fix(notebooks): Upgraded or marked as untested few notebooks with `alibi-detect-server` references #64

Workflow file for this run

.github/workflows/security_tests_v1.yml at 5d28474

	name: V1 Security Tests

	on:
	push:
	branches: [ master ]
	pull_request:
	# TODO revert before merge to master
	branches: [ release-1.19.0-prep ]
	workflow_dispatch:

	env:
	GOLANG_VERSION: 1.20.9

	jobs:
	python:
	runs-on: ubuntu-latest
	container: snyk/snyk:python-3.8
	steps:
	- uses: actions/checkout@v2
	- name: security-python
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	run: \|
	pip install -e python/.
	snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high

	image-executor:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Generate and set docker image tag
	run: \|
	TAG="executor-test-$(date +%s)-$(openssl rand -hex 4)"
	echo "SELDON_EXECUTOR_IMG=$TAG" >> $GITHUB_ENV
	echo "Generated tag: SELDON_EXECUTOR_IMG"
	- name: Build docker image
	working-directory: ./executor/
	env:
	VERSION: ${{ steps.docker-tag.outputs.value }}
	run: \|
	make docker-build
	- name: Scan docker image for CVEs
	uses: snyk/actions/docker@master
	continue-on-error: false
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.SELDON_EXECUTOR_IMG }}
	args: --app-vulns --severity-threshold=high --file=executor/Dockerfile.executor

	image-operator:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Generate and set docker image tag
	run: \|
	TAG="operator-test-$(date +%s)-$(openssl rand -hex 4)"
	echo "SELDON_OPERATOR_IMG=$TAG" >> $GITHUB_ENV
	echo "Generated tag: SELDON_OPERATOR_IMG"
	- name: Build docker image
	working-directory: ./operator/
	env:
	VERSION: ${{ steps.docker-tag.outputs.value }}
	run: \|
	make docker-build
	- name: Scan docker image for CVEs
	uses: snyk/actions/docker@master
	continue-on-error: false
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.SELDON_OPERATOR_IMG }}
	args: --app-vulns --severity-threshold=high --file=operator/Dockerfile


	build-and-scan-python-images:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Generate and set docker Conda image tag
	run: \|
	TAG_CONDA="sec-tests/conda-base-$(date +%s)-$(openssl rand -hex 4)"
	echo "CONDA_BASE_IMAGE=$TAG_CONDA" >> $GITHUB_ENV
	TAG_PYTHON="sec-tests/python-base-$(date +%s)-$(openssl rand -hex 4)"
	echo "PYTHON_BASE_IMAGE=$TAG_PYTHON" >> $GITHUB_ENV
	echo "Generated tag: PYTHON_BASE_IMAGE"
	- name: Build (Conda Base Image)
	working-directory: ./wrappers/s2i/python
	run: \|
	make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test docker-build-conda-base
	docker save -o /tmp/conda-image.tar ${{ env.CONDA_BASE_IMAGE}}:test
	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: conda-image
	path: /tmp/conda-image.tar
	- name: Scan Conda image
	id: scan-conda
	uses: snyk/actions/docker@master
	continue-on-error: true
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.CONDA_BASE_IMAGE}}:test
	args: --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile.conda

	- name: Build (Base Wrapper)
	working-directory: ./wrappers/s2i/python
	run: \|
	make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test IMAGE_NAME=${{ env.PYTHON_BASE_IMAGE}} docker-build PYTHON_VERSION=3.8.10
	docker save -o /tmp/python-base-image.tar ${{ env.PYTHON_BASE_IMAGE}}:test
	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: python-base-image
	path: /tmp/python-base-image.tar
	- name: Scan Python base image
	id: scan-python-base
	uses: snyk/actions/docker@master
	continue-on-error: true
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.PYTHON_BASE_IMAGE}}:test
	args: --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile

	- name: Install CLI tools from OpenShift Mirror
	uses: redhat-actions/openshift-tools-installer@v1
	with:
	github_pat: ${{ github.token }}
	source: "github"
	s2i: "latest"


	- name: Build (tfserving proxy)
	id: build-tfserving-proxy
	continue-on-error: true
	working-directory: ./servers/tfserving_proxy
	run: \|
	export TFSERVING_IMAGE_TAG="sec-tests/tfserving-$(date +%s)-$(openssl rand -hex 4)"
	echo "TFSERVING_IMAGE_TAG=$TFSERVING_IMAGE_TAG" >> $GITHUB_ENV
	make IMAGE_NAME=$TFSERVING_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build
	- name: Scan TF-serving proxy
	id: scan-tfserving-proxy
	if: steps.build-tfserving-proxy.outcome == 'success'
	uses: snyk/actions/docker@master
	continue-on-error: true
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.TFSERVING_IMAGE_TAG}}:test
	args: --fail-on=upgradable --app-vulns --severity-threshold=high

	- name: Clean up Docker image
	if: always()
	run: docker rmi ${{ env.SKLEARN_IMAGE_TAG}}:test

	- name: Build (sklearn)
	id: build-sklearn
	continue-on-error: true
	working-directory: ./servers/sklearnserver
	run: \|
	export SKLEARN_IMAGE_TAG="sec-tests/sklearn-$(date +%s)-$(openssl rand -hex 4)"
	echo "SKLEARN_IMAGE_TAG=$SKLEARN_IMAGE_TAG" >> $GITHUB_ENV
	make IMAGE_NAME=$SKLEARN_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build
	- name: Scan sklearn
	id: scan-sklearn
	if: steps.build-sklearn.outcome == 'success'
	uses: snyk/actions/docker@master
	continue-on-error: true
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.SKLEARN_IMAGE_TAG}}:test
	args: --fail-on=upgradable --app-vulns --severity-threshold=high

	- name: Clean up Docker image
	if: always()
	run: docker rmi ${{ env.SKLEARN_IMAGE_TAG}}:test

	- name: Build (mlflow)
	id: build-mlflow
	continue-on-error: true
	working-directory: ./servers/mlflowserver
	run: \|
	export MLFLOW_IMAGE_TAG="sec-tests/mlflow-$(date +%s)-$(openssl rand -hex 4)"
	echo "MLFLOW_IMAGE_TAG=$MLFLOW_IMAGE_TAG" >> $GITHUB_ENV
	make IMAGE_NAME=$MLFLOW_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build
	- name: Scan mlflow
	id: scan-mlflow
	if: steps.build-mlflow.outcome == 'success'
	uses: snyk/actions/docker@master
	continue-on-error: true
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.MLFLOW_IMAGE_TAG}}:test
	args: --fail-on=upgradable --app-vulns --severity-threshold=high


	- name: Clean up Docker image
	if: always()
	run: docker rmi ${{ env.MLFLOW_IMAGE_TAG}}:test

	- name: Build (xgboost)
	id: build-xgboost
	continue-on-error: true
	working-directory: ./servers/xgboostserver
	run: \|
	export XGBOOST_IMAGE_TAG="sec-tests/xgbost-$(date +%s)-$(openssl rand -hex 4)"
	echo "XGBOOST_IMAGE_TAG=$XGBOOST_IMAGE_TAG" >> $GITHUB_ENV
	make IMAGE_NAME=$XGBOOST_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build
	- name: Scan xgboost
	id: scan-xgboost
	if: steps.build-xgboost.outcome == 'success'
	uses: snyk/actions/docker@master
	continue-on-error: true
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.XGBOOST_IMAGE_TAG}}:test
	args: --fail-on=upgradable --app-vulns --severity-threshold=high

	- name: Clean up Docker image
	if: always()
	run: docker rmi ${{ env.XGBOOST_IMAGE_TAG}}:test

	- name: Build (alibi explain)
	id: build-alibi-explain
	continue-on-error: true
	working-directory: ./components/alibi-explain-server
	run: \|
	export ALIBI_EXPLAIN_IMAGE_TAG="sec-tests/alibi-explain-$(date +%s)-$(openssl rand -hex 4)"
	echo "ALIBI_EXPLAIN_IMAGE_TAG=$ALIBI_EXPLAIN_IMAGE_TAG" >> $GITHUB_ENV
	make IMAGE=$ALIBI_EXPLAIN_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}} docker-build
	- name: Scan alibi explain
	id: scan-alibi-explain
	if: steps.build-alibi-explain.outcome == 'success'
	uses: snyk/actions/docker@master
	continue-on-error: true
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.ALIBI_EXPLAIN_IMAGE_TAG}}:test
	args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-explain-server/Dockerfile


	- name: Clean up Docker image
	if: always()
	run: docker rmi ${{ env.ALIBI_EXPLAIN_IMAGE_TAG}}:test


	- name: Check for image scan failures
	if: always()
	run: \|
	if [ "${{ steps.scan-alibi-explain.outcome }}" != "success" ] \|\| \
	[ "${{ steps.scan-xgboost.outcome }}" != "success" ] \|\| \
	[ "${{ steps.scan-sklearn.outcome }}" != "success" ] \|\| \
	[ "${{ steps.scan-tfserving-proxy.outcome }}" != "success" ] \|\| \
	[ "${{ steps.scan-python-base.outcome }}" != "success" ] \|\| \
	[ "${{ steps.scan-conda.outcome }}" != "success" ] \|\| \
	[ "${{ steps.scan-mlflow.outcome }}" != "success" ]; then
	echo "One or more docker image scans did not succeed"
	exit 1
	fi

	# TODO had to comment out due to GH runner out of disk space, image can be built locally if needed, or may have to use
	# own runner
	# - name: Build (alibi detect)
	# id: build-alibi-detect
	# continue-on-error: true
	# working-directory: ./components/alibi-detect-server
	# run: \|
	# export ALIBI_DETECT_IMAGE_TAG="sec-tests/alibi-detect-$(date +%s)-$(openssl rand -hex 4)"
	# echo "ALIBI_DETECT_IMAGE_TAG=$ALIBI_DETECT_IMAGE_TAG" >> $GITHUB_ENV
	# make IMAGE=$ALIBI_DETECT_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}} docker-build
	# - name: Scan alibi detect
	# if: steps.build-alibi-detect.outcome == 'success'
	# uses: snyk/actions/docker@master
	# continue-on-error: true
	# env:
	# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	# with:
	# image: ${{ env.ALIBI_DETECT_IMAGE_TAG}}:test
	# args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-detect-server/Dockerfile

	security-image-initializer-rclone:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v2
	- name: Build (rclone initializer)
	working-directory: ./components/rclone-storage-initializer
	run: \|
	export RCLONE_IMAGE_TAG="sec-tests.io/rclone-$(date +%s)-$(openssl rand -hex 4):test"
	echo "RCLONE_IMAGE_TAG=$RCLONE_IMAGE_TAG" >> $GITHUB_ENV
	make IMAGE_TAG=$RCLONE_IMAGE_TAG docker-build
	- name: Scan rclone
	uses: snyk/actions/docker@master
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${{ env.RCLONE_IMAGE_TAG }}
	args: --app-vulns --severity-threshold=high --file=components/rclone-storage-initializer/Dockerfile

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(notebooks): Upgraded or marked as untested few notebooks with `alibi-detect-server` references #64

Workflow file

fix(notebooks): Upgraded or marked as untested few notebooks with `alibi-detect-server` references #64

Uh oh!

Workflow file for this run

fix(notebooks): Upgraded or marked as untested few notebooks with alibi-detect-server references #64

Workflow file

Workflow file for this run

fix(notebooks): Upgraded or marked as untested few notebooks with `alibi-detect-server` references #64