rocm-automated/.github/workflows/security-scan.yml
2026-01-30 19:32:03 -05:00


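# Security scanning workflow: lints the project's Dockerfiles with Hadolint,
# builds each image locally and scans it with Trivy (results uploaded as
# SARIF), pulls the upstream base images, and prints a summary on scheduled
# runs.
name: Security Scan

on:
  schedule:
    # Run security scans weekly on Sundays at 03:00 UTC
    - cron: '0 3 * * 0'
  workflow_dispatch:
  pull_request:
    paths:
      - 'Dockerfiles/**'
      - '.github/workflows/**'

# Least privilege: every job gets a read-only token unless it asks for more.
# Without this block the token scope depends on the repository/organisation
# default, which may be read-write.
permissions:
  contents: read

# NOTE(review): neither variable is referenced by any step shown in this
# workflow; nothing here logs in to or pushes to a registry.
env:
  REGISTRY: docker.io
  REGISTRY_USER: getterup

jobs:
  # Static lint of the two Dockerfiles. Warnings and above fail the job.
  dockerfile-security-scan:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions in this workflow are referenced by tag. Tags are
      # mutable; pinning to a full commit SHA is the hardened form.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run Hadolint (Dockerfile linter)
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfiles/Dockerfile.comfyui-rocm7.1
          failure-threshold: warning

      - name: Run Hadolint on Stable Diffusion Dockerfile
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1
          failure-threshold: warning

  # Builds each image without pushing it and scans the loaded image.
  vulnerability-scan:
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-level block, so contents is
    # repeated. security-events: write is what the SARIF upload step needs.
    # On pull requests from forks the token is normally read-only regardless,
    # so the upload step is expected to fail there.
    permissions:
      contents: read
      security-events: write
    strategy:
      # A failed build or scan of one image must not cancel the scan of the
      # other; each image is reported independently.
      fail-fast: false
      matrix:
        image:
          - name: comfyui-rocm7.1
            dockerfile: Dockerfile.comfyui-rocm7.1
          - name: stable-diffusion.cpp-rocm7.1
            dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build test image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfiles/${{ matrix.image.dockerfile }}
          push: false
          tags: test-${{ matrix.image.name }}:latest
          # load: true makes the image available to the local Docker daemon,
          # which is where the Trivy step looks up image-ref.
          load: true
          cache-from: type=gha

      # NOTE(review): @master is a mutable branch ref, so whatever is on that
      # branch at run time executes in this job, which holds a token with
      # security-events: write. Pin to a reviewed release tag or, better, a
      # full commit SHA (<PINNED_COMMIT_SHA>) and update it deliberately.
      #
      # exit-code is not set, so with the action's default the job does not
      # fail when vulnerabilities are found; findings surface only through
      # the uploaded SARIF.
      #
      # NOTE(review): with SARIF output the action may report all severities
      # regardless of the filter below unless limit-severities-for-sarif is
      # enabled - confirm against the action version in use.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: test-${{ matrix.image.name }}:latest
          format: 'sarif'
          output: 'trivy-results-${{ matrix.image.name }}.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'

      # always() keeps the upload running after a failed scan step. If the
      # build itself failed there is no SARIF file and this step fails too.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results-${{ matrix.image.name }}.sarif'

  # Informational job: pulls base images and prints advisory links.
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # NOTE(review): this step only pulls the images. It does not compare
      # them with the digests or tags the Dockerfiles use, so it fails only
      # when a pull fails, not when a base image is outdated.
      - name: Check for outdated base images
        run: |
          echo "🔍 Checking base images for updates..."
          # Check ROCm base images
          echo "Checking ROCm images..."
          docker pull rocm/rocm-terminal:latest
          # Check Python images (commonly used in AI containers)
          echo "Checking Python base images..."
          docker pull python:3.11-slim
          docker pull python:3.12-slim
          echo "✅ Base image check completed"

      # Prints reference links only; nothing is fetched or evaluated.
      # NOTE(review): the images are ROCm (AMD) based, so the NVIDIA link is
      # probably not the relevant GPU advisory source - confirm.
      - name: Check for security advisories
        run: |
          echo "🛡️ Checking for relevant security advisories..."
          echo "Please review:"
          echo "- ROCm security advisories: https://github.com/RadeonOpenCompute/ROCm/security"
          echo "- Docker security best practices: https://docs.docker.com/engine/security/"
          echo "- NVIDIA CVE database (for GPU-related issues): https://nvidia.com/security"

  # Summary for scheduled runs. Fails when any upstream job failed.
  notify-security:
    runs-on: ubuntu-latest
    needs: [dockerfile-security-scan, vulnerability-scan, dependency-check]
    if: always() && github.event_name == 'schedule'
    steps:
      - name: Security scan summary
        # Job results are handed to the script as environment variables
        # rather than expanded into the script text, so the shell never
        # parses workflow expressions as code.
        env:
          LINT_RESULT: ${{ needs.dockerfile-security-scan.result }}
          VULN_RESULT: ${{ needs.vulnerability-scan.result }}
          DEPS_RESULT: ${{ needs.dependency-check.result }}
        run: |
          echo "🔒 Weekly security scan completed"
          echo "📊 Results:"
          echo "- Dockerfile lint: ${LINT_RESULT}"
          echo "- Vulnerability scan: ${VULN_RESULT}"
          echo "- Dependency check: ${DEPS_RESULT}"
          # Only "failure" is treated as a problem; "cancelled" and "skipped"
          # fall through to the else branch.
          if [ "${LINT_RESULT}" = "failure" ] || \
             [ "${VULN_RESULT}" = "failure" ] || \
             [ "${DEPS_RESULT}" = "failure" ]; then
            echo "⚠️ Security issues detected - please review the logs"
            exit 1
          else
            # The Trivy step does not gate on findings, so a green run is not
            # evidence that the images are free of vulnerabilities.
            echo "✅ No scan job failed - review code scanning alerts for findings"
          fi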