
Commit 07ab2b0

author
Suma Kasa
committed
Move ecr-scan to run after integration tests
1 parent e5c1201 commit 07ab2b0


2 files changed

+63
-63
lines changed


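--- a/.github/workflows/docker-nightly-publish.yml
+++ b/.github/workflows/docker-nightly-publish.yml
@@ -157,71 +157,10 @@ jobs:
 docker tag ${{ env.DOCKER_HUB_REPO }}:${{ env.SERVING_VERSION}}-${{ matrix.arch }}${{ env.NIGHTLY }} $tempCommitTag
 time docker push --all-tags ${{ env.AWS_ECR_REPO }}
 
-ecr-scan:
-needs: nightly-build
-runs-on: ubuntu-latest
-strategy:
-fail-fast: false
-matrix:
-arch: ${{ startsWith(inputs.arch, '[') && fromJson(inputs.arch) || fromJson(format('[{0}]', inputs.arch)) }}
-steps:
-- name: Configure AWS Credentials
-uses: aws-actions/configure-aws-credentials@v4
-with:
-role-to-assume: arn:aws:iam::185921645874:role/github-actions-djl-serving
-aws-region: us-east-1
-- name: Get image tag
-id: get-tag
-run: |
-SERVING_VERSION=$(echo "${{ needs.nightly-build.outputs.djl_version }}")
-mode=${{ inputs.mode }}
-if [[ "$mode" != "release" ]]; then
-NIGHTLY="-nightly"
-fi
-IMAGE_TAG="$SERVING_VERSION-${{ matrix.arch }}${NIGHTLY}"
-echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_OUTPUT
-- name: Get image digest
-id: get-digest
-run: |
-DIGEST=$(aws ecr describe-images \
---repository-name djl-ci-temp \
---image-ids imageTag=${{ steps.get-tag.outputs.IMAGE_TAG }} \
---region us-east-1 \
---query 'imageDetails[0].imageDigest' \
---output text)
-echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
-- name: Check Inspector findings
-run: |
-REPO_URI="185921645874.dkr.ecr.us-east-1.amazonaws.com/djl-ci-temp"
-RESOURCE_ID="${REPO_URI}@${{ steps.get-digest.outputs.DIGEST }}"
-
-echo "Checking vulnerabilities for: $RESOURCE_ID"
-sleep 30
-
-FINDINGS=$(aws inspector2 list-findings \
---filter-criteria '{"ecrImageHash":[{"comparison":"EQUALS","value":"${{ steps.get-digest.outputs.DIGEST }}"}]}' \
---region us-east-1 \
---output json)
-
-HIGH=$(echo "$FINDINGS" | jq '[.findings[] | select(.severity=="HIGH")] | length')
-CRITICAL=$(echo "$FINDINGS" | jq '[.findings[] | select(.severity=="CRITICAL")] | length')
-
-echo "Scan Results for ${{ matrix.arch }}:"
-echo "HIGH: $HIGH"
-echo "CRITICAL: $CRITICAL"
-
-if [ "$HIGH" -gt 0 ] || [ "$CRITICAL" -gt 0 ]; then
-echo "ERROR: Found HIGH or CRITICAL vulnerabilities"
-echo "$FINDINGS" | jq '.findings[] | select(.severity=="HIGH" or .severity=="CRITICAL") | {title, severity, description}'
-exit 1
-fi
-
-echo "No HIGH or CRITICAL vulnerabilities found"
-
 stop-runners:
 if: always()
 runs-on: [ self-hosted, scheduler ]
-needs: [nightly-build, create-runners, ecr-scan]
+needs: [nightly-build, create-runners]
 env:
 runner_output: ${{ toJson(needs.create-runners.outputs) }}
 steps: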

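--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -71,9 +71,70 @@ jobs:
 json_images=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${images[@]}")
 echo "images are ${json_images}"
 echo "images=${json_images}" >> "$GITHUB_OUTPUT"
+ecr-scan:
+if: always()
+needs: [determine_images_to_publish, build]
+runs-on: ubuntu-latest
+strategy:
+fail-fast: false
+matrix:
+arch: ${{ fromJson(needs.determine_images_to_publish.outputs.images) }}
+steps:
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: arn:aws:iam::185921645874:role/github-actions-djl-serving
+aws-region: us-east-1
+- name: Get image tag
+id: get-tag
+run: |
+SERVING_VERSION=$(echo "${{ needs.build.outputs.djl_version }}")
+mode=${{ inputs.mode }}
+if [[ "$mode" != "release" ]]; then
+NIGHTLY="-nightly"
+fi
+IMAGE_TAG="$SERVING_VERSION-${{ matrix.arch }}${NIGHTLY}"
+echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_OUTPUT
+- name: Get image digest
+id: get-digest
+run: |
+DIGEST=$(aws ecr describe-images \
+--repository-name djl-ci-temp \
+--image-ids imageTag=${{ steps.get-tag.outputs.IMAGE_TAG }} \
+--region us-east-1 \
+--query 'imageDetails[0].imageDigest' \
+--output text)
+echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
+- name: Check Inspector findings
+run: |
+REPO_URI="185921645874.dkr.ecr.us-east-1.amazonaws.com/djl-ci-temp"
+RESOURCE_ID="${REPO_URI}@${{ steps.get-digest.outputs.DIGEST }}"
+
+echo "Checking vulnerabilities for: $RESOURCE_ID"
+sleep 30
+
+FINDINGS=$(aws inspector2 list-findings \
+--filter-criteria '{"ecrImageHash":[{"comparison":"EQUALS","value":"${{ steps.get-digest.outputs.DIGEST }}"}]}' \
+--region us-east-1 \
+--output json)
+
+HIGH=$(echo "$FINDINGS" | jq '[.findings[] | select(.severity=="HIGH")] | length')
+CRITICAL=$(echo "$FINDINGS" | jq '[.findings[] | select(.severity=="CRITICAL")] | length')
+
+echo "Scan Results for ${{ matrix.arch }}:"
+echo "HIGH: $HIGH"
+echo "CRITICAL: $CRITICAL"
+
+if [ "$HIGH" -gt 0 ] || [ "$CRITICAL" -gt 0 ]; then
+echo "ERROR: Found HIGH or CRITICAL vulnerabilities"
+echo "$FINDINGS" | jq '.findings[] | select(.severity=="HIGH" or .severity=="CRITICAL") | {title, severity, description}'
+exit 1
+fi
+
+echo "No HIGH or CRITICAL vulnerabilities found"
 publish:
 if: always()
-needs: [determine_images_to_publish]
+needs: [determine_images_to_publish, ecr-scan]
 uses: ./.github/workflows/docker_publish.yml
 secrets: inherit
 with: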
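Review bot: Adding ecr-scan to the `needs` of `publish` does not gate publishing, because `publish` keeps `if: always()` (context lines at the end of the hunk) and so still runs after the scan step's `exit 1` on HIGH/CRITICAL findings; the `publish` job continues past the hunk, so its `with:` inputs are not visible here. If the new dependency is meant as a gate, use `if: ${{ !cancelled() && needs.ecr-scan.result == 'success' }}` on `publish`, and reconsider `if: always()` on `ecr-scan` itself, which runs the scan even when `build` failed and `needs.build.outputs.djl_version` is empty. The findings check is also fail-open: after the fixed `sleep 30`, a scan that has not completed, or an empty `DIGEST` from `describe-images`, yields an empty findings list and reaches `echo "No HIGH or CRITICAL vulnerabilities found"`; fail the step when `DIGEST` is empty and poll the image's scan status until it is complete before counting severities. `mode=${{ inputs.mode }}` expands a workflow input unquoted into the shell; reading it from an `env:` entry (`mode="$MODE"`) is the safer pattern, though whether `inputs.mode` is restricted to fixed dispatch values is defined outside the hunk.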
