PR workflow for SDLE scans#60

Merged
AhmedSeemalK merged 5 commits into opea-project:main from vhpintel:main
Apr 13, 2026
Conversation

@vhpintel
Contributor

Workflow to scan the code for Security vulnerabilities and Code quality issues. This PR has the workflow with all the below scans tested.

  • Trivy Scan
  • Bandit Scan
  • ShellCheck Scan

Copilot AI left a comment


Pull request overview

Adds a GitHub Actions workflow intended to run SDLE security/code-quality scans (Trivy, Bandit, ShellCheck) on PRs, pushes to main, and manual dispatch.

Changes:

  • Introduces a new workflow .github/workflows/code-scans.yaml with three scan jobs (Trivy FS/image, Bandit, ShellCheck).
  • Uploads scan outputs as workflow artifacts for later inspection.
  • Adds concurrency control to avoid overlapping runs per PR/ref.

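As an added example (not the workflow file from this PR), a minimal code-scans.yaml laid out the way the overview above describes it: three jobs (Trivy filesystem scan, Bandit, ShellCheck), artifacts uploaded from each, and per-ref concurrency. Action versions, the severity thresholds and the image-scan omission are assumptions; pin them to whatever the project standardizes on.

```yaml
name: code-scans

on:
  pull_request:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege: the scans only need to read the checkout.
permissions:
  contents: read

# One run per PR/ref; a newer push cancels the in-flight scan.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Filesystem scan of the repo: vulnerabilities, misconfigs and secrets.
      - uses: aquasecurity/trivy-action@0.28.0   # version is an assumption
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,misconfig,secret
          severity: HIGH,CRITICAL
          exit-code: '1'            # fail the job on HIGH/CRITICAL findings
          format: table
          output: trivy-fs.txt
      - if: always()                # keep the report even when the scan fails
        uses: actions/upload-artifact@v4
        with:
          name: trivy-fs-report
          path: trivy-fs.txt

  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install bandit
      # -x keeps vendored virtualenvs out of the scan; bandit exits non-zero on issues.
      - run: bandit -r . -x './.venv,./.venv-dataset' -f json -o bandit.json
      - if: always()
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: bandit.json

  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: sudo apt-get update && sudo apt-get install -y shellcheck
      # xargs exits 123 if any shellcheck invocation reported a warning or worse.
      - run: |
          find . -name '*.sh' -not -path './.git/*' -print0 \
            | xargs -0 -r shellcheck -S warning -f gcc > shellcheck.txt
      - if: always()
        uses: actions/upload-artifact@v4
        with:
          name: shellcheck-report
          path: shellcheck.txt
```

Each job fails independently, so a PR shows which scanner objected, and the uploaded report carries the detail without anyone needing to re-run the scan locally.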
@psurabh psurabh left a comment


Please apply the copilot changes.

@vhpintel vhpintel closed this Apr 7, 2026
@vhpintel vhpintel reopened this Apr 7, 2026
@vhpintel vhpintel requested a review from psurabh April 8, 2026 04:32
@AhmedSeemalK AhmedSeemalK merged commit 6774feb into opea-project:main Apr 13, 2026
4 checks passed
AhmedSeemalK added a commit that referenced this pull request Apr 17, 2026
* Add HybridSearch sample solution

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Fix README repo URL, model config, and add required models section

Address PR review comments: correct the git clone URL to
opea-project/Enterprise-Inference, align model configuration with
.env.example, and add a prerequisite section listing required models.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Fix docker compose command and add per-service log instructions

Use consistent `docker compose` (not `docker-compose`) and list log
commands for all individual services for thoroughness.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Add per-model APISIX gateway endpoint support

Add EMBEDDING_API_ENDPOINT, RERANKER_API_ENDPOINT, and LLM_API_ENDPOINT
config vars so each service can target its own APISIX route. When set,
the service uses the per-model URL; when unset, it falls back to
GENAI_GATEWAY_URL for GenAI Gateway compatibility. Consistent with the
pattern used by RAGChatbot and other sample solutions.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Fix reranker endpoint for Gaudi TEI and improve reranker-configuration.md

- api_client.py: Remove /v1 from reranker URL (TEI uses /rerank, not /v1/rerank);
  add model name to rerank payload per TEI API requirements
- reranker-configuration.md: Scope guide to Xeon-only deployments with a note that
  Gaudi/TEI works out of the box; remove spurious :4000 port from BASE_URL; add
  TOKEN variable setup and replace literal "Token" with ${TOKEN} in all curl commands

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Support dual reranker backends (Keycloak/APISIX + GenAI Gateway)

- api_client.py: Branch on RERANKER_API_ENDPOINT to select URL path
  (/rerank vs /v1/rerank), payload field ("texts" vs "documents"),
  and response format (flat array vs nested results)
- reranker-configuration.md: Restructure guide to cover both Keycloak
  and GenAI Gateway deployments with separate curl examples, token
  setup, and expected responses
- README.md: Add Keycloak-specific notes for per-model APISIX route
  configuration and required API endpoint variables

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Scope reranker config to GenAI Gateway only and simplify payload

- reranker-configuration.md: Scope entire guide to GenAI Gateway (LiteLLM)
  deployments; remove Keycloak/APISIX sections since reranker works out of
  the box for those deployments
- README.md: Clarify reranker post-deployment config is GenAI Gateway only;
  add note that Keycloak/APISIX needs no extra steps
- api_client.py: Send both "documents" and "texts" in rerank payload so it
  works across all backends (vLLM, TEI, LiteLLM) without branching

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Add Docugen-Microagents

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* update ReadMe and remove redundant images

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* update README and addressed Docker user change

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* fix: resolve event loop conflicts and mermaid diagram rendering

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* add .github folder

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* update README with SSL verification

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* update trivy action version

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* revert trivy version

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* Narrow reranker config scope to GenAI Gateway + Xeon and note Keycloak token TTL

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Add INFERENCE_BACKEND flag to support Gaudi TEI and Xeon vLLM

Gaudi (TEI) serves endpoints without /v1 prefix (/embeddings, /rerank)
while Xeon (vLLM) uses the /v1 prefix (/v1/embeddings, /v1/rerank).

- Add INFERENCE_BACKEND=vllm|tei to all three config.py files
- Update embedding, retrieval, and llm api_client.py to branch URL
  construction based on INFERENCE_BACKEND
- Pass INFERENCE_BACKEND through docker-compose.yml for all three services
- Add INFERENCE_BACKEND to .env.example with hardware guidance
- Scope reranker-configuration.md to GenAI Gateway + Xeon only
- Update README to reflect GenAI Gateway + Xeon scope and note that
  Keycloak tokens can be configured for longer TTL in Keycloak console

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Add INFERENCE_BACKEND note to README model config section

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Fix LLM /v1 path for Keycloak+Gaudi: LLM is always vLLM, not TEI

When LLM_API_ENDPOINT is set (APISIX/Keycloak), always keep /v1 prefix
regardless of INFERENCE_BACKEND. Only drop /v1 for GenAI Gateway + Gaudi
where LiteLLM itself handles the routing without the /v1 prefix.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Fix reranker batching and token overflow for large document uploads

Two issues were causing 500 errors when reranking over large uploads:

1. Batch size overflow (413): TOP_K_FUSION=50 sent all 50 candidates in
   a single rerank request, exceeding bge-reranker-base's max batch size.
   Fixed by adding RERANKER_MAX_BATCH_SIZE config (default 32) and
   looping over batches in rerank_pairs(). Index offsets are tracked so
   scores are written back to the correct positions in the full list.

2. Token length overflow (500 EngineCore): Technical document chunks
   tokenize at ~2 chars/token in worst case. At 1000-char truncation
   some docs in batch 2 exceeded the model's 512-token max sequence
   length (query + doc combined). Reduced truncation to 500 chars
   (~125 tokens), leaving safe headroom for the query and worst-case
   tokenization while preserving the leading context most relevant for
   reranking quality.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Document Xeon + Keycloak model endpoints with -vllmcpu suffix

Clarify that MODEL_ENDPOINT values differ by deployment type:
- Xeon + Keycloak/APISIX: APISIX route name with -vllmcpu suffix
  (e.g. bge-base-en-v1.5-vllmcpu, bge-reranker-base-vllmcpu)
- Xeon + GenAI Gateway / Gaudi: HuggingFace model ID

Update APISIX endpoint URL examples in .env.example to use -vllmcpu
route names. Add deployment-type comparison table to README Configure
Models section.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Address PR review comments: embedding batch size, payload routing, doc fixes

api_client.py (retrieval):
- Separate rerank payload by backend: Keycloak/APISIX uses "texts",
  GenAI Gateway uses "documents" — each backend expects its own field
- Add logger.info for raw reranker response per batch
- Clarify response format comments (Format 1 vs Format 2)

ingestion/config.py + main.py:
- Add embedding_batch_size config (default 32, must match embedding service)
- Use settings.embedding_batch_size instead of hardcoded 32 in main.py
- Log the batch size at start of embedding loop

docker-compose.yml + .env.example:
- Pass EMBEDDING_BATCH_SIZE to ingestion service so users can tune it
- Add EMBEDDING_BATCH_SIZE to .env.example with note to reduce for
  larger documents

reranker-configuration.md:
- Step 2: clarify TOKEN source (GenAI Gateway vault.yml, not Keycloak)
- Step 2: define BASE_URL with /v1 path so curl commands use /rerank
- Steps 3 + 7: update curl to use ${BASE_URL}/rerank
- Step 3: add note on "documents" vs "texts" field by deployment type
- Step 7: add Keycloak/APISIX response format (flat array) alongside
  GenAI Gateway format (nested results)

README.md:
- Replace docker-compose with docker compose throughout
- Expand log-checking section with per-service startup verification
  commands

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Fix reranker-configuration.md BASE_URL: revert /v1 from base URL

BASE_URL must remain without /v1 because Steps 4 and 5 use the same
variable for LiteLLM admin endpoints (/model/info, /model/update)
which have no /v1 prefix. The inference curl commands correctly use
${BASE_URL}/v1/rerank explicitly.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* update trivy version

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* Add .venv-dataset to bandit exclude_dirs in .bandit config

Prevents bandit from scanning the HybridSearch dataset venv which
causes internal errors on Python 3.14 bytecode files.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Add SDLE security scan workflow for HybridSearch

Adds Trivy (vuln/misconfig/secret), Bandit, and ShellCheck scans
scoped to the HybridSearch sample solution. Runs on PR open/sync
and push to main/dev, with workflow_dispatch support for manual
PR scans.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Revert "Add .venv-dataset to bandit exclude_dirs in .bandit config"

This reverts commit 33f85a1.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Move code-scans.yaml to repo root .github/workflows

GitHub Actions only picks up workflows from .github/workflows at the
repository root. Moves the SDLE scan workflow out of the
sample_solutions/HybridSearch subdirectory so it runs correctly.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* Remove code-scans.yaml after security scans passed

All Trivy, Bandit, and ShellCheck scans passed successfully.
Removing the workflow file as it is no longer needed on this branch.

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>

* remove code-scans file

Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>

* update readme

Signed-off-by: Harika <codewith3@gmail.com>

* update script link

Signed-off-by: Harika <codewith3@gmail.com>

* adding code scan file

Signed-off-by: Harika <codewith3@gmail.com>

* delete code-scan.yaml files

Signed-off-by: Harika <codewith3@gmail.com>

* Adding redhat deployment scripts

Signed-off-by: Harika <codewith3@gmail.com>

* redhat deployment scripts

Signed-off-by: Harika <codewith3@gmail.com>

* update keycloak values

Signed-off-by: Harika <codewith3@gmail.com>

* merging both apisix and genai into single document

Signed-off-by: Harika <codewith3@gmail.com>

* merging both apisix and genai into single document

Signed-off-by: Harika <codewith3@gmail.com>

* update redhat README

Signed-off-by: Harika <codewith3@gmail.com>

* update redhat README

Signed-off-by: Harika <codewith3@gmail.com>

* update redhat README

Signed-off-by: Harika <codewith3@gmail.com>

* update redhat README

Signed-off-by: Harika <codewith3@gmail.com>

* updated troubleshooting guide with right keycloak values

Signed-off-by: Harika <codewith3@gmail.com>

* adding code scans file

Signed-off-by: Harika <codewith3@gmail.com>

* remove file

Signed-off-by: Harika <codewith3@gmail.com>

* update redhat README.md with mount ISO section and update trivy scan version to 0.35.0

Signed-off-by: Harika <codewith3@gmail.com>

* Update third_party/Dell/redhat9.6/iac/README.md

Co-authored-by: alexsin368 <109180236+alexsin368@users.noreply.github.com>
Signed-off-by: Harika <codewith3@gmail.com>

* Update third_party/Dell/redhat9.6/iac/README.md

Co-authored-by: alexsin368 <109180236+alexsin368@users.noreply.github.com>
Signed-off-by: Harika <codewith3@gmail.com>

* updated README for redhat mount ISO

Signed-off-by: Harika <codewith3@gmail.com>

* updated README for redhat mount ISO

Signed-off-by: Harika <codewith3@gmail.com>

* update wget URLs with opea repo links

Signed-off-by: Harika <codewith3@gmail.com>

* PR workflow for SDLE scans (#60)

* Create code-scans.yaml

Workflow to scan the code for Security vulnerabilities and Code quality issues

* Updated the co-pilot review

* Update code-scans.yaml

Updated Trivy scan with latest stable version

* remove code-scans.yaml

Signed-off-by: Harika <codewith3@gmail.com>

* add model-deployment folder

Signed-off-by: alexsin368 <alex.sin@intel.com>

* Finetuning Blueprint Solution (#88)

* Release v1.5.2

Signed-off-by: amberjain1 <amber.jain@intel.com>
Signed-off-by: psurabh <pradeep.surabhi@intel.com>
Signed-off-by: mdfaheem-intel <mohammad.faheem@intel.com>
Signed-off-by: vivekrsintc <vivek.rs@intel.com>
Co-authored-by: pvishwan <pramodh.vishwanath@intel.com>
Co-authored-by: AhmedSeemalK <ahmed.seemal@intel.com>
Co-authored-by: vhpintel <vijay.kumar.h.p@intel.com>
Co-authored-by: sgurunat <gurunath.s@intel.com>
Co-authored-by: jaswanth8888 <jaswanth.karani@intel.com>
Co-authored-by: sandeshk-intel <sandesh.kumar.s@intel.com>
Co-authored-by: vinayK34 <vinay3.kumar@intel.com>
Signed-off-by: Github Actions <actions@github.com>

* Adding Finetuning as a blueprint solution as part of release v1.5.2

Signed-off-by: S, Gurunath <gurunath.s@intel.com>

* False positive bandit scan issue in gpu_engine file, added comment to suppress it

Signed-off-by: S, Gurunath <gurunath.s@intel.com>

---------

Signed-off-by: amberjain1 <amber.jain@intel.com>
Signed-off-by: psurabh <pradeep.surabhi@intel.com>
Signed-off-by: mdfaheem-intel <mohammad.faheem@intel.com>
Signed-off-by: vivekrsintc <vivek.rs@intel.com>
Signed-off-by: Github Actions <actions@github.com>
Signed-off-by: S, Gurunath <gurunath.s@intel.com>
Co-authored-by: Github Actions <actions@github.com>
Co-authored-by: pvishwan <pramodh.vishwanath@intel.com>
Co-authored-by: AhmedSeemalK <ahmed.seemal@intel.com>
Co-authored-by: vhpintel <vijay.kumar.h.p@intel.com>
Co-authored-by: jaswanth8888 <jaswanth.karani@intel.com>
Co-authored-by: sandeshk-intel <sandesh.kumar.s@intel.com>
Co-authored-by: vinayK34 <vinay3.kumar@intel.com>

---------

Signed-off-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>
Signed-off-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>
Signed-off-by: Harika <codewith3@gmail.com>
Signed-off-by: alexsin368 <alex.sin@intel.com>
Signed-off-by: amberjain1 <amber.jain@intel.com>
Signed-off-by: psurabh <pradeep.surabhi@intel.com>
Signed-off-by: mdfaheem-intel <mohammad.faheem@intel.com>
Signed-off-by: vivekrsintc <vivek.rs@intel.com>
Signed-off-by: Github Actions <actions@github.com>
Signed-off-by: S, Gurunath <gurunath.s@intel.com>
Co-authored-by: arpannookala-12 <ganesh.arpan.nookala@cloud2labs.com>
Co-authored-by: gopal-raj-suresh <gopal.raj.dummugudupu@cloud2labs.com>
Co-authored-by: Harika <codewith3@gmail.com>
Co-authored-by: Harika <harika.devulapally@cloud2labs.com>
Co-authored-by: alexsin368 <109180236+alexsin368@users.noreply.github.com>
Co-authored-by: Vijay Kumar HP <98866009+vhpintel@users.noreply.github.com>
Co-authored-by: alexsin368 <alex.sin@intel.com>
Co-authored-by: sgurunat <gurunath.s@intel.com>
Co-authored-by: Github Actions <actions@github.com>
Co-authored-by: pvishwan <pramodh.vishwanath@intel.com>
Co-authored-by: vhpintel <vijay.kumar.h.p@intel.com>
Co-authored-by: jaswanth8888 <jaswanth.karani@intel.com>
Co-authored-by: sandeshk-intel <sandesh.kumar.s@intel.com>
Co-authored-by: vinayK34 <vinay3.kumar@intel.com>
Co-authored-by: Pradeep Surabhi <pradeep.surabhi@intel.com>