chore(github): separate vulnerability scans (#739)

# What?

Separates Lambda Extension and Serverless Init vulnerability scans

# Motivation

If Serverless Init fails, Lambda doesnt execute, here it justs separates
them and runs them per scanner and per product

# Tests
<img width="925" height="172" alt="Screenshot 2025-07-11 at 11 38 07 AM"
src="https://github.com/user-attachments/assets/765edd75-5baf-4c32-a7b8-bb13f056c031"
/>

Author: duncanista

.github/workflows/serverless-init-vulnerability-scan.yml

@@ -0,0 +1,89 @@
+name: "Serverless Init Vulnerability Scan"
+
+on:
+  schedule:
+    # daily at midnight
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+env:
+  # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
+  TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+  TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+
+jobs:
+  trivy-scans:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Scan latest serverless-init image with trivy
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          image-ref: "datadog/serverless-init:latest"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+      - name: Scan latest-alpine serverless-init image with trivy
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          image-ref: "datadog/serverless-init:latest-alpine"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+  grype-scans:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Scan latest serverless-init image with grype
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        with:
+          image: "datadog/serverless-init:latest"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+      - name: Scan latest-alpine serverless-init image with grype
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        with:
+          image: "datadog/serverless-init:latest-alpine"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+  retry:
+    needs: [trivy-scans, grype-scans]
+    if: failure() && fromJSON(github.run_attempt) < 2
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+    steps:
+      - name: Retry failed action
+        env:
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}
+        run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
+
+  notify:
+    needs: [trivy-scans, grype-scans]
+    if: failure() && fromJSON(github.run_attempt) >= 2
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Notify
+        env:
+          SLACK_CHANNEL: "#serverless-agent"
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        run: |
+          set -x
+
+          OPS_MESSAGE=":gh-check-failed: Serverless Init Vulnerability Scan failed! :radar-scan:
+
+          Whoever is on support, please fix the vulnerability, before a customer alerts us to it.
+
+          See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:"
+
+          curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{
+            "channel": "'"$SLACK_CHANNEL"'",
+            "text": "'"$OPS_MESSAGE"'"
+          }'

…ithub/workflows/serverless-vuln-scan.yml .github/workflows/vulnerability-scan.yml.github/workflows/serverless-vuln-scan.yml renamed to .github/workflows/vulnerability-scan.yml .github/workflows/serverless-vuln-scan.yml renamed to .github/workflows/vulnerability-scan.yml

@@ -1,4 +1,4 @@
-name: "Serverless Vulnerability Scan"
+name: "Vulnerability Scan"
 
 on:
   schedule:
@@ -7,18 +7,15 @@ on:
   workflow_dispatch:
 
 env:
-  VERSION: 1  # env var required when building extension
+  VERSION: dev  # env var required when building extension
   # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
   TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
   TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
 jobs:
-  check:
+  trivy-scans:
     runs-on: ubuntu-22.04
     steps:
-
-      # scan latest released images
-
       - name: Scan latest released image with trivy
         uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
         with:
@@ -35,22 +32,9 @@ jobs:
           exit-code: 1
           format: table
 
-      - name: Scan latest serverless-init image with trivy
-        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
-        with:
-          image-ref: "datadog/serverless-init:latest"
-          ignore-unfixed: true
-          exit-code: 1
-          format: table
-
-      - name: Scan latest-alpine serverless-init image with trivy
-        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
-        with:
-          image-ref: "datadog/serverless-init:latest-alpine"
-          ignore-unfixed: true
-          exit-code: 1
-          format: table
-
+  grype-scans:
+    runs-on: ubuntu-22.04
+    steps:
       - name: Scan latest release image with grype
         uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
         with:
@@ -69,26 +53,9 @@ jobs:
           severity-cutoff: low
           output-format: table
 
-      - name: Scan latest serverless-init image with grype
-        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
-        with:
-          image: "datadog/serverless-init:latest"
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
-
-      - name: Scan latest-alpine serverless-init image with grype
-        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
-        with:
-          image: "datadog/serverless-init:latest-alpine"
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
-
-      # scan unreleased from main
-
+  build-and-binary-scans:
+    runs-on: ubuntu-22.04
+    steps:
       - name: Checkout datadog-agent repository
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
@@ -160,7 +127,7 @@ jobs:
           output-format: table
 
   retry:
-    needs: check
+    needs: [trivy-scans, grype-scans, build-and-binary-scans]
     if: failure() && fromJSON(github.run_attempt) < 2
     runs-on: ubuntu-22.04
     permissions:
@@ -173,7 +140,7 @@ jobs:
         run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
 
   notify:
-    needs: check
+    needs: [trivy-scans, grype-scans, build-and-binary-scans]
     if: failure() && fromJSON(github.run_attempt) >= 2
     runs-on: ubuntu-22.04
     steps:
@@ -184,7 +151,7 @@ jobs:
         run: |
           set -x
 
-          OPS_MESSAGE=":gh-check-failed: Serverless Vulnerability Scan failed! :radar-scan:
+          OPS_MESSAGE=":gh-check-failed: Lambda Extension Vulnerability Scan failed! :radar-scan:
 
           Whoever is on support, please fix the vulnerability, before a customer alerts us to it.