[TRTLLM-5878] add stage for image registration to nspect (#5699)

niukuo · chzblych · web-flow · commit 66f299a20510 · 2025-07-06T23:52:54.000+08:00
Signed-off-by: Yiteng Niu &lt;6831097+niukuo@users.noreply.github.com&gt;
Co-authored-by: Yanchao Lu &lt;yanchaol@nvidia.com&gt;
diff --git a/jenkins/BuildDockerImage.groovy b/jenkins/BuildDockerImage.groovy
@@ -90,8 +90,8 @@ def createKubernetesPodConfig(type, arch = "amd64", build_wheel = false)
     {
     case "agent":
         containerConfig = """
-                  - name: alpine
-                    image: urm.nvidia.com/docker/alpine:latest
+                  - name: python3
+                    image: urm.nvidia.com/docker/python:3.12-slim
                     command: ['cat']
                     tty: true
                     resources:
@@ -494,5 +494,45 @@ pipeline {
                 }
             }
         }
+        stage("Register Images for Security Checks") {
+            when {
+                expression {
+                    return params.nspect_id && params.action == "push"
+                }
+            }
+            steps {
+                script {
+                    container("python3") {
+                        trtllm_utils.llmExecStepWithRetry(pipeline, script: "pip3 install --upgrade pip")
+                        trtllm_utils.llmExecStepWithRetry(pipeline, script: "pip3 install --upgrade requests")
+                        def nspect_commit = "170c09aa35d5dacdc40611dd907f8801742fd5e4"
+                        withCredentials([string(credentialsId: "TRTLLM_NSPECT_REPO", variable: "NSPECT_REPO")]) {
+                            trtllm_utils.checkoutSource("${NSPECT_REPO}", nspect_commit, "nspect")
+                        }
+                        def nspect_env = params.nspect_env ? params.nspect_env : "prod"
+                        def program_version_name = params.program_version_name ? params.program_version_name : "PostMerge"
+                        def cmd = """./nspect/nspect.py \
+                            --env ${nspect_env} \
+                            --nspect_id ${params.nspect_id} \
+                            --program_version_name '${program_version_name}' \
+                            """
+                        if (params.register_images) {
+                            cmd += "--register "
+                        }
+                        if (params.osrb_ticket) {
+                            cmd += "--osrb_ticket ${params.osrb_ticket} "
+                        }
+                        if (params.wait_success_seconds) {
+                            cmd += "--check_launch_api "
+                            cmd += "--wait_success ${params.wait_success_seconds} "
+                        }
+                        cmd += imageKeyToTag.values().join(" ")
+                        withCredentials([usernamePassword(credentialsId: "NSPECT_CLIENT-${nspect_env}", usernameVariable: 'NSPECT_CLIENT_ID', passwordVariable: 'NSPECT_CLIENT_SECRET')]) {
+                            sh cmd
+                        }
+                    }
+                }
+            }
+        }
     } // stages
 } // pipeline
