Create security scan script (#2731)

* Automate the scanning security vulnerabilities in images of WGs Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk> * Fixed a issue in trivy_scan.yaml and trivy_scan.sh Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk> * Did requested changes in trivy.yaml Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk> --------- Signed-off-by: Hansini Karunarathne <hansini.20@cse.mrt.ac.lk>
kubeflow · Jun 11, 2024 · 94c6135 · 94c6135
1 parent f96b8f5
commit 94c6135
Show file tree

Hide file tree

Showing 5 changed files with 365 additions and 76 deletions.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,55 @@
+name: Image Extracting and Security Scanning
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  image-extraction-and-security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      # Install kustomize
+      - name: Install kustomize
+        run: |
+          sudo apt update
+          sudo apt install snapd
+          sudo snap install kustomize
+
+      # Install trivy
+      - name: Install trivy
+        run: |
+          sudo apt update
+          sudo snap install trivy
+
+      # Install jq
+      - name: Install jq
+        run: |
+          sudo apt update
+          sudo apt install jq
+
+      # Install Python
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12' 
+
+      # Install prettytable package
+      - name: Install prettytable
+        run: |
+          pip install prettytable
+
+      # Run the shell script (extract_images.sh)
+      - name: Run image extracting and security scanning script
+        run: |
+          cd hack
+          chmod +x trivy_scan.sh
+          ./trivy_scan.sh
+
+
+      
+
+
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,9 @@
 [._]s[a-rt-v][a-z]
 [._]ss[a-gi-z]
 [._]sw[a-p]
+
+
+# Scanning reports of trivy
+docs/image_lists/summary_of_severity_counts_for_WG/
+docs/image_lists/severity_counts_with_images_for_WG/
+docs/image_lists/security_scan_reports/
diff --git a/hack/extract_images.sh b/hack/extract_images.sh
diff --git a/hack/table_generate_for_security_results.py b/hack/table_generate_for_security_results.py
@@ -0,0 +1,44 @@
+import json
+from prettytable import PrettyTable
+
+# Path to your JSON file
+json_file = '../docs/image_lists/summary_of_severity_counts_for_WG/severity_summary_in_json_format.json'
+
+# Load JSON content from the file
+with open(json_file, 'r') as file:
+    data = json.load(file)
+
+# Define a mapping for working group names
+groupnames = {
+    "Automl": "AutoML",
+    "Pipelines": "Pipelines",
+    "Workbenches":"Workbenches(Notebooks)",
+    "Serving": "Kserve",
+    "Manifests":"Manifests",
+    "Training": "Training",
+    "Model-registry":"Model Registry",
+    "total": "All Images",
+}
+
+# Create PrettyTable
+table = PrettyTable()
+table.field_names = ["Working Group", "Images", "Critical CVE", "High CVE", "Medium CVE", "Low CVE"]
+
+# Populate the table with data
+for group_name in groupnames:
+    if group_name in data:  # Check if group_name exists in data
+        value = data[group_name]
+        table.add_row([groupnames[group_name], value["images"], value["CRITICAL"], value["HIGH"], value["MEDIUM"], value["LOW"]])
+
+
+# Print the table
+print(table)
+
+output_folder='../docs/image_lists/summary_of_severity_counts_for_WG/'
+
+# Write the table output to a file in the specified folder
+output_file = output_folder + 'summary_of_severity_counts_for_WGs_in_table.txt'
+with open(output_file, 'w') as f:
+    f.write(str(table))
+
+print("Output saved to:", output_file)