
Commit 0d38a89

Run Trivy scan FS for rocm+pytorch image due to resource constraints
1 parent dbeac5b commit 0d38a89


1 file changed

+41
-15
lines changed


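--- a/.github/workflows/build-notebooks-TEMPLATE.yaml
+++ b/.github/workflows/build-notebooks-TEMPLATE.yaml
@@ -22,6 +22,8 @@ jobs:
 env:
 # GitHub image registry used for storing $(CONTAINER_ENGINE)'s cache
 CACHE: "ghcr.io/${{ github.repository }}/workbench-images/build-cache"
+# Targets (and their folder) that should be scanned using FS instead of IMAGE scan due to resource constraints
+TRIVY_SCAN_FS_JSON: '{"rocm-jupyter-pytorch-ubi9-python-3.9": "jupyter/rocm/pytorch/ubi9-python-3.9"}'
 
 steps:
 
@@ -138,27 +140,42 @@ jobs:
 - name: "Show podman images information"
 run: podman images
 
-- name: "pull_request|schedule: resolve image name if Trivy scan should run"
-id: resolve-image
+- name: "pull_request|schedule: resolve target if Trivy scan should run"
+id: resolve-target
 if: ${{ fromJson(inputs.github).event_name == 'pull_request' || fromJson(inputs.github).event_name == 'schedule' }}
 env:
 EVENT_NAME: ${{ fromJson(inputs.github).event_name }}
 HAS_TRIVY_LABEL: ${{ contains(fromJson(inputs.github).event.pull_request.labels.*.name, 'trivy-scan') }}
+FS_SCAN_FOLDER: ${{ fromJson(env.TRIVY_SCAN_FS_JSON)[inputs.target] }}
 run: |
 if [[ "$EVENT_NAME" == "pull_request" && "$HAS_TRIVY_LABEL" == "true" ]]; then
-IMAGE_NAME="localhost:5000/workbench-images:${{ inputs.target }}-${{ github.sha }}"
-echo "image=$IMAGE_NAME" >> $GITHUB_OUTPUT
+if [[ -n "$FS_SCAN_FOLDER" ]]; then
+TARGET="$FS_SCAN_FOLDER"
+TYPE="fs"
+else
+TARGET="localhost:5000/workbench-images:${{ inputs.target }}-${{ github.sha }}"
+TYPE="image"
+fi
 elif [[ "$EVENT_NAME" == "schedule" ]]; then
-IMAGE_NAME="ghcr.io/${{ github.repository }}/workbench-images:${{ inputs.target }}-${{ github.ref_name }}_${{ github.sha }}"
-echo "image=$IMAGE_NAME" >> $GITHUB_OUTPUT
+if [[ -n "$FS_SCAN_FOLDER" ]]; then
+TARGET="$FS_SCAN_FOLDER"
+TYPE="fs"
+else
+TARGET="ghcr.io/${{ github.repository }}/workbench-images:${{ inputs.target }}-${{ github.ref_name }}_${{ github.sha }}"
+TYPE="image"
+fi
 fi
 
-if [[ -z "$IMAGE_NAME" ]]; then
+if [[ -n "$TARGET" ]]; then
+echo "target=$TARGET" >> $GITHUB_OUTPUT
+echo "type=$TYPE" >> $GITHUB_OUTPUT
+echo "Trivy scan will run on $TARGET ($TYPE)"
+else
 echo "Trivy scan won't run"
 fi
 
 - name: Run Trivy vulnerability scanner
-if: ${{ steps.resolve-image.outputs.image }}
+if: ${{ steps.resolve-target.outputs.target }}
 run: |
 TRIVY_VERSION=0.53.0
 REPORT_FOLDER=${{ github.workspace }}/report
@@ -168,22 +185,31 @@ jobs:
 mkdir -p $REPORT_FOLDER
 cp ci/$REPORT_TEMPLATE $REPORT_FOLDER
 
-IMAGE_NAME=${{ steps.resolve-image.outputs.image }}
-echo "Scanning $IMAGE_NAME"
+SCAN_TARGET=${{ steps.resolve-target.outputs.target }}
+SCAN_TYPE=${{ steps.resolve-target.outputs.type }}
+echo "Scanning $SCAN_TARGET ($SCAN_TYPE)"
+
+if [[ "$SCAN_TYPE" == "image" ]]; then
+SCAN_ARGS="--image-src podman --podman-host /var/run/podman/podman.sock"
+PODMAN_ARGS="-v ${PODMAN_SOCK}:/var/run/podman/podman.sock"
+elif [[ "$SCAN_TYPE" == "fs" ]]; then
+WORKSPACE_FOLDER="/workspace"
+SCAN_TARGET="$WORKSPACE_FOLDER/$SCAN_TARGET"
+PODMAN_ARGS="-v ${{ github.workspace }}:$WORKSPACE_FOLDER"
+fi
 
 # have trivy access podman socket,
 # https://github.com/aquasecurity/trivy/issues/580#issuecomment-666423279
 podman run --rm \
--v ${PODMAN_SOCK}:/var/run/podman/podman.sock \
+$PODMAN_ARGS \
 -v ${REPORT_FOLDER}:/report \
 docker.io/aquasec/trivy:$TRIVY_VERSION \
-image \
---image-src podman \
---podman-host /var/run/podman/podman.sock \
+$SCAN_TYPE \
+$SCAN_ARGS \
 --scanners vuln --ignore-unfixed \
 --exit-code 0 --timeout 30m \
 --format template --template "@/report/$REPORT_TEMPLATE" -o /report/$REPORT_FILE \
-$IMAGE_NAME
+$SCAN_TARGET
 
 cat $REPORT_FOLDER/$REPORT_FILE >> $GITHUB_STEP_SUMMARY
 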
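Review bot: The new `fs` branch mounts the entire checkout read-write into the scanner container although Trivy only needs to read the target subfolder, so the mount should be read-only, `PODMAN_ARGS="-v ${{ github.workspace }}:$WORKSPACE_FOLDER:ro"` (the podman socket mount in the `image` branch is the pre-existing pattern and is not changed by this commit). An `fs` scan of the Dockerfile folder also finds only what Trivy can detect in that source tree (lockfiles and manifests), not the OS packages baked into the built image, so for the targets listed in `TRIVY_SCAN_FS_JSON` the step summary reports a partial result; a comment above the `if [[ "$SCAN_TYPE" == "image" ]]` line such as `# fs scans cover only the source tree, not the OS packages of the built image (see TRIVY_SCAN_FS_JSON)` would make that visible to whoever reads the report. Passing `$PODMAN_ARGS` and `$SCAN_ARGS` unquoted relies on word splitting and breaks if `${{ github.workspace }}` ever contains a space; bash arrays (`PODMAN_ARGS=(-v ...)` expanded as `"${PODMAN_ARGS[@]}"`) would be the robust form. The `run: |` block this hunk edits starts in the previous hunk under "Run Trivy vulnerability scanner".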
