Include docfx & changelog in dev process (#528)

* Include docfx & changelog in dev process
* Scan containers only for main branch and release branches
* Add Vulnerability Scanning

Signed-off-by: Victor Chang <vicchang@nvidia.com>

Author: mocsharp

.github/pull_request_template.md

@@ -13,6 +13,6 @@ A few sentences describing the changes proposed in this pull request.
 - [ ] Breaking change (fix or new feature that would cause existing functionality to change).
 - [ ] New tests added to cover the changes.
 - [ ] All tests passed locally.
-- [ ] [Documentation comments](https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/documentation-comments) included/updated.
-- [ ] User guide updated.
-- [ ] I have updated the changelog
+- [ ] [Documentation comments](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/xmldoc/) included/updated.
+- [ ] [User guide updated](../docs).
+- [ ] I have updated the [changelog](../docs/changelog.md)

.github/workflows/build.yml

@@ -90,7 +90,7 @@ jobs:
 
       - name: Dockle Container Scanner
         uses: erzz/dockle-action@v1
-        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release') }}
+        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
         with:
           image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
           report-format: sarif
@@ -100,28 +100,28 @@ jobs:
       # Disable upload due to bug https://github.com/erzz/dockle-action/issues/18
       # - name: Upload Dockle SARIF Report
       #   uses: github/codeql-action/upload-sarif@v2
-      #   if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release') }}
+      #   if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
       #   with:
       #     sarif_file: dockle-report.sarif
 
       - name: Trivy Vulnerability Scanner
         uses: aquasecurity/trivy-action@master
-        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release') }}
+       if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
         with:
           image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
           format: 'sarif'
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy SARIF Report
         uses: github/codeql-action/upload-sarif@v2
-        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release') }}
+       if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
         with:
           sarif_file: 'trivy-results.sarif'
 
       - name: Anchore Container Scan
         id: anchore-scan
         uses: anchore/scan-action@v3.3.0
-        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release') }}
+        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
         with:
           image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
           fail-build: true
@@ -130,7 +130,7 @@ jobs:
 
       - name: Upload Anchore Scan SARIF Report
         uses: github/codeql-action/upload-sarif@v2
-        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release') }}
+        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
         with:
           sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
           token: ${{ secrets.GITHUB_TOKEN }}

CONTRIBUTING.md

@@ -138,6 +138,18 @@ If your package is on the Amber list please make a maintainer aware and let them
 
 If your package is on the Red list you will have to look for another package that achieves the same aim with a more permissive license.
 
+
+##### Vulnerability Scanning
+
+The [Build](.github/workflows/build.yml) CI worklfow builds & publishes container images to [GitHub Packages](https://github.com/orgs/Project-MONAI/packages?repo_name=monai-deploy-workflow-manager).
+The CI workflow also performs container scanning using [Trivy](https://github.com/marketplace/actions/aqua-security-trivy#using-trivy-with-github-code-scanning), [Dockle](https://github.com/marketplace/actions/dockle-action), and [Anchore](https://github.com/marketplace/actions/anchore-container-scan) for the `main` branch and the `release/*` branches.
+
+If any vulnerability is discovered without any mitigation or is false positive, please open a new GitHub issue to track the vulnerability before adding to the allowlists:
+
+- Trivy: `.trivyignore`, include URL to the GitHub issue as comment
+
+Once a vulnerability is mitigated or fixed, update the allowlists to remove it.
+
 #### Test Projects
 
 All C# projects reside in their directory, including a `Tests/` subdirectory.
@@ -154,11 +166,21 @@ MONAI Deploy Workflow Manager functionality has plenty of unit tests from which
 
 Documentation for MONAI Deploy Workflow Manager is located at `docs/` and requires [DocFX](https://dotnet.github.io/docfx/) to build.
 
+- *docs/index.md*: documentation landing page
+- *docs/setup/*: component installation & configuration pages
+- *docs/api/rest*: RESTful APIs
+
+Note: *docfx* generated C# APIs based on [XML documentation comments](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/xmldoc/) written in the source code. 
+To configure which C# projects to include in the documentation, edit the **metadata>src>files** section in the *docs/docfx.json* file.
+
 Please follow the [instructions](https://dotnet.github.io/docfx/tutorial/docfx_getting_started.html#2-use-docfx-as-a-command-line-tool) to install Mono and download the DocFX command-line tool to build the documentation.
 
 ```bash
 [path-to]/docfx.exe docs/docfx.json
 ```
+##### Updating Changelog
+
+The changelog is located in `docs/changelog.md` and should be updated for every release to include new features, bug fixes and breaking changes.
 
 #### Automatic code formatting