Skip to content

Security Scan

Security Scan #1289

Workflow file for this run

name: Security Scan
on:
push:
branches:
- master
- release/*
schedule:
- cron: "23 18 * * *"
workflow_dispatch:
jobs:
scan-code:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Security Scan
uses: snyk/actions/python-3.10@master
with:
args: --fail-on=upgradable
--severity-threshold=high
--all-projects
--exclude=tests,docs
--sarif-file-output=snyk-code.sarif
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk-code.sarif
static-code-analysis:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Static Code Analysis Scan
uses: snyk/actions/python-3.10@master
with:
command: code test
args: --fail-on=upgradable
--severity-threshold=high
--all-projects
--exclude=tests,docs
--sarif-file-output=snyk-sat.sarif
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk-sat.sarif
scan-image:
runs-on: ubuntu-latest
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@master
with:
remove-dotnet: 'true'
remove-haskell: 'true'
remove-android: 'true'
remove-codeql: 'true'
remove-docker-images: 'true'
overprovision-lvm: 'true'
swap-size-mb: 1024
- uses: actions/checkout@v4
- name: Build Docker Image
run: |
DOCKER_BUILDKIT=1 docker build . \
--build-arg RUNTIMES=all \
-t $MLSERVER_IMAGE
env:
MLSERVER_IMAGE: seldonio/mlserver:${{ github.sha }}
- name: Scan Docker Image
uses: snyk/actions/docker@master
with:
image: seldonio/mlserver:${{ github.sha }}
args: --fail-on=upgradable
--severity-threshold=high
--app-vulns
--file=Dockerfile
--policy-path=.snyk
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif