1+ name : V1 Security Tests Python Images
2+
3+ on :
4+ push :
5+ branches : [ master ]
6+ pull_request :
7+ # TODO remove release-1.19.0-prep before merge to master
8+ branches :
9+ - master
10+ - release-1.19.0-prep
11+ workflow_dispatch :
12+ jobs :
13+ build-upload-scan-base-images :
14+ runs-on : ubuntu-latest
15+ outputs :
16+ conda_tar : conda-image.tar
17+ python_tar : python-image.tar
18+ steps :
19+ - uses : actions/checkout@v4
20+
21+ - name : Free up disk space (android, haskell, dotnet)
22+ run : |
23+ sudo rm -rf /usr/local/lib/android || true
24+ sudo rm -rf /opt/ghc || true
25+ sudo rm -rf /usr/share/dotnet || true
26+ df -h
27+
28+ name : Set up Docker Buildx
29+ uses : docker/setup-buildx-action@v3
30+
31+ # Build and scan the Conda base image
32+ - name : Generate and set docker Conda image tag
33+ run : |
34+ TAG_CONDA="sec-tests/conda-base-$(date +%s)-$(openssl rand -hex 4)"
35+ echo "CONDA_BASE_IMAGE=$TAG_CONDA" >> $GITHUB_ENV
36+ TAG_PYTHON="sec-tests/python-base-$(date +%s)-$(openssl rand -hex 4)"
37+ echo "PYTHON_BASE_IMAGE=$TAG_PYTHON" >> $GITHUB_ENV
38+ echo "Generated tag: PYTHON_BASE_IMAGE"
39+ name : Build (Conda Base Image)
40+ working-directory : ./wrappers/s2i/python
41+ run : |
42+ make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test docker-build-conda-base
43+ docker save -o /tmp/conda-image.tar ${{ env.CONDA_BASE_IMAGE}}:test
44+ name : Scan Conda image
45+ id : scan-conda
46+ uses : snyk/actions/docker@master
47+ continue-on-error : true
48+ env :
49+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
50+ with :
51+ image : ${{ env.CONDA_BASE_IMAGE}}:test
52+ args : --fail-on=upgradable --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile.conda
53+
54+ # Build and scan the Python Wrapper base image
55+ - name : Build (Base Wrapper)
56+ working-directory : ./wrappers/s2i/python
57+ run : |
58+ make CONDA_BASE_IMAGE=${{ env.CONDA_BASE_IMAGE}} VERSION=test IMAGE_NAME=${{ env.PYTHON_BASE_IMAGE}} docker-build PYTHON_VERSION=3.12.12 CONDA_VERSION=25.3.1 BASE_IMAGE=$${{ env.CONDA_BASE_IMAGE }}
59+ docker save -o /tmp/python-base-image.tar ${{ env.PYTHON_BASE_IMAGE}}:test
60+ name : Scan Python base image
61+ id : scan-python-base
62+ uses : snyk/actions/docker@master
63+ continue-on-error : true
64+ env :
65+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
66+ with :
67+ image : ${{ env.PYTHON_BASE_IMAGE}}:test
68+ args : --fail-on=upgradable --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile
69+
70+ # Upload base images
71+ - name : Upload base images
72+ uses : actions/upload-artifact@v4
73+ with :
74+ name : base-images
75+ path : |
76+ conda-image.tar
77+ python-image.tar
78+
79+ build-servers :
80+ needs : build-upload-scan-base-images
81+ runs-on : ubuntu-latest
82+ strategy :
83+ fail-fast : false
84+ matrix :
85+ server :
86+ - tfserving_proxy
87+ - sklearnserver
88+ - mlflowserver
89+ - xgboostserver
90+ steps :
91+ - uses : actions/checkout@v4
92+ - uses : actions/download-artifact@v4
93+ with :
94+ name : base-images
95+ - name : Load images
96+ run : |
97+ docker load -i conda-image.tar
98+ docker load -i python-image.tar
99+
100+ name : Install s2i CLI - needed for building the server images
101+ uses : redhat-actions/openshift-tools-installer@v1
102+ with :
103+ github_pat : ${{ github.token }}
104+ source : " github"
105+ s2i : " latest"
106+
107+ - name : Build ${{ matrix.server}}
108+ id : build-${{ matrix.server }}
109+ continue-on-error : true
110+ working-directory : ./servers/${{ matrix.server }}
111+ run : |
112+ export SERVER_IMAGE_TAG="sec-tests/${{ matrix.server }}-$(date +%s)-$(openssl rand -hex 4)"
113+ echo "SERVER_IMAGE_TAG=SERVER_IMAGE_TAG" >> $GITHUB_ENV
114+ make IMAGE_NAME=SERVER_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build
115+ name : Scan Server
116+ id : scan-${{ matrix.server}}
117+ if : steps.build-${{ matrix.server }}.outcome == 'success'
118+ uses : snyk/actions/docker@master
119+ continue-on-error : true
120+ env :
121+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
122+ with :
123+ image : ${{ env.SERVER_IMAGE_TAG}}:test
124+ args : --fail-on=upgradable --app-vulns --severity-threshold=high
125+
126+ - name : Clean up Docker image
127+ if : always()
128+ run : docker rmi ${{ env.SERVER_IMAGE_TAG}}:test
129+
130+ - name : Build (sklearn)
131+ id : build-sklearn
132+ continue-on-error : true
133+ working-directory : ./servers/sklearnserver
134+ run : |
135+ export SKLEARN_IMAGE_TAG="sec-tests/sklearn-$(date +%s)-$(openssl rand -hex 4)"
136+ echo "SKLEARN_IMAGE_TAG=$SKLEARN_IMAGE_TAG" >> $GITHUB_ENV
137+ make IMAGE_NAME=$SKLEARN_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build
138+ name : Scan sklearn
139+ id : scan-sklearn
140+ if : steps.build-sklearn.outcome == 'success'
141+ uses : snyk/actions/docker@master
142+ continue-on-error : true
143+ env :
144+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
145+ with :
146+ image : ${{ env.SKLEARN_IMAGE_TAG}}:test
147+ args : --fail-on=upgradable --app-vulns --severity-threshold=high
148+
149+ - name : Clean up Docker image
150+ if : always()
151+ run : docker rmi ${{ env.SKLEARN_IMAGE_TAG}}:test
152+
153+ - name : Build (mlflow)
154+ id : build-mlflow
155+ continue-on-error : true
156+ working-directory : ./servers/mlflowserver
157+ run : |
158+ export MLFLOW_IMAGE_TAG="sec-tests/mlflow-$(date +%s)-$(openssl rand -hex 4)"
159+ echo "MLFLOW_IMAGE_TAG=$MLFLOW_IMAGE_TAG" >> $GITHUB_ENV
160+ make IMAGE_NAME=$MLFLOW_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build
161+ name : Scan mlflow
162+ id : scan-mlflow
163+ if : steps.build-mlflow.outcome == 'success'
164+ uses : snyk/actions/docker@master
165+ continue-on-error : true
166+ env :
167+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
168+ with :
169+ image : ${{ env.MLFLOW_IMAGE_TAG}}:test
170+ args : --fail-on=upgradable --app-vulns --severity-threshold=high
171+
172+ - name : Clean up Docker image
173+ if : always()
174+ run : docker rmi ${{ env.MLFLOW_IMAGE_TAG}}:test
175+
176+ - name : Build (xgboost)
177+ id : build-xgboost
178+ continue-on-error : true
179+ working-directory : ./servers/xgboostserver
180+ run : |
181+ export XGBOOST_IMAGE_TAG="sec-tests/xgbost-$(date +%s)-$(openssl rand -hex 4)"
182+ echo "XGBOOST_IMAGE_TAG=$XGBOOST_IMAGE_TAG" >> $GITHUB_ENV
183+ make IMAGE_NAME=$XGBOOST_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}}:test docker-build
184+ name : Scan xgboost
185+ id : scan-xgboost
186+ if : steps.build-xgboost.outcome == 'success'
187+ uses : snyk/actions/docker@master
188+ continue-on-error : true
189+ env :
190+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
191+ with :
192+ image : ${{ env.XGBOOST_IMAGE_TAG}}:test
193+ args : --fail-on=upgradable --app-vulns --severity-threshold=high
194+
195+ - name : Clean up Docker image
196+ if : always()
197+ run : docker rmi ${{ env.XGBOOST_IMAGE_TAG}}:test
198+
199+ - name : Build (alibi explain)
200+ id : build-alibi-explain
201+ continue-on-error : true
202+ working-directory : ./components/alibi-explain-server
203+ run : |
204+ export ALIBI_EXPLAIN_IMAGE_TAG="sec-tests/alibi-explain-$(date +%s)-$(openssl rand -hex 4)"
205+ echo "ALIBI_EXPLAIN_IMAGE_TAG=$ALIBI_EXPLAIN_IMAGE_TAG" >> $GITHUB_ENV
206+ make IMAGE=$ALIBI_EXPLAIN_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}} docker-build
207+ name : Scan alibi explain
208+ id : scan-alibi-explain
209+ if : steps.build-alibi-explain.outcome == 'success'
210+ uses : snyk/actions/docker@master
211+ continue-on-error : true
212+ env :
213+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
214+ with :
215+ image : ${{ env.ALIBI_EXPLAIN_IMAGE_TAG}}:test
216+ args : --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-explain-server/Dockerfile
217+
218+ - name : Clean up Docker image
219+ if : always()
220+ run : docker rmi ${{ env.ALIBI_EXPLAIN_IMAGE_TAG}}:test
221+
222+ - name : Build (alibi detect)
223+ id : build-alibi-detect
224+ continue-on-error : true
225+ working-directory : ./components/alibi-detect-server
226+ run : |
227+ export ALIBI_DETECT_IMAGE_TAG="sec-tests/alibi-detect-$(date +%s)-$(openssl rand -hex 4)"
228+ echo "ALIBI_DETECT_IMAGE_TAG=$ALIBI_DETECT_IMAGE_TAG" >> $GITHUB_ENV
229+ make IMAGE=$ALIBI_DETECT_IMAGE_TAG VERSION=test BASE_IMAGE=${{ env.PYTHON_BASE_IMAGE}} docker-build
230+ name : Scan alibi detect
231+ if : steps.build-alibi-detect.outcome == 'success'
232+ uses : snyk/actions/docker@master
233+ continue-on-error : true
234+ env :
235+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
236+ with :
237+ image : ${{ env.ALIBI_DETECT_IMAGE_TAG}}:test
238+ args : --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/alibi-detect-server/Dockerfile
239+
240+ - name : Check for image scan failures
241+ if : always()
242+ run : |
243+ if [ "${{ steps.scan-alibi-explain.outcome }}" != "success" ] || \
244+ [ "${{ steps.scan-alibi-detect.outcome }}" != "success" ] || \
245+ [ "${{ steps.scan-xgboost.outcome }}" != "success" ] || \
246+ [ "${{ steps.scan-sklearn.outcome }}" != "success" ] || \
247+ [ "${{ steps.scan-tfserving-proxy.outcome }}" != "success" ] || \
248+ [ "${{ steps.scan-python-base.outcome }}" != "success" ] || \
249+ [ "${{ steps.scan-conda.outcome }}" != "success" ] || \
250+ [ "${{ steps.scan-mlflow.outcome }}" != "success" ]; then
251+ echo "One or more docker image scans did not succeed"
252+ exit 1
253+ fi
0 commit comments