Files
comet-ml--opik/.github/workflows/docker-vulnerability-scan.yaml
wehub-resource-sync 5a558eb09e
TypeScript SDK Compatibility V1.x E2E Tests / Select Node version matrix (push) Has been cancelled
TypeScript SDK Compatibility V1.x E2E Tests / TypeScript SDK Compatibility V1.x E2E Tests Node ${{matrix.node_version}} (push) Has been cancelled
TypeScript SDK E2E Tests / TypeScript SDK E2E Tests Node ${{matrix.node_version}} (push) Has been cancelled
Opik Optimizer - E2E Tests / build-opik (push) Has been cancelled
TypeScript SDK Compatibility V1.x E2E Tests / build-opik (push) Has been cancelled
Python SDK E2E Tests / Select Python version matrix (push) Has been cancelled
Python SDK E2E Tests / Python SDK E2E Tests ${{matrix.python_version}} (push) Has been cancelled
Python SDK E2E Tests / build-opik (push) Has been cancelled
Python SDK Compatibility V1.x E2E Tests / Select Python version matrix (push) Has been cancelled
Python SDK Compatibility V1.x E2E Tests / Python SDK Compatibility V1.x E2E Tests ${{matrix.python_version}} (push) Has been cancelled
Python SDK Compatibility V1.x E2E Tests / build-opik (push) Has been cancelled
TypeScript SDK E2E Tests / Select Node version matrix (push) Has been cancelled
TypeScript SDK E2E Tests / build-opik (push) Has been cancelled
Opik Optimizer - E2E Tests / Opik Optimizer E2E Tests Python ${{matrix.python_version}} (push) Has been cancelled
Opik Optimizer - E2E Tests / Opik Optimizer Integration Smoke Tests (push) Has been cancelled
🐙 Code Quality / detect (push) Has been cancelled
🐙 Code Quality / lint (${{ matrix.leg.name }}) (push) Has been cancelled
🐙 Code Quality / summary (push) Has been cancelled
TypeScript SDK Library Integration Tests / Check Secrets (push) Has been cancelled
TypeScript SDK Library Integration Tests / opik-vercel (Vercel AI SDK / eve) (push) Has been cancelled
SDK Library Integration Tests Runner / Check Secrets (push) Has been cancelled
SDK Library Integration Tests Runner / Missed OpenAI API Key Warning (push) Has been cancelled
SDK Library Integration Tests Runner / Build (push) Has been cancelled
SDK Library Integration Tests Runner / openai_tests (push) Has been cancelled
SDK Library Integration Tests Runner / langchain_tests (push) Has been cancelled
SDK Library Integration Tests Runner / langchain_legacy_tests (push) Has been cancelled
SDK Library Integration Tests Runner / llama_index_tests (push) Has been cancelled
SDK Library Integration Tests Runner / anthropic_tests (push) Has been cancelled
SDK Library Integration Tests Runner / mistral_tests (push) Has been cancelled
SDK Library Integration Tests Runner / groq_tests (push) Has been cancelled
SDK Library Integration Tests Runner / aisuite_tests (push) Has been cancelled
SDK Library Integration Tests Runner / haystack_tests (push) Has been cancelled
SDK Library Integration Tests Runner / dspy_tests (push) Has been cancelled
SDK Library Integration Tests Runner / crewai_v0_tests (push) Has been cancelled
SDK Library Integration Tests Runner / crewai_v1_tests (push) Has been cancelled
SDK Library Integration Tests Runner / genai_tests (push) Has been cancelled
SDK Library Integration Tests Runner / adk_tests (push) Has been cancelled
SDK Library Integration Tests Runner / adk_legacy_1_3_0_tests (push) Has been cancelled
SDK Library Integration Tests Runner / evaluation_metrics_tests (push) Has been cancelled
SDK Library Integration Tests Runner / bedrock_tests (push) Has been cancelled
SDK Library Integration Tests Runner / litellm_tests (push) Has been cancelled
SDK Library Integration Tests Runner / harbor_tests (push) Has been cancelled
SDK Library Integration Tests Runner / Slack Notification (push) Has been cancelled
Lint Opik Helm Chart / render-equality (push) Has been cancelled
Opik Optimizer - Unit Tests / Opik Optimizer Unit Tests Python ${{matrix.python_version}} (push) Has been cancelled
Python BE E2E Tests / Python BE E2E (push) Has been cancelled
Python Backend Tests / run-python-backend-tests (push) Has been cancelled
Python SDK Unit Tests / Python SDK Unit Tests ${{matrix.python_version}} (push) Has been cancelled
Release Drafter / update_release_draft (push) Has been cancelled
SDK E2E Libraries Integration Tests / Check Secrets (push) Has been cancelled
SDK E2E Libraries Integration Tests / Missed OpenAI API Key Warning (push) Has been cancelled
SDK E2E Libraries Integration Tests / build-opik (push) Has been cancelled
SDK E2E Libraries Integration Tests / E2E Lib Integration Python ${{matrix.python_version}} (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-gemini) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-langchain) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-openai) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-otel) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-vercel) (push) Has been cancelled
TypeScript SDK Build & Publish / build-and-publish (push) Has been cancelled
TypeScript SDK Unit Tests / Test on Node ${{ matrix.node-version }} (push) Has been cancelled
Backend Tests / discover-tests (push) Has been cancelled
Backend Tests / ${{ matrix.name }} (push) Has been cancelled
Build and Publish SDK / build-and-publish (push) Has been cancelled
Build Opik Docker Images / set-version (push) Has been cancelled
Build Opik Docker Images / build-backend (push) Has been cancelled
Build Opik Docker Images / build-sandbox-executor-python (push) Has been cancelled
Build Opik Docker Images / build-python-backend (push) Has been cancelled
Build Opik Docker Images / build-frontend (push) Has been cancelled
Build Opik Docker Images / create-git-tag (push) Has been cancelled
ClickHouse Migration Cluster Check / validate-clickhouse-migrations (push) Has been cancelled
Docs - Publish / run (push) Has been cancelled
E2E Tests - Post Merge (v2) / 🧪 E2E v2 Tests (${{ github.event.inputs.tier || 't1' }}) (push) Has been cancelled
E2E Tests - Post Merge (v2) / 📢 Slack Notification (push) Has been cancelled
Frontend Unit Tests / Test on Node 20 (push) Has been cancelled
Guardrails E2E Tests / Select Python version matrix (push) Has been cancelled
Guardrails E2E Tests / Guardrails E2E Tests ${{matrix.python_version}} (push) Has been cancelled
Guardrails E2E Tests / 📢 Slack Notification (push) Has been cancelled
Guardrails Backend Unit Tests / Guardrails Backend Unit Tests (push) Has been cancelled
Guardrails Backend Unit Tests / 📢 Slack Notification (push) Has been cancelled
Lint Opik Helm Chart / lint-helm-chart (Helm v3.21.0) (push) Has been cancelled
Lint Opik Helm Chart / lint-helm-chart (Helm v4.2.0) (push) Has been cancelled
Lint Opik Helm Chart / unittest-helm-chart (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:25:44 +08:00

194 lines
6.9 KiB
YAML

name: Docker Vulnerability Scan
on:
schedule:
# Run Monday at midnight UTC
- cron: '0 0 * * 1'
workflow_dispatch:
inputs:
image-tag:
description: 'Image tag to scan'
required: true
default: main
type: string
permissions:
contents: read
env:
DOCKER_REGISTRY: "ghcr.io/comet-ml/opik"
jobs:
scan-docker-images:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image:
- opik-backend
- opik-frontend
- opik-frontend-comet
- opik-python-backend
- opik-sandbox-executor-python
name: Scan ${{ matrix.image }}
steps:
- name: Pull Docker image
id: pull
run: |
IMAGE_URL="${{ env.DOCKER_REGISTRY }}/${{ matrix.image }}:${{ inputs.image-tag || 'main' }}"
echo "Pulling Docker image: ${IMAGE_URL}"
docker pull ${IMAGE_URL}
BASENAME=$(basename ${IMAGE_URL} | cut -d: -f1)
REPORT_NAME="trivy_${BASENAME}.txt"
echo "image-url=${IMAGE_URL}" >> "$GITHUB_OUTPUT"
echo "report-name=${REPORT_NAME}" >> "$GITHUB_OUTPUT"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@v0.35.0
env:
TRIVY_DISABLE_VEX_NOTICE: true
with:
image-ref: '${{ steps.pull.outputs.image-url }}'
scan-type: 'image'
format: 'table'
ignore-unfixed: 'false'
output: '${{ steps.pull.outputs.report-name }}'
scanners: vuln
severity: 'CRITICAL,HIGH'
hide-progress: true
timeout: 10m0s
- name: Set outputs
id: set-outputs
run: |
REPORT_NAME="${{ steps.pull.outputs.report-name }}"
echo "report-file=${REPORT_NAME}" >> "$GITHUB_OUTPUT"
if [ -f "${REPORT_NAME}" ]; then
echo "Report generated: ${REPORT_NAME}"
ls -lh "${REPORT_NAME}"
else
echo "Warning: Report file not found at ${REPORT_NAME}"
fi
- name: Write to job summary
run: |
{
echo "## Trivy Vulnerability Scan: \`${{ steps.pull.outputs.image-url }}\`"
echo ""
echo "<details><summary>Click to expand report</summary>"
echo ""
echo '```'
cat "${{ steps.pull.outputs.report-name }}" 2>/dev/null || echo "Report not found"
echo '```'
echo ""
echo "</details>"
} >> "$GITHUB_STEP_SUMMARY"
- name: Upload scan results as artifact
uses: actions/upload-artifact@v7
with:
name: trivy-scan-${{ matrix.image }}
path: ${{ steps.pull.outputs.report-name }}
retention-days: 30
if-no-files-found: warn
- name: Checkout scripts
uses: actions/checkout@v6
with:
sparse-checkout: scripts/analyze_trivy_report.sh
sparse-checkout-cone-mode: false
path: repo
- name: Analyze vulnerabilities
id: analyze
run: |
./repo/scripts/analyze_trivy_report.sh \
"${{ steps.pull.outputs.report-name }}" \
"${{ steps.pull.outputs.image-url }}" \
--workflow-url "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
--artifact-name "trivy-scan-${{ matrix.image }}"
- name: Format base image Slack message
if: steps.analyze.outputs.has-base-image-vulns == 'true'
id: format-base
env:
MESSAGE: ${{ steps.analyze.outputs.base-image-message }}
MENTION: ${{ secrets.SLACK_MENTION_USERS }}
run: |
python3 << 'PYTHON_SCRIPT'
import re, os
input_message = os.environ.get('MESSAGE', '').strip()
mention = os.environ.get('MENTION', '').strip()
result = re.sub(r"'(.*?)'", r"`\1`", input_message)
if mention:
# Ensure each user ID is wrapped in <@...> for Slack mention syntax
parts = mention.split()
wrapped = ' '.join(
uid if uid.startswith('<@') else f'<@{uid}>'
for uid in parts
)
result = wrapped + '\n\n' + result
with open(os.environ.get('GITHUB_OUTPUT', '/dev/null'), 'a') as f:
f.write('message<<EOF\n')
f.write(result)
f.write('\nEOF\n')
PYTHON_SCRIPT
- name: Format app Slack message
if: steps.analyze.outputs.has-app-vulns == 'true'
id: format-app
env:
MESSAGE: ${{ steps.analyze.outputs.app-message }}
MENTION: ${{ secrets.SLACK_MENTION_USERS }}
run: |
python3 << 'PYTHON_SCRIPT'
import re, os
input_message = os.environ.get('MESSAGE', '').strip()
mention = os.environ.get('MENTION', '').strip()
result = re.sub(r"'(.*?)'", r"`\1`", input_message)
if mention:
# Ensure each user ID is wrapped in <@...> for Slack mention syntax
parts = mention.split()
wrapped = ' '.join(
uid if uid.startswith('<@') else f'<@{uid}>'
for uid in parts
)
result = wrapped + '\n\n' + result
with open(os.environ.get('GITHUB_OUTPUT', '/dev/null'), 'a') as f:
f.write('message<<EOF\n')
f.write(result)
f.write('\nEOF\n')
PYTHON_SCRIPT
- name: Notify Slack - base image vulnerabilities
if: steps.analyze.outputs.has-base-image-vulns == 'true'
uses: rtCamp/action-slack-notify@v2
env:
SLACK_WEBHOOK: ${{ secrets.SLACK_VULNERABILITY_WEBHOOK_URL }}
SLACK_COLOR: warning
SLACK_USERNAME: 'GitHub Actions'
SLACK_ICON: 'https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png'
SLACK_LINK_NAMES: true
MSG_MINIMAL: false
ENABLE_ESCAPES: true
SLACK_TITLE: ${{ steps.analyze.outputs.base-image-title }}
SLACK_MESSAGE: |
*Run:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}>
${{ steps.format-base.outputs.message }}
- name: Notify Slack - application vulnerabilities
if: steps.analyze.outputs.has-app-vulns == 'true'
uses: rtCamp/action-slack-notify@v2
env:
SLACK_WEBHOOK: ${{ secrets.SLACK_VULNERABILITY_WEBHOOK_URL }}
SLACK_COLOR: danger
SLACK_USERNAME: 'GitHub Actions'
SLACK_ICON: 'https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png'
SLACK_LINK_NAMES: true
MSG_MINIMAL: false
ENABLE_ESCAPES: true
SLACK_TITLE: ${{ steps.analyze.outputs.app-title }}
SLACK_MESSAGE: |
*Run:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}>
${{ steps.format-app.outputs.message }}