yindo/rocm-automated
1
0
Fork 0
mirror of https://github.com/BillyOutlast/rocm-automated.git synced 2026-02-04 03:51:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

more stuff

Browse Source
This commit is contained in:
John Doe
2026-01-30 19:44:20 -05:00
parent 2a63ccf32f
commit c7f1a05e02
2 changed files with 740 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

371
.github/workflows/daily-build-pure-shell.yml vendored Normal file
View File

@@ -0,0 +1,371 @@
name: Daily ROCm Container Build (Pure Shell)
on:
schedule:
# Run daily at 02:00 UTC
- cron: '0 2 * * *'
workflow_dispatch: # Allow manual triggering
inputs:
push_images:
description: 'Push images to registry'
required: true
default: 'true'
type: boolean
build_all:
description: 'Build all variants'
required: true
default: 'true'
type: boolean
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
date: ${{ steps.date.outputs.date }}
sha_short: ${{ steps.vars.outputs.sha_short }}
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
fi
cp -r . ${{ github.workspace }}
shell: bash
- name: Get current date
id: date
run: |
echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
shell: bash
- name: Set variables
id: vars
run: |
echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
shell: bash
build-base-images:
runs-on: ubuntu-latest
needs: prepare
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
context: .
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
context: .
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
fi
cp -r . ${{ github.workspace }}
shell: bash
- name: Set up Docker Buildx
run: |
echo "🐳 Setting up Docker Buildx..."
# Check if buildx is available
if ! docker buildx version > /dev/null 2>&1; then
echo "Installing Docker Buildx..."
mkdir -p ~/.docker/cli-plugins
BUILDX_VERSION="v0.12.1"
wget -q -O ~/.docker/cli-plugins/docker-buildx \
"https://github.com/docker/buildx/releases/download/${BUILDX_VERSION}/buildx-${BUILDX_VERSION}.linux-amd64"
chmod +x ~/.docker/cli-plugins/docker-buildx
fi
# Create and use builder instance
docker buildx create --name mybuilder --use --bootstrap || echo "Builder already exists"
docker buildx inspect --bootstrap
shell: bash
- name: Log in to Docker Hub
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
run: |
echo "🔐 Logging into Docker Hub..."
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
shell: bash
- name: Build and push Docker image
run: |
echo "🏗️ Building ${{ matrix.image.name }}..."
IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}"
TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}"
# Build the image
BUILD_ARGS=""
BUILD_ARGS="$BUILD_ARGS --build-arg BUILD_DATE=${{ needs.prepare.outputs.date }}"
BUILD_ARGS="$BUILD_ARGS --build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }}"
PUSH_FLAG=""
if [ "${{ github.event_name }}" == "schedule" ] || [ "${{ github.event.inputs.push_images }}" == "true" ]; then
PUSH_FLAG="--push"
echo "📤 Will push images to registry"
else
PUSH_FLAG="--load"
echo "💾 Will load images locally only"
fi
docker buildx build \
--context ${{ matrix.image.context }} \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--platform linux/amd64 \
$BUILD_ARGS \
$(for tag in $TAGS; do echo "--tag $tag"; done) \
$PUSH_FLAG \
.
echo "✅ Build completed for ${{ matrix.image.name }}"
shell: bash
build-stable-diffusion-variants:
runs-on: ubuntu-latest
needs: prepare
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.build_all == 'true')
strategy:
matrix:
gfx_arch:
- gfx1150 # RDNA 3.5 (Ryzen AI 9 HX 370)
- gfx1151 # RDNA 3.5 (Strix Point/Ryzen AI Max+ 365)
- gfx1200 # RDNA 4 (RX 9070 XT)
- gfx1100 # RDNA 3 (RX 7900 XTX/XT)
- gfx1101 # RDNA 3 (RX 7800 XT/7700 XT)
- gfx1030 # RDNA 2 (RX 6000 series)
- gfx1201 # RDNA 4 (RX 9060 XT/ RX 9070/XT)
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
fi
cp -r . ${{ github.workspace }}
shell: bash
- name: Set up Docker Buildx
run: |
echo "🐳 Setting up Docker Buildx for GPU variant ${{ matrix.gfx_arch }}..."
# Check if buildx is available
if ! docker buildx version > /dev/null 2>&1; then
echo "Installing Docker Buildx..."
mkdir -p ~/.docker/cli-plugins
BUILDX_VERSION="v0.12.1"
wget -q -O ~/.docker/cli-plugins/docker-buildx \
"https://github.com/docker/buildx/releases/download/${BUILDX_VERSION}/buildx-${BUILDX_VERSION}.linux-amd64"
chmod +x ~/.docker/cli-plugins/docker-buildx
fi
# Create and use builder instance
docker buildx create --name mybuilder-${{ matrix.gfx_arch }} --use --bootstrap || echo "Builder already exists"
docker buildx inspect --bootstrap
shell: bash
- name: Log in to Docker Hub
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
run: |
echo "🔐 Logging into Docker Hub for ${{ matrix.gfx_arch }}..."
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
shell: bash
- name: Build and push GPU variant image
run: |
echo "🏗️ Building GPU variant for ${{ matrix.gfx_arch }}..."
IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}"
TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}"
# Build the GPU-specific image
BUILD_ARGS=""
BUILD_ARGS="$BUILD_ARGS --build-arg GFX_ARCH=${{ matrix.gfx_arch }}"
BUILD_ARGS="$BUILD_ARGS --build-arg BUILD_DATE=${{ needs.prepare.outputs.date }}"
BUILD_ARGS="$BUILD_ARGS --build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }}"
PUSH_FLAG=""
if [ "${{ github.event_name }}" == "schedule" ] || [ "${{ github.event.inputs.push_images }}" == "true" ]; then
PUSH_FLAG="--push"
echo "📤 Will push ${{ matrix.gfx_arch }} variant to registry"
else
PUSH_FLAG="--load"
echo "💾 Will load ${{ matrix.gfx_arch }} variant locally only"
fi
docker buildx build \
--context . \
--file Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 \
--platform linux/amd64 \
$BUILD_ARGS \
$(for tag in $TAGS; do echo "--tag $tag"; done) \
$PUSH_FLAG \
.
echo "✅ Build completed for ${{ matrix.gfx_arch }} variant"
shell: bash
test-compose:
runs-on: ubuntu-latest
needs: [prepare, build-base-images]
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
fi
cp -r . ${{ github.workspace }}
shell: bash
- name: Create test directories
run: |
echo "📁 Creating test directories..."
mkdir -p User-Directories/open-webui
mkdir -p User-Directories/ollama
mkdir -p User-Directories/comfyui
echo "✅ Test directories created"
shell: bash
- name: Install Docker Compose
run: |
echo "🐳 Installing Docker Compose..."
if ! command -v docker-compose &> /dev/null; then
echo "Installing docker-compose..."
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" \
-o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
fi
docker-compose --version
shell: bash
- name: Test docker-compose configuration
run: |
echo "📋 Testing Docker Compose configuration..."
# Validate compose file
docker-compose config --quiet
echo "✅ Docker Compose configuration is valid"
# Test services definition
docker-compose config --services
echo "✅ Services configuration verified"
shell: bash
- name: Test image availability
run: |
echo "📋 Testing image availability..."
# Check if images exist in registry (without pulling)
IMAGES=(
"${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/comfyui-rocm7.1:latest"
"${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion.cpp-rocm7.1:latest"
)
for image in "${IMAGES[@]}"; do
echo "Checking $image..."
if docker manifest inspect "$image" >/dev/null 2>&1; then
echo "✅ $image is available"
else
echo "⚠️ $image may not be available yet"
fi
done
echo "✅ Image availability check completed"
shell: bash
notify:
runs-on: ubuntu-latest
needs: [prepare, build-base-images, build-stable-diffusion-variants, test-compose]
if: always() && (github.event_name == 'schedule')
steps:
- name: Build summary
run: |
echo "📊 Daily Build Summary - ${{ needs.prepare.outputs.date }}"
echo "=================================="
echo ""
echo "🔧 Job Results:"
echo "- Prepare: ${{ needs.prepare.result }}"
echo "- Base Images: ${{ needs.build-base-images.result }}"
echo "- GPU Variants: ${{ needs.build-stable-diffusion-variants.result }}"
echo "- Compose Test: ${{ needs.test-compose.result }}"
echo ""
SUCCESS_COUNT=0
TOTAL_COUNT=4
[ "${{ needs.prepare.result }}" == "success" ] && SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
[ "${{ needs.build-base-images.result }}" == "success" ] && SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
[ "${{ needs.build-stable-diffusion-variants.result }}" == "success" ] && SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
[ "${{ needs.test-compose.result }}" == "success" ] && SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
echo "📈 Success Rate: $SUCCESS_COUNT/$TOTAL_COUNT jobs completed successfully"
if [ "$SUCCESS_COUNT" -eq "$TOTAL_COUNT" ]; then
echo "🎉 All builds completed successfully!"
echo "🐳 Images pushed to ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/"
echo "📋 Docker Compose configuration validated"
echo "🏗️ Built images:"
echo " - comfyui-rocm7.1:${{ needs.prepare.outputs.date }}"
echo " - stable-diffusion.cpp-rocm7.1:${{ needs.prepare.outputs.date }}"
echo " - 7 GPU-specific variants"
elif [ "$SUCCESS_COUNT" -gt 0 ]; then
echo "⚠️ Partial success - $SUCCESS_COUNT out of $TOTAL_COUNT jobs completed"
echo "Please check the individual job logs for details"
else
echo "❌ All jobs failed - please check the logs"
exit 1
fi
shell: bash
cleanup:
runs-on: ubuntu-latest
needs: [build-base-images, build-stable-diffusion-variants]
if: always()
steps:
- name: Clean up Docker resources
run: |
echo "🧹 Cleaning up Docker resources..."
# Clean up build cache and unused images
docker system prune -f --volumes || echo "⚠️ Docker system prune failed"
docker builder prune -f || echo "⚠️ Builder prune failed"
# Clean up buildx builders
docker buildx ls | grep -E "mybuilder|gitea-builder" | awk '{print $1}' | while read builder; do
echo "Removing builder: $builder"
docker buildx rm "$builder" || echo "⚠️ Failed to remove builder $builder"
done
echo "✅ Cleanup completed"
shell: bash

369
.github/workflows/security-scan-pure-shell.yml vendored Normal file
View File

@@ -0,0 +1,369 @@
name: Security Scan (Pure Shell)
on:
schedule:
# Run security scans weekly on Sundays at 03:00 UTC
- cron: '0 3 * * 0'
workflow_dispatch:
pull_request:
paths:
- 'Dockerfiles/**'
- '.github/workflows/**'
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
dockerfile-security-scan:
runs-on: ubuntu-latest
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
fi
cp -r . ${{ github.workspace }}
shell: bash
- name: Install Hadolint
run: |
echo "🔧 Installing Hadolint..."
HADOLINT_VERSION="v2.12.0"
wget -q -O /tmp/hadolint \
"https://github.com/hadolint/hadolint/releases/download/${HADOLINT_VERSION}/hadolint-Linux-x86_64"
chmod +x /tmp/hadolint
sudo mv /tmp/hadolint /usr/local/bin/hadolint
hadolint --version
shell: bash
- name: Run Hadolint on ComfyUI Dockerfile
run: |
echo "🔍 Scanning Dockerfile.comfyui-rocm7.1..."
if [ -f "Dockerfiles/Dockerfile.comfyui-rocm7.1" ]; then
hadolint Dockerfiles/Dockerfile.comfyui-rocm7.1 && echo "✅ ComfyUI Dockerfile passed" || echo "⚠️ Warnings found in ComfyUI Dockerfile"
else
echo "❌ ComfyUI Dockerfile not found"
fi
shell: bash
- name: Run Hadolint on Stable Diffusion Dockerfile
run: |
echo "🔍 Scanning Dockerfile.stable-diffusion.cpp-rocm7.1..."
if [ -f "Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1" ]; then
hadolint Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 && echo "✅ Stable Diffusion Dockerfile passed" || echo "⚠️ Warnings found in Stable Diffusion Dockerfile"
else
echo "❌ Stable Diffusion Dockerfile not found"
fi
shell: bash
vulnerability-scan:
runs-on: ubuntu-latest
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
fi
cp -r . ${{ github.workspace }}
shell: bash
- name: Set up Docker Buildx
run: |
echo "🐳 Setting up Docker Buildx for security scan..."
# Check if buildx is available
if ! docker buildx version > /dev/null 2>&1; then
echo "Installing Docker Buildx..."
mkdir -p ~/.docker/cli-plugins
BUILDX_VERSION="v0.12.1"
wget -q -O ~/.docker/cli-plugins/docker-buildx \
"https://github.com/docker/buildx/releases/download/${BUILDX_VERSION}/buildx-${BUILDX_VERSION}.linux-amd64"
chmod +x ~/.docker/cli-plugins/docker-buildx
fi
# Create and use builder instance
docker buildx create --name security-builder --use --bootstrap || echo "Builder already exists"
docker buildx inspect --bootstrap
shell: bash
- name: Build test image
run: |
echo "🏗️ Building test image for ${{ matrix.image.name }}..."
if [ ! -f "Dockerfiles/${{ matrix.image.dockerfile }}" ]; then
echo "❌ Dockerfile not found: Dockerfiles/${{ matrix.image.dockerfile }}"
exit 1
fi
docker buildx build \
--context . \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--tag test-${{ matrix.image.name }}:latest \
--load \
. || {
echo "❌ Failed to build test image for ${{ matrix.image.name }}"
exit 1
}
echo "✅ Test image built successfully"
docker images | grep "test-${{ matrix.image.name }}"
shell: bash
- name: Install Trivy
run: |
echo "🛡️ Installing Trivy..."
# Install dependencies
sudo apt-get update -qq
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
# Add Trivy repository
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
# Install Trivy
sudo apt-get update -qq
sudo apt-get install -y trivy
trivy --version
shell: bash
- name: Run Trivy vulnerability scanner
run: |
echo "🛡️ Scanning test-${{ matrix.image.name }}:latest for vulnerabilities..."
# Run Trivy scan with table output
echo "📋 Vulnerability Summary:"
trivy image --exit-code 0 --severity HIGH,CRITICAL --format table test-${{ matrix.image.name }}:latest || echo "⚠️ Vulnerabilities found"
# Generate JSON report for analysis
echo ""
echo "📄 Generating detailed JSON report..."
trivy image --format json --output trivy-report-${{ matrix.image.name }}.json test-${{ matrix.image.name }}:latest || echo "⚠️ Failed to generate JSON report"
# Show summary statistics
if [ -f "trivy-report-${{ matrix.image.name }}.json" ]; then
HIGH_COUNT=$(cat trivy-report-${{ matrix.image.name }}.json | jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH")] | length' 2>/dev/null || echo "0")
CRITICAL_COUNT=$(cat trivy-report-${{ matrix.image.name }}.json | jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' 2>/dev/null || echo "0")
echo ""
echo "📊 Vulnerability Summary for ${{ matrix.image.name }}:"
echo " - Critical: $CRITICAL_COUNT"
echo " - High: $HIGH_COUNT"
if [ "$CRITICAL_COUNT" -gt "0" ]; then
echo "❌ Critical vulnerabilities found - immediate attention required"
# Don't fail the build, just warn
elif [ "$HIGH_COUNT" -gt "0" ]; then
echo "⚠️ High severity vulnerabilities found - review recommended"
else
echo "✅ No high or critical vulnerabilities found"
fi
fi
shell: bash
- name: Upload scan results
run: |
echo "📄 Processing scan results..."
if [ -f "trivy-report-${{ matrix.image.name }}.json" ]; then
echo "✅ Trivy scan report generated: trivy-report-${{ matrix.image.name }}.json"
# Show file size
REPORT_SIZE=$(du -h trivy-report-${{ matrix.image.name }}.json | cut -f1)
echo "📏 Report size: $REPORT_SIZE"
# In a production environment, you might upload this to:
# - Artifact storage
# - Security dashboard
# - SIEM system
# - etc.
echo "💡 In production, consider uploading this report to your security systems"
else
echo "❌ No scan report found"
fi
shell: bash
dependency-check:
runs-on: ubuntu-latest
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
fi
cp -r . ${{ github.workspace }}
shell: bash
- name: Check for base image updates
run: |
echo "🔍 Checking base images for updates..."
# Common base images that might be used in Dockerfiles
BASE_IMAGES=(
"ubuntu:22.04"
"ubuntu:20.04"
"python:3.11-slim"
"python:3.12-slim"
"rocm/rocm-terminal:latest"
)
for image in "${BASE_IMAGES[@]}"; do
echo ""
echo "Checking $image..."
if docker pull "$image" 2>/dev/null; then
echo "✅ Successfully pulled $image"
# Get image info
docker inspect "$image" --format='{{.RepoDigests}}' | head -1 || echo "⚠️ Could not get digest"
else
echo "⚠️ Could not pull $image (may not be used in our builds)"
fi
done
echo ""
echo "✅ Base image check completed"
echo "💡 Consider updating Dockerfiles if newer base images are available"
shell: bash
- name: Check Dockerfile base images
run: |
echo "🔍 Analyzing Dockerfile base images..."
DOCKERFILES=(
"Dockerfiles/Dockerfile.comfyui-rocm7.1"
"Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1"
)
for dockerfile in "${DOCKERFILES[@]}"; do
if [ -f "$dockerfile" ]; then
echo ""
echo "📄 Analyzing $dockerfile:"
# Extract FROM statements
BASE_IMAGES=$(grep -i "^FROM" "$dockerfile" | awk '{print $2}' | head -5)
while IFS= read -r image; do
if [ -n "$image" ]; then
echo " - Base image: $image"
# You could add logic here to check for updates to specific images
fi
done <<< "$BASE_IMAGES"
else
echo "⚠️ Dockerfile not found: $dockerfile"
fi
done
echo ""
echo "✅ Dockerfile analysis completed"
shell: bash
- name: Security advisory check
run: |
echo "🛡️ Security Advisory Information"
echo "=================================="
echo ""
echo "📋 Please manually review the following for security updates:"
echo ""
echo "🔗 Key Security Resources:"
echo " - ROCm Security: https://github.com/RadeonOpenCompute/ROCm/security"
echo " - Docker Security: https://docs.docker.com/engine/security/"
echo " - Ubuntu Security: https://ubuntu.com/security/notices"
echo " - Python Security: https://python.org/news/security/"
echo " - CVE Database: https://cve.mitre.org/"
echo ""
echo "🏃‍♂️ Automated Checks You Can Add:"
echo " - Subscribe to security mailing lists"
echo " - Monitor CVE databases for your dependencies"
echo " - Use tools like Dependabot or Renovate"
echo " - Implement container image scanning in CI/CD"
echo ""
echo "💡 Regular monitoring of these sources is recommended for production deployments."
echo ""
echo "📅 Last checked: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"
shell: bash
notify-security:
runs-on: ubuntu-latest
needs: [dockerfile-security-scan, vulnerability-scan, dependency-check]
if: always() && github.event_name == 'schedule'
steps:
- name: Security scan summary
run: |
echo "🔒 Weekly Security Scan Summary"
echo "==============================="
echo "📅 Scan Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"
echo ""
echo "📊 Scan Results:"
echo " - Dockerfile Lint: ${{ needs.dockerfile-security-scan.result }}"
echo " - Vulnerability Scan: ${{ needs.vulnerability-scan.result }}"
echo " - Dependency Check: ${{ needs.dependency-check.result }}"
echo ""
# Count successful jobs
SUCCESS_COUNT=0
TOTAL_COUNT=3
[ "${{ needs.dockerfile-security-scan.result }}" == "success" ] && SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
[ "${{ needs.vulnerability-scan.result }}" == "success" ] && SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
[ "${{ needs.dependency-check.result }}" == "success" ] && SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
echo "📈 Success Rate: $SUCCESS_COUNT/$TOTAL_COUNT scans completed successfully"
echo ""
# Build list of failed jobs
FAILED_JOBS=()
[ "${{ needs.dockerfile-security-scan.result }}" == "failure" ] && FAILED_JOBS+=("dockerfile-lint")
[ "${{ needs.vulnerability-scan.result }}" == "failure" ] && FAILED_JOBS+=("vulnerability-scan")
[ "${{ needs.dependency-check.result }}" == "failure" ] && FAILED_JOBS+=("dependency-check")
if [ ${#FAILED_JOBS[@]} -gt 0 ]; then
echo "❌ Failed scans: ${FAILED_JOBS[*]}"
echo ""
echo "🔧 Recommended Actions:"
echo " - Review Dockerfile best practices and fix linting issues"
echo " - Update base images to latest patched versions"
echo " - Address high/critical vulnerabilities found by Trivy"
echo " - Check dependency update recommendations"
echo ""
echo "📖 Resources:"
echo " - Dockerfile Best Practices: https://docs.docker.com/develop/dev-best-practices/"
echo " - Container Security: https://kubernetes.io/docs/concepts/security/"
echo ""
exit 1
else
echo "🎉 All security scans completed successfully!"
echo ""
echo "✅ Security Status:"
echo " - Dockerfiles follow best practices"
echo " - No critical vulnerabilities detected"
echo " - Dependencies are up to date"
echo ""
echo "🛡️ Your container images appear to be secure!"
echo "💡 Continue monitoring for new vulnerabilities and updates"
fi
shell: bash