5a558eb09e
TypeScript SDK Compatibility V1.x E2E Tests / Select Node version matrix (push) Has been cancelled
TypeScript SDK Compatibility V1.x E2E Tests / TypeScript SDK Compatibility V1.x E2E Tests Node ${{matrix.node_version}} (push) Has been cancelled
TypeScript SDK E2E Tests / TypeScript SDK E2E Tests Node ${{matrix.node_version}} (push) Has been cancelled
Opik Optimizer - E2E Tests / build-opik (push) Has been cancelled
TypeScript SDK Compatibility V1.x E2E Tests / build-opik (push) Has been cancelled
Python SDK E2E Tests / Select Python version matrix (push) Has been cancelled
Python SDK E2E Tests / Python SDK E2E Tests ${{matrix.python_version}} (push) Has been cancelled
Python SDK E2E Tests / build-opik (push) Has been cancelled
Python SDK Compatibility V1.x E2E Tests / Select Python version matrix (push) Has been cancelled
Python SDK Compatibility V1.x E2E Tests / Python SDK Compatibility V1.x E2E Tests ${{matrix.python_version}} (push) Has been cancelled
Python SDK Compatibility V1.x E2E Tests / build-opik (push) Has been cancelled
TypeScript SDK E2E Tests / Select Node version matrix (push) Has been cancelled
TypeScript SDK E2E Tests / build-opik (push) Has been cancelled
Opik Optimizer - E2E Tests / Opik Optimizer E2E Tests Python ${{matrix.python_version}} (push) Has been cancelled
Opik Optimizer - E2E Tests / Opik Optimizer Integration Smoke Tests (push) Has been cancelled
🐙 Code Quality / detect (push) Has been cancelled
🐙 Code Quality / lint (${{ matrix.leg.name }}) (push) Has been cancelled
🐙 Code Quality / summary (push) Has been cancelled
TypeScript SDK Library Integration Tests / Check Secrets (push) Has been cancelled
TypeScript SDK Library Integration Tests / opik-vercel (Vercel AI SDK / eve) (push) Has been cancelled
SDK Library Integration Tests Runner / Check Secrets (push) Has been cancelled
SDK Library Integration Tests Runner / Missed OpenAI API Key Warning (push) Has been cancelled
SDK Library Integration Tests Runner / Build (push) Has been cancelled
SDK Library Integration Tests Runner / openai_tests (push) Has been cancelled
SDK Library Integration Tests Runner / langchain_tests (push) Has been cancelled
SDK Library Integration Tests Runner / langchain_legacy_tests (push) Has been cancelled
SDK Library Integration Tests Runner / llama_index_tests (push) Has been cancelled
SDK Library Integration Tests Runner / anthropic_tests (push) Has been cancelled
SDK Library Integration Tests Runner / mistral_tests (push) Has been cancelled
SDK Library Integration Tests Runner / groq_tests (push) Has been cancelled
SDK Library Integration Tests Runner / aisuite_tests (push) Has been cancelled
SDK Library Integration Tests Runner / haystack_tests (push) Has been cancelled
SDK Library Integration Tests Runner / dspy_tests (push) Has been cancelled
SDK Library Integration Tests Runner / crewai_v0_tests (push) Has been cancelled
SDK Library Integration Tests Runner / crewai_v1_tests (push) Has been cancelled
SDK Library Integration Tests Runner / genai_tests (push) Has been cancelled
SDK Library Integration Tests Runner / adk_tests (push) Has been cancelled
SDK Library Integration Tests Runner / adk_legacy_1_3_0_tests (push) Has been cancelled
SDK Library Integration Tests Runner / evaluation_metrics_tests (push) Has been cancelled
SDK Library Integration Tests Runner / bedrock_tests (push) Has been cancelled
SDK Library Integration Tests Runner / litellm_tests (push) Has been cancelled
SDK Library Integration Tests Runner / harbor_tests (push) Has been cancelled
SDK Library Integration Tests Runner / Slack Notification (push) Has been cancelled
Lint Opik Helm Chart / render-equality (push) Has been cancelled
Opik Optimizer - Unit Tests / Opik Optimizer Unit Tests Python ${{matrix.python_version}} (push) Has been cancelled
Python BE E2E Tests / Python BE E2E (push) Has been cancelled
Python Backend Tests / run-python-backend-tests (push) Has been cancelled
Python SDK Unit Tests / Python SDK Unit Tests ${{matrix.python_version}} (push) Has been cancelled
Release Drafter / update_release_draft (push) Has been cancelled
SDK E2E Libraries Integration Tests / Check Secrets (push) Has been cancelled
SDK E2E Libraries Integration Tests / Missed OpenAI API Key Warning (push) Has been cancelled
SDK E2E Libraries Integration Tests / build-opik (push) Has been cancelled
SDK E2E Libraries Integration Tests / E2E Lib Integration Python ${{matrix.python_version}} (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-gemini) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-langchain) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-openai) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-otel) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-vercel) (push) Has been cancelled
TypeScript SDK Build & Publish / build-and-publish (push) Has been cancelled
TypeScript SDK Unit Tests / Test on Node ${{ matrix.node-version }} (push) Has been cancelled
Backend Tests / discover-tests (push) Has been cancelled
Backend Tests / ${{ matrix.name }} (push) Has been cancelled
Build and Publish SDK / build-and-publish (push) Has been cancelled
Build Opik Docker Images / set-version (push) Has been cancelled
Build Opik Docker Images / build-backend (push) Has been cancelled
Build Opik Docker Images / build-sandbox-executor-python (push) Has been cancelled
Build Opik Docker Images / build-python-backend (push) Has been cancelled
Build Opik Docker Images / build-frontend (push) Has been cancelled
Build Opik Docker Images / create-git-tag (push) Has been cancelled
ClickHouse Migration Cluster Check / validate-clickhouse-migrations (push) Has been cancelled
Docs - Publish / run (push) Has been cancelled
E2E Tests - Post Merge (v2) / 🧪 E2E v2 Tests (${{ github.event.inputs.tier || 't1' }}) (push) Has been cancelled
E2E Tests - Post Merge (v2) / 📢 Slack Notification (push) Has been cancelled
Frontend Unit Tests / Test on Node 20 (push) Has been cancelled
Guardrails E2E Tests / Select Python version matrix (push) Has been cancelled
Guardrails E2E Tests / Guardrails E2E Tests ${{matrix.python_version}} (push) Has been cancelled
Guardrails E2E Tests / 📢 Slack Notification (push) Has been cancelled
Guardrails Backend Unit Tests / Guardrails Backend Unit Tests (push) Has been cancelled
Guardrails Backend Unit Tests / 📢 Slack Notification (push) Has been cancelled
Lint Opik Helm Chart / lint-helm-chart (Helm v3.21.0) (push) Has been cancelled
Lint Opik Helm Chart / lint-helm-chart (Helm v4.2.0) (push) Has been cancelled
Lint Opik Helm Chart / unittest-helm-chart (push) Has been cancelled
194 lines
6.9 KiB
YAML
194 lines
6.9 KiB
YAML
name: Docker Vulnerability Scan
|
|
|
|
on:
|
|
schedule:
|
|
# Run Monday at midnight UTC
|
|
- cron: '0 0 * * 1'
|
|
workflow_dispatch:
|
|
inputs:
|
|
image-tag:
|
|
description: 'Image tag to scan'
|
|
required: true
|
|
default: main
|
|
type: string
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
DOCKER_REGISTRY: "ghcr.io/comet-ml/opik"
|
|
|
|
jobs:
|
|
scan-docker-images:
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
image:
|
|
- opik-backend
|
|
- opik-frontend
|
|
- opik-frontend-comet
|
|
- opik-python-backend
|
|
- opik-sandbox-executor-python
|
|
name: Scan ${{ matrix.image }}
|
|
steps:
|
|
- name: Pull Docker image
|
|
id: pull
|
|
run: |
|
|
IMAGE_URL="${{ env.DOCKER_REGISTRY }}/${{ matrix.image }}:${{ inputs.image-tag || 'main' }}"
|
|
echo "Pulling Docker image: ${IMAGE_URL}"
|
|
docker pull ${IMAGE_URL}
|
|
BASENAME=$(basename ${IMAGE_URL} | cut -d: -f1)
|
|
REPORT_NAME="trivy_${BASENAME}.txt"
|
|
echo "image-url=${IMAGE_URL}" >> "$GITHUB_OUTPUT"
|
|
echo "report-name=${REPORT_NAME}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@v0.35.0
|
|
env:
|
|
TRIVY_DISABLE_VEX_NOTICE: true
|
|
with:
|
|
image-ref: '${{ steps.pull.outputs.image-url }}'
|
|
scan-type: 'image'
|
|
format: 'table'
|
|
ignore-unfixed: 'false'
|
|
output: '${{ steps.pull.outputs.report-name }}'
|
|
scanners: vuln
|
|
severity: 'CRITICAL,HIGH'
|
|
hide-progress: true
|
|
timeout: 10m0s
|
|
|
|
- name: Set outputs
|
|
id: set-outputs
|
|
run: |
|
|
REPORT_NAME="${{ steps.pull.outputs.report-name }}"
|
|
echo "report-file=${REPORT_NAME}" >> "$GITHUB_OUTPUT"
|
|
if [ -f "${REPORT_NAME}" ]; then
|
|
echo "Report generated: ${REPORT_NAME}"
|
|
ls -lh "${REPORT_NAME}"
|
|
else
|
|
echo "Warning: Report file not found at ${REPORT_NAME}"
|
|
fi
|
|
|
|
- name: Write to job summary
|
|
run: |
|
|
{
|
|
echo "## Trivy Vulnerability Scan: \`${{ steps.pull.outputs.image-url }}\`"
|
|
echo ""
|
|
echo "<details><summary>Click to expand report</summary>"
|
|
echo ""
|
|
echo '```'
|
|
cat "${{ steps.pull.outputs.report-name }}" 2>/dev/null || echo "Report not found"
|
|
echo '```'
|
|
echo ""
|
|
echo "</details>"
|
|
} >> "$GITHUB_STEP_SUMMARY"
|
|
|
|
- name: Upload scan results as artifact
|
|
uses: actions/upload-artifact@v7
|
|
with:
|
|
name: trivy-scan-${{ matrix.image }}
|
|
path: ${{ steps.pull.outputs.report-name }}
|
|
retention-days: 30
|
|
if-no-files-found: warn
|
|
|
|
- name: Checkout scripts
|
|
uses: actions/checkout@v6
|
|
with:
|
|
sparse-checkout: scripts/analyze_trivy_report.sh
|
|
sparse-checkout-cone-mode: false
|
|
path: repo
|
|
|
|
- name: Analyze vulnerabilities
|
|
id: analyze
|
|
run: |
|
|
./repo/scripts/analyze_trivy_report.sh \
|
|
"${{ steps.pull.outputs.report-name }}" \
|
|
"${{ steps.pull.outputs.image-url }}" \
|
|
--workflow-url "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
|
|
--artifact-name "trivy-scan-${{ matrix.image }}"
|
|
|
|
- name: Format base image Slack message
|
|
if: steps.analyze.outputs.has-base-image-vulns == 'true'
|
|
id: format-base
|
|
env:
|
|
MESSAGE: ${{ steps.analyze.outputs.base-image-message }}
|
|
MENTION: ${{ secrets.SLACK_MENTION_USERS }}
|
|
run: |
|
|
python3 << 'PYTHON_SCRIPT'
|
|
import re, os
|
|
input_message = os.environ.get('MESSAGE', '').strip()
|
|
mention = os.environ.get('MENTION', '').strip()
|
|
result = re.sub(r"'(.*?)'", r"`\1`", input_message)
|
|
if mention:
|
|
# Ensure each user ID is wrapped in <@...> for Slack mention syntax
|
|
parts = mention.split()
|
|
wrapped = ' '.join(
|
|
uid if uid.startswith('<@') else f'<@{uid}>'
|
|
for uid in parts
|
|
)
|
|
result = wrapped + '\n\n' + result
|
|
with open(os.environ.get('GITHUB_OUTPUT', '/dev/null'), 'a') as f:
|
|
f.write('message<<EOF\n')
|
|
f.write(result)
|
|
f.write('\nEOF\n')
|
|
PYTHON_SCRIPT
|
|
|
|
- name: Format app Slack message
|
|
if: steps.analyze.outputs.has-app-vulns == 'true'
|
|
id: format-app
|
|
env:
|
|
MESSAGE: ${{ steps.analyze.outputs.app-message }}
|
|
MENTION: ${{ secrets.SLACK_MENTION_USERS }}
|
|
run: |
|
|
python3 << 'PYTHON_SCRIPT'
|
|
import re, os
|
|
input_message = os.environ.get('MESSAGE', '').strip()
|
|
mention = os.environ.get('MENTION', '').strip()
|
|
result = re.sub(r"'(.*?)'", r"`\1`", input_message)
|
|
if mention:
|
|
# Ensure each user ID is wrapped in <@...> for Slack mention syntax
|
|
parts = mention.split()
|
|
wrapped = ' '.join(
|
|
uid if uid.startswith('<@') else f'<@{uid}>'
|
|
for uid in parts
|
|
)
|
|
result = wrapped + '\n\n' + result
|
|
with open(os.environ.get('GITHUB_OUTPUT', '/dev/null'), 'a') as f:
|
|
f.write('message<<EOF\n')
|
|
f.write(result)
|
|
f.write('\nEOF\n')
|
|
PYTHON_SCRIPT
|
|
|
|
- name: Notify Slack - base image vulnerabilities
|
|
if: steps.analyze.outputs.has-base-image-vulns == 'true'
|
|
uses: rtCamp/action-slack-notify@v2
|
|
env:
|
|
SLACK_WEBHOOK: ${{ secrets.SLACK_VULNERABILITY_WEBHOOK_URL }}
|
|
SLACK_COLOR: warning
|
|
SLACK_USERNAME: 'GitHub Actions'
|
|
SLACK_ICON: 'https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png'
|
|
SLACK_LINK_NAMES: true
|
|
MSG_MINIMAL: false
|
|
ENABLE_ESCAPES: true
|
|
SLACK_TITLE: ${{ steps.analyze.outputs.base-image-title }}
|
|
SLACK_MESSAGE: |
|
|
*Run:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}>
|
|
${{ steps.format-base.outputs.message }}
|
|
|
|
- name: Notify Slack - application vulnerabilities
|
|
if: steps.analyze.outputs.has-app-vulns == 'true'
|
|
uses: rtCamp/action-slack-notify@v2
|
|
env:
|
|
SLACK_WEBHOOK: ${{ secrets.SLACK_VULNERABILITY_WEBHOOK_URL }}
|
|
SLACK_COLOR: danger
|
|
SLACK_USERNAME: 'GitHub Actions'
|
|
SLACK_ICON: 'https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png'
|
|
SLACK_LINK_NAMES: true
|
|
MSG_MINIMAL: false
|
|
ENABLE_ESCAPES: true
|
|
SLACK_TITLE: ${{ steps.analyze.outputs.app-title }}
|
|
SLACK_MESSAGE: |
|
|
*Run:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}>
|
|
${{ steps.format-app.outputs.message }}
|