Automate the scanning security vulnerabilities in images of WGs

Signed-off-by: Hansini Karunarathne <[email protected]>
hansinikarunarathne · Jun 8, 2024 · b127acc · b127acc
1 parent b46ce02
commit b127acc
Show file tree

Hide file tree

Showing 5 changed files with 370 additions and 76 deletions.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,65 @@
+name: Image Extracting and Security Scanning
+
+
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  # This job will run the image scan scripts
+  image-scan:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the code from repository
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      # Install kustomize
+      - name: Install kustomize
+        run: |
+          sudo apt update
+          sudo apt install snapd
+          sudo snap install kustomize
+
+      # Install trivy
+      - name: Install trivy
+        run: |
+          sudo apt update
+          sudo snap install trivy
+
+      # Install jq
+      - name: Install jq
+        run: |
+          sudo apt update
+          sudo apt install jq
+
+      # Install Python
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10' 
+
+      # Install prettytable package
+      - name: Install prettytable
+        run: |
+          pip install prettytable
+
+      # Run the shell script (extract_images.sh)
+      - name: Run image extracting and security scanning script
+        run: |
+          cd hack
+          chmod +x extract_images.sh
+          ./extract_images.sh
+
+      # Upload the artifact
+      - name: Upload trivy scanned_results
+        uses: actions/upload-artifact@v4
+        with:
+          name: my-artifact
+          path: docs/image_lists/
+
+
+
+
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,9 @@
 [._]s[a-rt-v][a-z]
 [._]ss[a-gi-z]
 [._]sw[a-p]
+
+
+# Scanning reports of trivy
+docs/image_lists/summary_of_severity_counts_for_WG/
+docs/image_lists/severity_counts_with_images_for_WG/
+docs/image_lists/security_scan_reports/
diff --git a/hack/extract_images.sh b/hack/extract_images.sh
diff --git a/hack/table_generate_for_security_results.py b/hack/table_generate_for_security_results.py
@@ -0,0 +1,44 @@
+import json
+from prettytable import PrettyTable
+
+# Path to your JSON file
+json_file = '../docs/image_lists/summary_of_severity_counts_for_WG/severity_summary_in_json_format.json'
+
+# Load JSON content from the file
+with open(json_file, 'r') as file:
+    data = json.load(file)
+
+# Define a mapping for working group names
+groupnames = {
+    "Automl": "AutoML",
+    "Pipelines": "Pipelines",
+    "Workbenches":"Workbenches(Notebooks)",
+    "Serving": "Kserve",
+    "Manifests":"Manifests",
+    "Training": "Training",
+    "Model-registry":"Model Registry",
+    "total": "All Images",
+}
+
+# Create PrettyTable
+table = PrettyTable()
+table.field_names = ["Working Group", "Images", "Critical CVE", "High CVE", "Medium CVE", "Low CVE"]
+
+# Populate the table with data
+for group_name in groupnames:
+    if group_name in data:  # Check if group_name exists in data
+        value = data[group_name]
+        table.add_row([groupnames[group_name], value["images"], value["CRITICAL"], value["HIGH"], value["MEDIUM"], value["LOW"]])
+
+
+# Print the table
+print(table)
+
+output_folder='../docs/image_lists/summary_of_severity_counts_for_WG/'
+
+# Write the table output to a file in the specified folder
+output_file = output_folder + 'summary_of_severity_counts_for_WGs_in_table.txt'
+with open(output_file, 'w') as f:
+    f.write(str(table))
+
+print("Output saved to:", output_file)