diff --git a/.github/workflows/serverless-init-vulnerability-scan.yml b/.github/workflows/serverless-init-vulnerability-scan.yml new file mode 100644 index 000000000..eccf2309c --- /dev/null +++ b/.github/workflows/serverless-init-vulnerability-scan.yml 
@@ -0,0 +1,89 @@
+name: "Serverless Init Vulnerability Scan"
+
+on:
+ schedule:
+ # daily at midnight
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+env:
+ # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+
+jobs:
+ trivy-scans:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Scan latest serverless-init image with trivy
+ uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+ with:
+ image-ref: "datadog/serverless-init:latest"
+ ignore-unfixed: true
+ exit-code: 1
+ format: table
+
+ - name: Scan latest-alpine serverless-init image with trivy
+ uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+ with:
+ image-ref: "datadog/serverless-init:latest-alpine"
+ ignore-unfixed: true
+ exit-code: 1
+ format: table
+
+ grype-scans:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Scan latest serverless-init image with grype
+ uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+ with:
+ image: "datadog/serverless-init:latest"
+ only-fixed: true
+ fail-build: true
+ severity-cutoff: low
+ output-format: table
+
+ - name: Scan latest-alpine serverless-init image with grype
+ uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+ with:
+ image: "datadog/serverless-init:latest-alpine"
+ only-fixed: true
+ fail-build: true
+ severity-cutoff: low
+ output-format: table
+
+ retry:
+ needs: [trivy-scans, grype-scans]
+ if: failure() && fromJSON(github.run_attempt) < 2
+ runs-on: ubuntu-22.04
+ permissions:
+ actions: write
+ steps:
+ - name: Retry failed action
+ env:
+ GH_REPO: ${{ github.repository }}
+ GH_TOKEN: ${{ github.token }}
+ run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
+
+ notify:
+ needs: [trivy-scans, grype-scans]
+ if: failure() && 
fromJSON(github.run_attempt) >= 2 + runs-on: ubuntu-22.04 + steps: + - name: Notify + env: + SLACK_CHANNEL: "#serverless-agent" + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + run: | + set -x + + OPS_MESSAGE=":gh-check-failed: Serverless Init Vulnerability Scan failed! :radar-scan: + + Whoever is on support, please fix the vulnerability, before a customer alerts us to it. + + See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:" + + curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{ + "channel": "'"$SLACK_CHANNEL"'", + "text": "'"$OPS_MESSAGE"'" + }' diff --git a/.github/workflows/serverless-vuln-scan.yml b/.github/workflows/vulnerability-scan.yml similarity index 77% rename from .github/workflows/serverless-vuln-scan.yml rename to .github/workflows/vulnerability-scan.yml index de32250e2..1d155dbe6 100644 --- a/.github/workflows/serverless-vuln-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -1,4 +1,4 @@ -name: "Serverless Vulnerability Scan" +name: "Vulnerability Scan" on: schedule: @@ -7,18 +7,15 @@ on: workflow_dispatch: env: - VERSION: 1 # env var required when building extension + VERSION: dev # env var required when building extension # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db jobs: - check: + trivy-scans: runs-on: ubuntu-22.04 steps: - - # scan latest released images - - name: Scan latest released image with trivy uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 with: 
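Review bot: The `notify` step runs its shell under `set -x`, so bash traces the expanded `curl` command line — `$SLACK_WEBHOOK` included — into the job log; GitHub's secret masking should redact the value of `secrets.SLACK_WEBHOOK`, but the trace buys nothing here and is an easy path for a webhook URL to leak if masking ever misses, so I would drop `set -x` and instead make the post fail loudly with `curl --fail -sS -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{` (as written, a 4xx from a revoked webhook still exits 0 and the alert is silently lost). The workflow also declares no top-level `permissions:`, so `trivy-scans`, `grype-scans` and `notify` inherit the repository's default `GITHUB_TOKEN` scope even though they only pull public images and print a table; `permissions: {}` at the top level keeps least privilege, and the `retry` job already grants itself `actions: write` at job level. Finally, `ignore-unfixed: true` (trivy) and `only-fixed: true` (grype) mean a green run can still ship known CVEs that have no upstream fix, which deserves a comment next to those keys, e.g. `# unfixed CVEs are skipped: a passing scan is not a clean image`.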
@@ -35,22 +32,9 @@ jobs: exit-code: 1 format: table - - name: Scan latest serverless-init image with trivy - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 - with: - image-ref: "datadog/serverless-init:latest" - ignore-unfixed: true - exit-code: 1 - format: table - - - name: Scan latest-alpine serverless-init image with trivy - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 - with: - image-ref: "datadog/serverless-init:latest-alpine" - ignore-unfixed: true - exit-code: 1 - format: table - + grype-scans: + runs-on: ubuntu-22.04 + steps: - name: Scan latest release image with grype uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 with: @@ -69,26 +53,9 @@ jobs: severity-cutoff: low output-format: table - - name: Scan latest serverless-init image with grype - uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 - with: - image: "datadog/serverless-init:latest" - only-fixed: true - fail-build: true - severity-cutoff: low - output-format: table - - - name: Scan latest-alpine serverless-init image with grype - uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 - with: - image: "datadog/serverless-init:latest-alpine" - only-fixed: true - fail-build: true - severity-cutoff: low - output-format: table - - # scan unreleased from main - + build-and-binary-scans: + runs-on: ubuntu-22.04 + steps: - name: Checkout datadog-agent repository uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: @@ -160,7 +127,7 @@ jobs: output-format: table retry: - needs: check + needs: [trivy-scans, grype-scans, build-and-binary-scans] if: failure() && fromJSON(github.run_attempt) < 2 runs-on: ubuntu-22.04 permissions: 
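Review bot: The new `grype-scans` job header carries no `permissions:` block, and as far as the header hunks above show (`name`, `on`, `env`, then `jobs:` with nothing in between) there is no workflow-level one either, so this job — like `trivy-scans` and `build-and-binary-scans`, split out of the former `check` job in the same change — runs with the repository's default `GITHUB_TOKEN` scope although it only pulls a public image and prints a table. Splitting one job into three also triples the number of jobs that inherit that default scope, so this is the moment to add `permissions: {}` under each scan job (or once at the top level) so that only `retry`, which already sets `actions: write`, holds a writable token. If a top-level `permissions:` exists in a part of the file not shown here, disregard.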
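Review bot: `build-and-binary-scans` opens with `actions/checkout` of the agent repository, and its `with:` block continues outside this hunk; unless it sets `persist-credentials: false`, the job token is written into `.git/config` and stays available to every later build and scan step in the job, which a build-and-scan job has no need for. If none of the following steps push or fetch with the token, add `persist-credentials: false` under that checkout's `with:`. The `build-and-binary-scans` job body runs past the end of this hunk.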
@@ -173,7 +140,7 @@ jobs: run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }} notify: - needs: check + needs: [trivy-scans, grype-scans, build-and-binary-scans] if: failure() && fromJSON(github.run_attempt) >= 2 runs-on: ubuntu-22.04 steps: @@ -184,7 +151,7 @@ jobs: run: | set -x - OPS_MESSAGE=":gh-check-failed: Serverless Vulnerability Scan failed! :radar-scan: + OPS_MESSAGE=":gh-check-failed: Lambda Extension Vulnerability Scan failed! :radar-scan: Whoever is on support, please fix the vulnerability, before a customer alerts us to it.