker image for CVEs - uses: snyk/actions/docker@master - continue-on-error: false - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ 
env.SELDON_OPERATOR_IMG }} - args: --app-vulns --severity-threshold=high --file=operator/Dockerfile - - - build-and-scan-python-images: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Generate and set docker Conda image tag - run: | - TAG_CONDA="sec-tests/conda-base-$(date +%s)-$(openssl rand -hex 4)" - echo "CONDA_BASE_IMAGE=$TAG_CONDA" >> $GITHUB_ENV - TAG_PYTHON="sec-tests/python-base-$(date +%s)-$(openssl rand -hex 4)" - echo "PYTHON_BASE_IMAGE=$TAG_PYTHON" >> $GITHUB_ENV - echo "Generated tag: PYTHON_BASE_IMAGE" - - name: Build (Conda Base Image) - working-directory: ./wrappers/s2i/python - run: | - make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test docker-build-conda-base - docker save -o /tmp/conda-image.tar ${{ env.CONDA_BASE_IMAGE}}:test - - name: Upload artifact - uses: actions/upload-artifact@v4 - with: - name: conda-image - path: /tmp/conda-image.tar - - name: Scan Conda image - id: scan-conda - uses: snyk/actions/docker@master - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.CONDA_BASE_IMAGE}}:test - args: --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile.conda - - - name: Build (Base Wrapper) - working-directory: ./wrappers/s2i/python - run: | - make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test IMAGE_NAME=${{ env.PYTHON_BASE_IMAGE}} docker-build PYTHON_VERSION=3.8.10 - docker save -o /tmp/python-base-image.tar ${{ env.PYTHON_BASE_IMAGE}}:test - - name: Upload artifact - uses: actions/upload-artifact@v4 - with: - name: python-base-image - path: /tmp/python-base-image.tar - - name: Scan Python base image - id: scan-python-base - uses: snyk/actions/docker@master - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.PYTHON_BASE_IMAGE}}:test - args: --app-vulns --severity-threshold=high 
--file=wrappers/s2i/python/Dockerfile - - - name: Install CLI tools from OpenShift Mirror - uses: redhat-actions/openshift-tools-installer@v1 - with: - github_pat: ${{ github.token }} - source: "github" - s2i: "latest" - - - - name: Build (tfserving proxy) - id: build-tfserving-proxy - continue-on-error: true - working-directory: ./servers/tfserving_proxy - run: | - export TFSERVING_IMAGE_TAG="sec-tests/tfserving-$(date +%s)-$(openssl rand -hex 4)" - echo "TFSERVING_IMAGE_TAG=$TFSERVING_IMAGE_TAG" >> $GITHUB_ENV - make IMAGE_NAME=$TFSERVING_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build - - name: Scan TF-serving proxy - id: scan-tfserving-proxy - if: steps.build-tfserving-proxy.outcome == 'success' - uses: snyk/actions/docker@master - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.TFSERVING_IMAGE_TAG}}:test - args: --fail-on=upgradable --app-vulns --severity-threshold=high - - - name: Clean up Docker image - if: always() - run: docker rmi ${{ env.SKLEARN_IMAGE_TAG}}:test - - - name: Build (sklearn) - id: build-sklearn - continue-on-error: true - working-directory: ./servers/sklearnserver - run: | - export SKLEARN_IMAGE_TAG="sec-tests/sklearn-$(date +%s)-$(openssl rand -hex 4)" - echo "SKLEARN_IMAGE_TAG=$SKLEARN_IMAGE_TAG" >> $GITHUB_ENV - make IMAGE_NAME=$SKLEARN_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build - - name: Scan sklearn - id: scan-sklearn - if: steps.build-sklearn.outcome == 'success' - uses: snyk/actions/docker@master - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.SKLEARN_IMAGE_TAG}}:test - args: --fail-on=upgradable --app-vulns --severity-threshold=high - - - name: Clean up Docker image - if: always() - run: docker rmi ${{ env.SKLEARN_IMAGE_TAG}}:test - - - name: Build (mlflow) - id: build-mlflow - continue-on-error: true - working-directory: ./servers/mlflowserver - run: | - export 
MLFLOW_IMAGE_TAG="sec-tests/mlflow-$(date +%s)-$(openssl rand -hex 4)" - echo "MLFLOW_IMAGE_TAG=$MLFLOW_IMAGE_TAG" >> $GITHUB_ENV - make IMAGE_NAME=$MLFLOW_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build - - name: Scan mlflow - id: scan-mlflow - if: steps.build-mlflow.outcome == 'success' - uses: snyk/actions/docker@master - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.MLFLOW_IMAGE_TAG}}:test - args: --fail-on=upgradable --app-vulns --severity-threshold=high - - - - name: Clean up Docker image - if: always() - run: docker rmi ${{ env.MLFLOW_IMAGE_TAG}}:test - - - name: Build (xgboost) - id: build-xgboost - continue-on-error: true - working-directory: ./servers/xgboostserver - run: | - export XGBOOST_IMAGE_TAG="sec-tests/xgbost-$(date +%s)-$(openssl rand -hex 4)" - echo "XGBOOST_IMAGE_TAG=$XGBOOST_IMAGE_TAG" >> $GITHUB_ENV - make IMAGE_NAME=$XGBOOST_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build - - name: Scan xgboost - id: scan-xgboost - if: steps.build-xgboost.outcome == 'success' - uses: snyk/actions/docker@master - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.XGBOOST_IMAGE_TAG}}:test - args: --fail-on=upgradable --app-vulns --severity-threshold=high - - - name: Clean up Docker image - if: always() - run: docker rmi ${{ env.XGBOOST_IMAGE_TAG}}:test - - - name: Build (alibi explain) - id: build-alibi-explain - continue-on-error: true - working-directory: ./components/alibi-explain-server - run: | - export ALIBI_EXPLAIN_IMAGE_TAG="sec-tests/alibi-explain-$(date +%s)-$(openssl rand -hex 4)" - echo "ALIBI_EXPLAIN_IMAGE_TAG=$ALIBI_EXPLAIN_IMAGE_TAG" >> $GITHUB_ENV - make IMAGE=$ALIBI_EXPLAIN_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}} docker-build - - name: Scan alibi explain - id: scan-alibi-explain - if: steps.build-alibi-explain.outcome == 'success' - uses: snyk/actions/docker@master 
- continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.ALIBI_EXPLAIN_IMAGE_TAG}}:test - args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-explain-server/Dockerfile - - - - name: Clean up Docker image - if: always() - run: docker rmi ${{ env.ALIBI_EXPLAIN_IMAGE_TAG}}:test - - - - name: Check for image scan failures - if: always() - run: | - if [ "${{ steps.scan-alibi-explain.outcome }}" != "success" ] || \ - [ "${{ steps.scan-xgboost.outcome }}" != "success" ] || \ - [ "${{ steps.scan-sklearn.outcome }}" != "success" ] || \ - [ "${{ steps.scan-tfserving-proxy.outcome }}" != "success" ] || \ - [ "${{ steps.scan-python-base.outcome }}" != "success" ] || \ - [ "${{ steps.scan-conda.outcome }}" != "success" ] || \ - [ "${{ steps.scan-mlflow.outcome }}" != "success" ]; then - echo "One or more docker image scans did not succeed" - exit 1 - fi - -# TODO had to comment out due to GH runner out of disk space, image can be built locally if needed, or may have to use -# own runner -# - name: Build (alibi detect) -# id: build-alibi-detect -# continue-on-error: true -# working-directory: ./components/alibi-detect-server -# run: | -# export ALIBI_DETECT_IMAGE_TAG="sec-tests/alibi-detect-$(date +%s)-$(openssl rand -hex 4)" -# echo "ALIBI_DETECT_IMAGE_TAG=$ALIBI_DETECT_IMAGE_TAG" >> $GITHUB_ENV -# make IMAGE=$ALIBI_DETECT_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}} docker-build -# - name: Scan alibi detect -# if: steps.build-alibi-detect.outcome == 'success' -# uses: snyk/actions/docker@master -# continue-on-error: true -# env: -# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} -# with: -# image: ${{ env.ALIBI_DETECT_IMAGE_TAG}}:test -# args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-detect-server/Dockerfile - - security-image-initializer-rclone: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Build (rclone initializer) - 
working-directory: ./components/rclone-storage-initializer - run: | - export RCLONE_IMAGE_TAG="sec-tests.io/rclone-$(date +%s)-$(openssl rand -hex 4):test" - echo "RCLONE_IMAGE_TAG=$RCLONE_IMAGE_TAG" >> $GITHUB_ENV - make IMAGE_TAG=$RCLONE_IMAGE_TAG docker-build - - name: Scan rclone - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${{ env.RCLONE_IMAGE_TAG }} - args: --app-vulns --severity-threshold=high --file=components/rclone-storage-initializer/Dockerfile diff --git a/.github/workflows/security_tests_v2.yml b/.github/workflows/security_tests_v2.yml deleted file mode 100644 index adc95bb718..0000000000 --- a/.github/workflows/security_tests_v2.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: V2 Build docker images - -on: - push: - branches: [ v2 ] - workflow_dispatch: - inputs: - docker-tag: - description: 'Docker tag for scan' - default: 'latest' - required: false - -jobs: - placeholder: - name: placeholder - runs-on: ubuntu-latest - if: github.repository == 'seldonio/seldon-core' # Do not run this on forks. - steps: - - name: Echo Message - run: echo "This is to make workflow available for V2 releases"