Mellanox · galnoam · Nov 18, 2025 · Nov 5, 2025
diff --git a/.ci/matrix_job.yaml b/.ci/matrix_job.yaml
@@ -3,7 +3,7 @@ job: LIBXLIO
 
 step_allow_single_selector: false
 
-registry_host: harbor.mellanox.com
+registry_host: nbu-harbor.gtm.nvidia.com
 registry_auth: swx-infra_harbor_credentials
 registry_path: /swx-infra/media
 
@@ -17,10 +17,10 @@ kubernetes:
   arch_table:
     x86_64:
       nodeSelector: 'kubernetes.io/arch=amd64'
-      jnlpImage: 'harbor.mellanox.com/toolbox/c3po-jnlp:latest'
+      jnlpImage: '${registry_host}/toolbox/c3po-jnlp:latest'
     aarch64:
       nodeSelector: 'kubernetes.io/arch=arm64'
-      jnlpImage: 'harbor.mellanox.com/toolbox/c3po-jnlp:latest'
+      jnlpImage: '${registry_host}/toolbox/c3po-jnlp:latest'
 
 credentials:
   - {credentialsId: 'media_coverity_credentials', usernameVariable: 'XLIO_COV_USER', passwordVariable: 'XLIO_COV_PASSWORD'}
@@ -86,8 +86,8 @@ runs_on_dockers:
      build_args: '--no-cache --target style',
      category: 'tool'
     }
-  - {name: 'toolbox', url: 'harbor.mellanox.com/hpcx/x86_64/rhel8.6/builder:inbox', category: 'tool', arch: 'x86_64'}
-  - {name: 'header-check', url: 'harbor.mellanox.com/toolbox/header_check:0.0.58', category: 'tool', arch: 'x86_64', tag: '0.0.58'}
+  - {name: 'toolbox', url: '${registry_host}/hpcx/x86_64/rhel8.6/builder:inbox', category: 'tool', arch: 'x86_64'}
+  - {name: 'header-check', url: '${registry_host}/toolbox/header_check:0.0.58', category: 'tool', arch: 'x86_64', tag: '0.0.58'}
 # static tests
   - {
      file: '.ci/dockerfiles/Dockerfile.rhel8.6',
@@ -106,7 +106,7 @@ runs_on_dockers:
      build_args: '--no-cache --target static',
      category: 'tool'
      }
-  - {name: 'xlio_static.csbuild', url: 'harbor.mellanox.com/swx-infra/media/x86_64/xlio_static.csbuild-clang18:20250515', category: 'tool', arch: 'x86_64' }
+  - {name: 'xlio_static.csbuild', url: '${registry_host}/swx-infra/media/x86_64/xlio_static.csbuild-clang18:20250515', category: 'tool', arch: 'x86_64' }
 # tests
   - {
      file: '.ci/dockerfiles/Dockerfile.ubuntu22.04',
@@ -126,7 +126,7 @@ runs_on_dockers:
   - {
      arch: 'x86_64',
      name: 'vg-worker-threads',
-     url: 'harbor.mellanox.com/swx-infra/media/xlio/x86_64/ubuntu22.04/vg:20250219',
+     url: '${registry_host}/swx-infra/media/xlio/x86_64/ubuntu22.04/vg:20250219',
      category: 'tool',
      annotations: [{ key: 'k8s.v1.cni.cncf.io/networks', value: 'sriov-cx6dx-p2' }],
      limits: '{memory: 10Gi, cpu: 10000m, hugepages-2Mi: 10Gi, nvidia.com/sriov-cx6dx-p2: 1}',
@@ -153,7 +153,7 @@ runs_on_dockers:
   - {
       arch: 'x86_64',
       name: 'sockperf-worker-threads',
-      url: 'harbor.mellanox.com/swx-infra/media/xlio/x86_64/ubuntu22.04/sockperf:20251015',
+      url: '${registry_host}/swx-infra/media/xlio/x86_64/ubuntu22.04/sockperf:20251015',
       category: 'tests',
       annotations: [{ key: 'k8s.v1.cni.cncf.io/networks', value: 'sriov-cx6dx-p1' }],
       limits: '{memory: 10Gi, cpu: 10000m, hugepages-2Mi: 10Gi, nvidia.com/sriov-cx6dx-p1: 1}',
@@ -180,6 +180,7 @@ runs_on_dockers:
      category: 'tool',
      build_args: '--no-cache --target build',
     }
+  - {name: 'secret-scan', url: '${registry_host}/toolbox/secret_scan:0.0.27', arch: 'x86_64', tag: '0.0.27', category: 'tool'}
 
 runs_on_agents:
   - {nodeLabel: 'beni09', category: 'base'}
@@ -212,6 +213,18 @@ steps:
       echo
     parallel: false
 
+  - name: Secret Scan
+    credentialsId: 'mellanox_github_credentials'
+    enable: ${do_secretscan}
+    containerSelector:
+      - "{name: 'secret-scan', category: 'tool'}"
+    agentSelector:
+      - "{nodeLabel: 'skip-agent'}"
+    run: |
+      env GITHUB_TOKEN=$MELLANOX_GH_TOKEN /opt/nvidia/secret_scan.py --path $WORKSPACE --git-repo $WORKSPACE --report-file secret_scan.html
+    archiveArtifacts: '*.html'
+    parallel: false
+
   - name: Install Doca-host
     containerSelector:
       - "{category: 'base'}"
@@ -222,12 +235,12 @@ steps:
       - "{nodeLabel: 'skip-agent'}"
     run: |
       echo "Installing DOCA: ${DOCA_VERSION} ..."
-      .ci/scripts/doca_install.sh 
+      .ci/scripts/doca_install.sh
 
   - name: Install Doca-host on Tools
     run: |
       echo "Installing DOCA: ${DOCA_VERSION} ..."
-      .ci/scripts/doca_install.sh 
+      .ci/scripts/doca_install.sh
     containerSelector:
       - "{name: 'style', category: 'tool', variant: 1}"
     agentSelector:

diff --git a/.ci/opensource_jjb.yaml b/.ci/opensource_jjb.yaml
@@ -117,6 +117,10 @@
             name: "do_copyrights"
             default: true
             description: "Check copyrights in source headers"
+        - bool:
+            name: "do_secretscan"
+            default: true
+            description: "Check for secrets in source code"
     triggers:
         - github-pull-request:
             cron: 'H/5 * * * *'