introduce Snyk security scans for V2 images
RafalSkolasinski committed Jan 11, 2023
1 parent 37255bd commit 076e049
Showing 2 changed files with 197 additions and 4 deletions.
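--- a/.github/workflows/security_tests_v2.yml
+++ b/.github/workflows/security_tests_v2.yml
@@ -0,0 +1,189 @@
+name: V2 Security Tests
+
+on:
+push:
+branches: [ v2 ]
+workflow_dispatch:
+inputs:
+docker-tag:
+description: 'Docker tag for scan'
+default: 'latest'
+required: false
+
+jobs:
+security-operator:
+runs-on: ubuntu-latest
+container: snyk/snyk:golang
+steps:
+- uses: actions/checkout@v2
+- name: security-golang
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+run: |
+make -C operator fmt
+snyk test --file=operator/go.mod --fail-on=upgradable --severity-threshold=high
+security-scheduler:
+runs-on: ubuntu-latest
+container: snyk/snyk:golang
+steps:
+- uses: actions/checkout@v2
+- name: security-golang
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+run: |
+make -C scheduler lint
+snyk test --file=scheduler/go.mod --fail-on=upgradable --severity-threshold=high
+security-image-operator:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set default docker tag for builds from v2 branch
+id: docker-tag
+run: |
+USER_INPUT="${{ github.event.inputs.docker-tag }}"
+echo ::set-output name=value::${USER_INPUT:-"latest"}
+- name: security-docker-image
+uses: snyk/actions/docker@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: seldonio/seldonv2-controller:${{ steps.docker-tag.outputs.value }}
+args: --fail-on=upgradable --severity-threshold=high --file=operator/Dockerfile
+
+security-image-scheduler:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set default docker tag for builds from v2 branch
+id: docker-tag
+run: |
+USER_INPUT="${{ github.event.inputs.docker-tag }}"
+echo ::set-output name=value::${USER_INPUT:-"latest"}
+- name: security-docker-image
+uses: snyk/actions/docker@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: seldonio/seldon-scheduler:${{ steps.docker-tag.outputs.value }}
+args: --fail-on=upgradable --severity-threshold=high --file=scheduler/Dockerfile.scheduler
+
+security-image-data-flow-engine:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set default docker tag for builds from v2 branch
+id: docker-tag
+run: |
+USER_INPUT="${{ github.event.inputs.docker-tag }}"
+echo ::set-output name=value::${USER_INPUT:-"latest"}
+- name: security-docker-image
+uses: snyk/actions/docker@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: seldonio/seldon-dataflow-engine:${{ steps.docker-tag.outputs.value }}
+args: --fail-on=upgradable --severity-threshold=high --file=scheduler/Dockerfile.dataflow
+
+security-image-envoy:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set default docker tag for builds from v2 branch
+id: docker-tag
+run: |
+USER_INPUT="${{ github.event.inputs.docker-tag }}"
+echo ::set-output name=value::${USER_INPUT:-"latest"}
+- name: security-docker-image
+uses: snyk/actions/docker@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: seldonio/seldon-envoy:${{ steps.docker-tag.outputs.value }}
+args: --fail-on=upgradable --severity-threshold=high --file=scheduler/Dockerfile.envoy
+
+security-image-modelgateway:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set default docker tag for builds from v2 branch
+id: docker-tag
+run: |
+USER_INPUT="${{ github.event.inputs.docker-tag }}"
+echo ::set-output name=value::${USER_INPUT:-"latest"}
+- name: security-docker-image
+uses: snyk/actions/docker@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: seldonio/seldon-modelgateway:${{ steps.docker-tag.outputs.value }}
+args: --fail-on=upgradable --severity-threshold=high --file=scheduler/Dockerfile.modelgateway
+
+security-image-pipelinegateway:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set default docker tag for builds from v2 branch
+id: docker-tag
+run: |
+USER_INPUT="${{ github.event.inputs.docker-tag }}"
+echo ::set-output name=value::${USER_INPUT:-"latest"}
+- name: security-docker-image
+uses: snyk/actions/docker@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: seldonio/seldon-pipelinegateway:${{ steps.docker-tag.outputs.value }}
+args: --fail-on=upgradable --severity-threshold=high --file=scheduler/Dockerfile.pipelinegateway
+
+security-image-agent:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set default docker tag for builds from v2 branch
+id: docker-tag
+run: |
+USER_INPUT="${{ github.event.inputs.docker-tag }}"
+echo ::set-output name=value::${USER_INPUT:-"latest"}
+- name: security-docker-image
+uses: snyk/actions/docker@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: seldonio/seldon-agent:${{ steps.docker-tag.outputs.value }}
+args: --fail-on=upgradable --severity-threshold=high --file=scheduler/Dockerfile.agent
+
+security-image-rclone:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set default docker tag for builds from v2 branch
+id: docker-tag
+run: |
+USER_INPUT="${{ github.event.inputs.docker-tag }}"
+echo ::set-output name=value::${USER_INPUT:-"latest"}
+- name: security-docker-image
+uses: snyk/actions/docker@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: seldonio/seldon-rclone:${{ steps.docker-tag.outputs.value }}
+args: --fail-on=upgradable --severity-threshold=high --file=scheduler/Dockerfile.rclone
+
+security-image-hodometer:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set default docker tag for builds from v2 branch
+id: docker-tag
+run: |
+USER_INPUT="${{ github.event.inputs.docker-tag }}"
+echo ::set-output name=value::${USER_INPUT:-"latest"}
+- name: security-docker-image
+uses: snyk/actions/docker@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: seldonio/seldon-hodometer:${{ steps.docker-tag.outputs.value }}
+args: --fail-on=upgradable --severity-threshold=high --file=hodometer/Dockerfile.hodometer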
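Review bot: Every image job's "Set default docker tag" step expands `${{ github.event.inputs.docker-tag }}` directly into the `run:` script, so the dispatch input is spliced in as shell source rather than passed as data; the input is only reachable through `workflow_dispatch`, which limits who can supply it, but the safe form is to bind it on the step with `env: USER_INPUT: ${{ github.event.inputs.docker-tag }}` and use `run: echo "value=${USER_INPUT:-latest}" >> "$GITHUB_OUTPUT"`, which also replaces the `::set-output` command that GitHub has deprecated. `snyk/actions/docker@master` is referenced by a moving branch while running with `SNYK_TOKEN` in its environment; pin it to a release tag or commit SHA as the checkout action already is. In the `security-scheduler` job, `SNYK_TOKEN` is exported for the whole step, so it is also present while `make -C scheduler lint` installs golangci-lint by piping an unpinned `install.sh` to `sh` (visible in the Makefile section of this commit); since `snyk test --file=scheduler/go.mod` does not depend on the lint or fmt targets, consider dropping those calls from the scan steps or scoping the token to the `snyk test` command alone. The image tag defaults to `latest` from the registry, so on a `push` the scan presumably covers whatever was last published rather than this commit's build — worth confirming that the image workflow runs first. Finally, the nine image jobs differ only in image name and Dockerfile path and would read more clearly as one job with a `strategy.matrix` over those two values.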
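--- a/scheduler/Makefile
+++ b/scheduler/Makefile
@@ -69,10 +69,14 @@ build: build-go build-jvm
 .GOLANGCILINT_VERSION := v1.48.0
 .GOLANGCILINT_PATH := $(shell go env GOPATH)/bin/golangci-lint/$(.GOLANGCILINT_VERSION)
 
-${.GOLANGCILINT_PATH}/golangci-lint:
+${.GOLANGCILINT_PATH}/golangci-lint:
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh \
 | sh -s -- -b ${.GOLANGCILINT_PATH} ${.GOLANGCILINT_VERSION}
 
+.PHONY: fmt
+fmt: ## Run go fmt against code.
+go fmt ./...
+
 .PHONY: lint
 lint: ${.GOLANGCILINT_PATH}/golangci-lint
 gofmt -w pkg
@@ -581,8 +585,8 @@ start-scheduler-local-mtls: export AGENT_SECURITY_PROTOCOL=SSL
 start-scheduler-local-mtls: export AGENT_TLS_CRT_LOCATION=${PWD}/testing/certs/server/tls.crt
 start-scheduler-local-mtls: export AGENT_TLS_KEY_LOCATION=${PWD}/testing/certs/server/tls.key
 start-scheduler-local-mtls: export AGENT_TLS_CA_LOCATION=${PWD}/testing/certs/server/ca.crt
-start-scheduler-local-mtls:
-./bin/scheduler --log-level debug --db-path "${DB_PATH_LOCAL}"
+start-scheduler-local-mtls:
+./bin/scheduler --log-level debug --db-path "${DB_PATH_LOCAL}"
 
 .PHONY: clear-scheduler-state
 clear-scheduler-state:
@@ -602,7 +606,7 @@ start-agent-local-mlserver-mtls: export AGENT_SECURITY_PROTOCOL=SSL
 start-agent-local-mlserver-mtls: export AGENT_TLS_CRT_LOCATION=${PWD}/testing/certs/client/tls.crt
 start-agent-local-mlserver-mtls: export AGENT_TLS_KEY_LOCATION=${PWD}/testing/certs/client/tls.key
 start-agent-local-mlserver-mtls: export AGENT_TLS_CA_LOCATION=${PWD}/testing/certs/client/ca.crt
-start-agent-local-mlserver-mtls:
+start-agent-local-mlserver-mtls:
 ./bin/agent --agent-folder ${PWD}/mnt/mlserver --inference-http-port 8080 --inference-grpc-port 8081 --scheduler-host "0.0.0.0" --scheduler-port 9005 --reverse-proxy-http-port 9999 --reverse-proxy-grpc-port 9998 --debug-grpc-port 7777 --metrics-port 9006 \
 --server-type mlserver \
 --log-level debug \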
