datadog-lambda-extension/.github/workflows/vulnerability-scan.yml at main · DataDog/datadog-lambda-extension · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
name: "Vulnerability Scan"

on:
  schedule:
    # daily at midnight
    - cron: "0 0 * * *"
  workflow_dispatch:

env:
  # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
  TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
  TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db

jobs:
  trivy-scans:
    name: Trivy Scans (latest)
    runs-on: ubuntu-22.04
    steps:
      - name: Scan latest released image with trivy
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
          ignore-unfixed: true
          exit-code: 1
          format: table

      - name: Scan latest-alpine released image with trivy
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
          ignore-unfixed: true
          exit-code: 1
          format: table

  grype-scans:
    name: Grype Scans (latest)
    runs-on: ubuntu-22.04
    steps:
      - name: Scan latest release image with grype
        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
        with:
          image: "public.ecr.aws/datadog/lambda-extension:latest"
          only-fixed: true
          fail-build: true
          severity-cutoff: low
          output-format: table

      - name: Scan latest-alpine release image with grype
        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
        with:
          image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
          only-fixed: true
          fail-build: true
          severity-cutoff: low
          output-format: table

  retry:
    needs: [trivy-scans, grype-scans]
    if: failure() && fromJSON(github.run_attempt) < 2
    runs-on: ubuntu-22.04
    permissions:
      actions: write
    steps:
      - name: Retry failed action
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
        run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}

  notify:
    needs: [trivy-scans, grype-scans]
    if: failure() && fromJSON(github.run_attempt) >= 2
    runs-on: ubuntu-22.04
    steps:
      - name: Notify
        env:
          SLACK_CHANNEL: "#serverless-agent"
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
        run: |
          set -x

          OPS_MESSAGE=":gh-check-failed: Lambda Extension Vulnerability Scan failed! :radar-scan:

          Whoever is on support, please fix the vulnerability, before a customer alerts us to it.

          See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:"

          curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{
            "channel": "'"$SLACK_CHANNEL"'",
            "text": "'"$OPS_MESSAGE"'"
          }'