add serverless-init vulnerability scans

duncanista · duncanista · commit 115b99ba7173 · 2025-07-14T15:00:19.000-04:00
diff --git a/.github/workflows/serverless-init-vulnerability-scan.yml b/.github/workflows/serverless-init-vulnerability-scan.yml
@@ -0,0 +1,89 @@
+name: "Serverless Init Vulnerability Scan"
+
+on:
+  schedule:
+    # daily at midnight
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+env:
+  # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
+  TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+  TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+
+jobs:
+  trivy-scans:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Scan latest serverless-init image with trivy
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          image-ref: "datadog/serverless-init:latest"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+      - name: Scan latest-alpine serverless-init image with trivy
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          image-ref: "datadog/serverless-init:latest-alpine"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+  grype-scans:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Scan latest serverless-init image with grype
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        with:
+          image: "datadog/serverless-init:latest"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+      - name: Scan latest-alpine serverless-init image with grype
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        with:
+          image: "datadog/serverless-init:latest-alpine"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+  retry:
+    needs: [trivy-scans, grype-scans]
+    if: failure() && fromJSON(github.run_attempt) < 2
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+    steps:
+      - name: Retry failed action
+        env:
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}
+        run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
+
+  notify:
+    needs: [trivy-scans, grype-scans]
+    if: failure() && fromJSON(github.run_attempt) >= 2
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Notify
+        env:
+          SLACK_CHANNEL: "#serverless-agent"
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        run: |
+          set -x
+
+          OPS_MESSAGE=":gh-check-failed: Serverless Init Vulnerability Scan failed! :radar-scan:
+
+          Whoever is on support, please fix the vulnerability, before a customer alerts us to it.
+
+          See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:"
+
+          curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{
+            "channel": "'"$SLACK_CHANNEL"'",
+            "text": "'"$OPS_MESSAGE"'"
+          }' 
