Commit 102341b

fix(build): check for CVEs before merge (#6869)
* test locally built img
* fix action
* fix env var
* docker file context
* docker file context
* remove comments
* fail when issues found
* change env var
* fix potential colliding env var
* typo
* test old vulnerable image
* test remove docker file
* test no level check
* test disable sarif
* fall on all
* run via CLI
* test exit 1 fails pipeline
* test latest version
* fail on all
* run from executor dir
* fail on everything
* re-instate snyk action
* wip
* Test building base python image and scanning image w/o pushing to repo
* fix tag
* fix tag
* fix tag
* fix tag
* fix tag
* scan sklearn
* fix build
* fix env var
* fix env var rclone
* fix tag
* fix tag
* fix perms
* run as root
* fix: run as root
* comment out to speed up
* fix root
* revert
* clean up images to fix out of disk space
* remove tox to fix out of space
* upload images to artifactory
* v4
* fix tag
* reduce docker image size
* check scan results and scan conda image
* run PR actions against temp branch, should revert before merging to master
* TODO
* trigger build
* check rclone failure explicitly
* remove obsolete file
* fail on all
* fix not reporting failure
* fix not reporting failure
  Removed file argument from Snyk scan command.
* Fix indentation in security_tests_v1.yml
* Enhance Snyk scan with SARIF output and upload
  Added SARIF output option for Snyk scan results and upload step.
* Refactor RCLONE_IMAGE_TAG and Snyk scan options
  Updated RCLONE_IMAGE_TAG format and modified Snyk scan arguments.
* run docker directly to fix mis-reporting
  Replaced snyk/actions/docker with direct Snyk CLI usage for container scanning.
* Log return code after Snyk container test
  Added echo statement to log return code after Snyk container test.
* Add debug flag to Snyk container test command
* Change Snyk command from container test to test
* Update Snyk command for container testing
* fix rclone not reporting fixable CVEs
  Updated Snyk action for Docker image scanning.
* Fix syntax error in security_tests_v1.yml
* Fix syntax error in security_tests_v1.yml
* Fix CVE rclone
1 parent bbaff03 commit 102341b

20 files changed, +348 -155 lines changed

.github/workflows/alibidetect_tests.yml

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,8 @@ on:
44
push:
55
branches: [ master ]
66
pull_request:
7-
branches: [ master ]
7+
# TODO revert before merge to master
8+
branches: [ fix/core-1-CVEs ]
89

910
jobs:
1011
lint:
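Review bot: the `pull_request` filter at new line 8 replaces `branches: [ master ]` with `branches: [ fix/core-1-CVEs ]`, so pull requests that target master no longer trigger this workflow. The added comment says this must be reverted before merging to master; restore `branches: [ master ]` before this lands, or for the test period list both as `branches: [ master, fix/core-1-CVEs ]` so coverage on master never lapses.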

.github/workflows/alibiexplainer_tests.yml

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,8 @@ on:
44
push:
55
branches: [ master ]
66
pull_request:
7-
branches: [ master ]
7+
# TODO revert before merge to master
8+
branches: [ fix/core-1-CVEs ]
89

910
jobs:
1011
lint:
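Review bot: the only safeguard against the temporary filter on new lines 7-8 reaching master is the `# TODO revert before merge to master` comment, which nothing enforces. Put the trigger change in its own commit so it can be dropped or reverted cleanly, or add a check that fails while that TODO marker is present under `.github/workflows/`.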

.github/workflows/python_lint.yml

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,8 @@ on:
44
push:
55
branches: [ master ]
66
pull_request:
7-
branches: [ master ]
7+
# TODO revert before merge to master
8+
branches: [ fix/core-1-CVEs ]
89

910
jobs:
1011
python-lint:
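Review bot: with `pull_request` narrowed to `fix/core-1-CVEs` on new line 8 while `push` stays on `branches: [ master ]`, `python-lint` would run for master only after a change has already been pushed there. If the filter is not reverted, lint failures appear post-merge instead of blocking the pull request.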

.github/workflows/python_tests.yml

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,8 @@ on:
44
push:
55
branches: [ master ]
66
pull_request:
7-
branches: [ master ]
7+
# TODO revert before merge to master
8+
branches: [ fix/core-1-CVEs ]
89

910
jobs:
1011
python-tests:
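Review bot: new line 8 hard-codes the working branch `fix/core-1-CVEs` as the only `pull_request` base. If that branch is deleted after merge, no pull request can match the filter and `python-tests` stops running on pull requests entirely; keep `master` in the list.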

.github/workflows/security_image_tests_v1.yml

Lines changed: 0 additions & 112 deletions
This file was deleted.
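Review bot: this removes all 112 lines of `security_image_tests_v1.yml`, and the page shows no replacement workflow. Since the commit's stated goal is to check for CVEs before merge, confirm that the workflow named in the commit message (`security_tests_v1.yml`) covers every image the deleted file scanned, and that its `pull_request` trigger is not left pointing at the temporary branch.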
