add lambda vulnerability scans

Author: duncanista

.github/workflows/vulnerability-scan.yml

@@ -0,0 +1,163 @@
+name: "Vulnerability Scan"
+
+on:
+  schedule:
+    # daily at midnight
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+env:
+  VERSION: dev  # env var required when building extension
+  # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
+  TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+  TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+
+jobs:
+  trivy-scans:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Scan latest released image with trivy
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+      - name: Scan latest-alpine released image with trivy
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+  grype-scans:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Scan latest release image with grype
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        with:
+          image: "public.ecr.aws/datadog/lambda-extension:latest"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+      - name: Scan latest-alpine release image with grype
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        with:
+          image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+  build-and-binary-scans:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout datadog-agent repository
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          repository: DataDog/datadog-agent
+          path: go/src/github.com/DataDog/datadog-agent
+
+      - name: Checkout datadog-lambda-extension repository
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          repository: DataDog/datadog-lambda-extension
+          path: go/src/github.com/DataDog/datadog-lambda-extension
+
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        with:
+          image: tonistiigi/binfmt:qemu-v9.2.2-52 #v3.6.0 latest
+          platforms: amd64,arm64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
+      - name: Build extension
+        run: |
+          cd go/src/github.com/DataDog/datadog-lambda-extension
+          ./scripts/build_binary_and_layer_dockerized.sh
+
+      - name: Scan amd64 image with trivy
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+      - name: Scan arm64 image with trivy
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+      - name: Scan amd64 image with grype
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        with:
+          image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+      - name: Scan arm64 image with grype
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        with:
+          image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+      - name: Scan binary files with grype
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        with:
+          path: go/src/github.com/DataDog/datadog-lambda-extension/.layers
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+  retry:
+    needs: [trivy-scans, grype-scans, build-and-binary-scans]
+    if: failure() && fromJSON(github.run_attempt) < 2
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+    steps:
+      - name: Retry failed action
+        env:
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}
+        run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
+
+  notify:
+    needs: [trivy-scans, grype-scans, build-and-binary-scans]
+    if: failure() && fromJSON(github.run_attempt) >= 2
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Notify
+        env:
+          SLACK_CHANNEL: "#serverless-agent"
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        run: |
+          set -x
+
+          OPS_MESSAGE=":gh-check-failed: Lambda Extension Vulnerability Scan failed! :radar-scan:
+
+          Whoever is on support, please fix the vulnerability, before a customer alerts us to it.
+
+          See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:"
+
+          curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{
+            "channel": "'"$SLACK_CHANNEL"'",
+            "text": "'"$OPS_MESSAGE"'"
+          }'