From a8380caded031480583bdee1bdee12d8447fd058 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?jordan=20gonz=C3=A1lez?= <30836115+duncanista@users.noreply.github.com>
Date: Fri, 11 Jul 2025 11:30:16 -0700
Subject: [PATCH 1/6] remove `serverless-vuln-scan.yml`
---
 .github/workflows/serverless-vuln-scan.yml | 196 ---------------------
 1 file changed, 196 deletions(-)
 delete mode 100644 .github/workflows/serverless-vuln-scan.yml
diff --git a/.github/workflows/serverless-vuln-scan.yml b/.github/workflows/serverless-vuln-scan.yml
deleted file mode 100644
index de32250e2..000000000
--- a/.github/workflows/serverless-vuln-scan.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -name: "Serverless Vulnerability Scan" - -on: - schedule: - # daily at midnight - - cron: "0 0 * * *" - workflow_dispatch: - -env: - VERSION: 1 # env var required when building extension - # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit - TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db - TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db - -jobs: - check: - runs-on: ubuntu-22.04 - steps: - - # scan latest released images - - - name: Scan latest released image with trivy - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 - with: - image-ref: "public.ecr.aws/datadog/lambda-extension:latest" - ignore-unfixed: true - exit-code: 1 - format: table - - - name: Scan latest-alpine released image with trivy - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 - with: - image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine" - ignore-unfixed: true - exit-code: 1 - format: table - - - name: Scan latest serverless-init image with trivy - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 - with: - image-ref: "datadog/serverless-init:latest" - ignore-unfixed: true - exit-code: 1 - format: table - - - name: Scan latest-alpine serverless-init image with trivy - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 - with: - image-ref: "datadog/serverless-init:latest-alpine" - ignore-unfixed: true - exit-code: 1 - format: table - - - name: Scan latest release image with grype - uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 - with: - image: "public.ecr.aws/datadog/lambda-extension:latest" - only-fixed: true - fail-build: true - severity-cutoff: low - output-format: table - - - name: Scan latest-alpine release image with grype - uses: 
anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 - with: - image: "public.ecr.aws/datadog/lambda-extension:latest-alpine" - only-fixed: true - fail-build: true - severity-cutoff: low - output-format: table - - - name: Scan latest serverless-init image with grype - uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 - with: - image: "datadog/serverless-init:latest" - only-fixed: true - fail-build: true - severity-cutoff: low - output-format: table - - - name: Scan latest-alpine serverless-init image with grype - uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 - with: - image: "datadog/serverless-init:latest-alpine" - only-fixed: true - fail-build: true - severity-cutoff: low - output-format: table - - # scan unreleased from main - - - name: Checkout datadog-agent repository - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - with: - repository: DataDog/datadog-agent - path: go/src/github.com/DataDog/datadog-agent - - - name: Checkout datadog-lambda-extension repository - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - with: - repository: DataDog/datadog-lambda-extension - path: go/src/github.com/DataDog/datadog-lambda-extension - - - name: Set up QEMU - id: qemu - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - with: - image: tonistiigi/binfmt:qemu-v9.2.2-52 #v3.6.0 latest - platforms: amd64,arm64 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - - - name: Build extension - run: | - cd go/src/github.com/DataDog/datadog-lambda-extension - ./scripts/build_binary_and_layer_dockerized.sh - - - name: Scan amd64 image with trivy - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 - with: - image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" - ignore-unfixed: true - exit-code: 1 - format: table - - 
- name: Scan arm64 image with trivy - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 - with: - image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" - ignore-unfixed: true - exit-code: 1 - format: table - - - name: Scan amd64 image with grype - uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 - with: - image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" - only-fixed: true - fail-build: true - severity-cutoff: low - output-format: table - - - name: Scan arm64 image with grype - uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 - with: - image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" - only-fixed: true - fail-build: true - severity-cutoff: low - output-format: table - - - name: Scan binary files with grype - uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 - with: - path: go/src/github.com/DataDog/datadog-lambda-extension/.layers - only-fixed: true - fail-build: true - severity-cutoff: low - output-format: table - - retry: - needs: check - if: failure() && fromJSON(github.run_attempt) < 2 - runs-on: ubuntu-22.04 - permissions: - actions: write - steps: - - name: Retry failed action - env: - GH_REPO: ${{ github.repository }} - GH_TOKEN: ${{ github.token }} - run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }} - - notify: - needs: check - if: failure() && fromJSON(github.run_attempt) >= 2 - runs-on: ubuntu-22.04 - steps: - - name: Notify - env: - SLACK_CHANNEL: "#serverless-agent" - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - run: | - set -x - - OPS_MESSAGE=":gh-check-failed: Serverless Vulnerability Scan failed! :radar-scan: - - Whoever is on support, please fix the vulnerability, before a customer alerts us to it. - - See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. 
:bufo-thanks:" - - curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{ - "channel": "'"$SLACK_CHANNEL"'", - "text": "'"$OPS_MESSAGE"'" - }' From 115b99ba71737f6f1eafbc3df5f152b08ad28807 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?jordan=20gonz=C3=A1lez?= <30836115+duncanista@users.noreply.github.com> Date: Fri, 11 Jul 2025 11:31:02 -0700 Subject: [PATCH 2/6] add `serverless-init` vulnerability scans --- .../serverless-init-vulnerability-scan.yml | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 .github/workflows/serverless-init-vulnerability-scan.yml diff --git a/.github/workflows/serverless-init-vulnerability-scan.yml b/.github/workflows/serverless-init-vulnerability-scan.yml new file mode 100644 index 000000000..f3e7780a4 --- /dev/null +++ b/.github/workflows/serverless-init-vulnerability-scan.yml 
@@ -0,0 +1,89 @@ +name: "Serverless Init Vulnerability Scan" + +on: + schedule: + # daily at midnight + - cron: "0 0 * * *" + workflow_dispatch: + +env: + # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db + TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db + +jobs: + trivy-scans: + runs-on: ubuntu-22.04 + steps: + - name: Scan latest serverless-init image with trivy + uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 + with: + image-ref: "datadog/serverless-init:latest" + ignore-unfixed: true + exit-code: 1 + format: table + + - name: Scan latest-alpine serverless-init image with trivy + uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 + with: + image-ref: "datadog/serverless-init:latest-alpine" + ignore-unfixed: true + exit-code: 1 + format: table + + grype-scans: + runs-on: ubuntu-22.04 + steps: + - name: Scan latest serverless-init image with grype + uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 + with: + image: "datadog/serverless-init:latest" + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: table + + - name: Scan latest-alpine serverless-init image with grype + uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 + with: + image: "datadog/serverless-init:latest-alpine" + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: table + + retry: + needs: [trivy-scans, grype-scans] + if: failure() && fromJSON(github.run_attempt) < 2 + runs-on: ubuntu-22.04 + permissions: + actions: write + steps: + - name: Retry failed action + env: + GH_REPO: ${{ github.repository }} + GH_TOKEN: ${{ github.token }} + run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }} + + notify: + needs: [trivy-scans, grype-scans] + if: failure() && 
fromJSON(github.run_attempt) >= 2 + runs-on: ubuntu-22.04 + steps: + - name: Notify + env: + SLACK_CHANNEL: "#serverless-agent" + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + run: | + set -x + + OPS_MESSAGE=":gh-check-failed: Serverless Init Vulnerability Scan failed! :radar-scan: + + Whoever is on support, please fix the vulnerability, before a customer alerts us to it. + + See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:" + + curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{ + "channel": "'"$SLACK_CHANNEL"'", + "text": "'"$OPS_MESSAGE"'" + }' \ No newline at end of file From f98cce7e044535a72a0fb363c3c2eb44fb1328eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?jordan=20gonz=C3=A1lez?= <30836115+duncanista@users.noreply.github.com> Date: Fri, 11 Jul 2025 11:31:35 -0700 Subject: [PATCH 3/6] add lambda vulnerability scans --- .github/workflows/vulnerability-scan.yml | 163 +++++++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 .github/workflows/vulnerability-scan.yml diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml new file mode 100644 index 000000000..9911593d6 --- /dev/null +++ b/.github/workflows/vulnerability-scan.yml 
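Review bot: The new workflow declares no top-level `permissions:`, so `trivy-scans`, `grype-scans` and `notify` run with whatever GITHUB_TOKEN scopes the repository defaults to (write-all on older defaults); only `retry` narrows itself to `actions: write`. None of the scan or notify steps use the token at all, so add `permissions: contents: read` (or `permissions: {}`) directly under `name:` and keep the per-job `actions: write` on `retry`, which then elevates only where needed. Separately, the `notify` step runs `set -x` immediately before the `curl -X POST "$SLACK_WEBHOOK"` line, so the expanded command including the webhook URL is traced to the job log; the runner's secret masking should redact a registered secret, but relying on it is unnecessary — drop `set -x` there or keep it and feed the body via `--data @-` from a heredoc that does not echo the URL. Also, the hand-built JSON embeds `$OPS_MESSAGE` with literal newlines inside a string, which is not strictly valid JSON; whether Slack's endpoint tolerates it is not verifiable from this diff.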
@@ -0,0 +1,163 @@ +name: "Vulnerability Scan" + +on: + schedule: + # daily at midnight + - cron: "0 0 * * *" + workflow_dispatch: + +env: + VERSION: dev # env var required when building extension + # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db + TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db + +jobs: + trivy-scans: + runs-on: ubuntu-22.04 + steps: + - name: Scan latest released image with trivy + uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 + with: + image-ref: "public.ecr.aws/datadog/lambda-extension:latest" + ignore-unfixed: true + exit-code: 1 + format: table + + - name: Scan latest-alpine released image with trivy + uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 + with: + image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine" + ignore-unfixed: true + exit-code: 1 + format: table + + grype-scans: + runs-on: ubuntu-22.04 + steps: + - name: Scan latest release image with grype + uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 + with: + image: "public.ecr.aws/datadog/lambda-extension:latest" + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: table + + - name: Scan latest-alpine release image with grype + uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 + with: + image: "public.ecr.aws/datadog/lambda-extension:latest-alpine" + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: table + + build-and-binary-scans: + runs-on: ubuntu-22.04 + steps: + - name: Checkout datadog-agent repository + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + with: + repository: DataDog/datadog-agent + path: go/src/github.com/DataDog/datadog-agent + + - name: Checkout datadog-lambda-extension repository + 
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + with: + repository: DataDog/datadog-lambda-extension + path: go/src/github.com/DataDog/datadog-lambda-extension + + - name: Set up QEMU + id: qemu + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + with: + image: tonistiigi/binfmt:qemu-v9.2.2-52 #v3.6.0 latest + platforms: amd64,arm64 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + + - name: Build extension + run: | + cd go/src/github.com/DataDog/datadog-lambda-extension + ./scripts/build_binary_and_layer_dockerized.sh + + - name: Scan amd64 image with trivy + uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 + with: + image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" + ignore-unfixed: true + exit-code: 1 + format: table + + - name: Scan arm64 image with trivy + uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 + with: + image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" + ignore-unfixed: true + exit-code: 1 + format: table + + - name: Scan amd64 image with grype + uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 + with: + image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: table + + - name: Scan arm64 image with grype + uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 + with: + image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: table + + - name: Scan binary files with grype + uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0 + with: + path: go/src/github.com/DataDog/datadog-lambda-extension/.layers + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: 
table + + retry: + needs: [trivy-scans, grype-scans, build-and-binary-scans] + if: failure() && fromJSON(github.run_attempt) < 2 + runs-on: ubuntu-22.04 + permissions: + actions: write + steps: + - name: Retry failed action + env: + GH_REPO: ${{ github.repository }} + GH_TOKEN: ${{ github.token }} + run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }} + + notify: + needs: [trivy-scans, grype-scans, build-and-binary-scans] + if: failure() && fromJSON(github.run_attempt) >= 2 + runs-on: ubuntu-22.04 + steps: + - name: Notify + env: + SLACK_CHANNEL: "#serverless-agent" + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + run: | + set -x + + OPS_MESSAGE=":gh-check-failed: Lambda Extension Vulnerability Scan failed! :radar-scan: + + Whoever is on support, please fix the vulnerability, before a customer alerts us to it. + + See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:" + + curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{ + "channel": "'"$SLACK_CHANNEL"'", + "text": "'"$OPS_MESSAGE"'" + }' \ No newline at end of file From edd9c3a9675a27e53fbe53331ce4acc9f8ae77e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?jordan=20gonz=C3=A1lez?= <30836115+duncanista@users.noreply.github.com> Date: Fri, 11 Jul 2025 11:35:44 -0700 Subject: [PATCH 4/6] add `on: pull_request:` so we can test if tests work --- .github/workflows/serverless-init-vulnerability-scan.yml | 1 + .github/workflows/vulnerability-scan.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/serverless-init-vulnerability-scan.yml b/.github/workflows/serverless-init-vulnerability-scan.yml index f3e7780a4..2f611be62 100644 --- a/.github/workflows/serverless-init-vulnerability-scan.yml +++ b/.github/workflows/serverless-init-vulnerability-scan.yml @@ -1,6 +1,7 @@ name: "Serverless Init Vulnerability Scan" on: + pull_request: schedule: # daily at midnight - cron: "0 0 * * *" 
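Review bot: In `build-and-binary-scans` both `actions/checkout` steps keep the action's default of persisting credentials, which stores the job's GITHUB_TOKEN in each checkout's `.git/config`, and the very next step executes `./scripts/build_binary_and_layer_dockerized.sh` from the unpinned default branch of `DataDog/datadog-lambda-extension` with that token reachable on disk; since the workflow also sets no top-level `permissions:`, the token carries the repository's default scopes rather than the read-only ones this job needs. Add `persist-credentials: false` under `with:` on both checkout steps and a workflow-level `permissions: contents: read` under `name:` (the `retry` job's own `actions: write` stays as is). If the intent is still to scan unreleased code from `main`, an explicit `ref: main` on both checkouts would make that visible, and the `# scan unreleased from main` / `# scan latest released images` comments the deleted workflow carried were dropped here — worth restoring above `build-and-binary-scans` and `trivy-scans` respectively. The build script is outside this diff, so whether it honors `VERSION: dev` (changed from `1`) when tagging `datadog/build-lambda-extension-amd64:${{ env.VERSION }}` cannot be confirmed from what is shown.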
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 9911593d6..ffede9b41 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -1,6 +1,7 @@ name: "Vulnerability Scan" on: + pull_request: schedule: # daily at midnight - cron: "0 0 * * *" From be68aef918a85d8f722216a7f544a02ee905c748 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?jordan=20gonz=C3=A1lez?= <30836115+duncanista@users.noreply.github.com> Date: Mon, 14 Jul 2025 15:01:13 -0400 Subject: [PATCH 5/6] eol --- .github/workflows/serverless-init-vulnerability-scan.yml | 2 +- .github/workflows/vulnerability-scan.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/serverless-init-vulnerability-scan.yml b/.github/workflows/serverless-init-vulnerability-scan.yml index 2f611be62..d3b03d615 100644 --- a/.github/workflows/serverless-init-vulnerability-scan.yml +++ b/.github/workflows/serverless-init-vulnerability-scan.yml @@ -87,4 +87,4 @@ jobs: curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{ "channel": "'"$SLACK_CHANNEL"'", "text": "'"$OPS_MESSAGE"'" - }' \ No newline at end of file + }' diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index ffede9b41..d8665efe6 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -161,4 +161,4 @@ jobs: curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{ "channel": "'"$SLACK_CHANNEL"'", "text": "'"$OPS_MESSAGE"'" - }' \ No newline at end of file + }' From 45974905aee6288b3386f73b360652f2be59e8d7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?jordan=20gonz=C3=A1lez?= <30836115+duncanista@users.noreply.github.com> Date: Mon, 14 Jul 2025 15:10:00 -0400 Subject: [PATCH 6/6] remove `on: pull_request:` --- .github/workflows/serverless-init-vulnerability-scan.yml | 1 - .github/workflows/vulnerability-scan.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/serverless-init-vulnerability-scan.yml b/.github/workflows/serverless-init-vulnerability-scan.yml index d3b03d615..eccf2309c 100644 --- a/.github/workflows/serverless-init-vulnerability-scan.yml +++ b/.github/workflows/serverless-init-vulnerability-scan.yml @@ -1,7 +1,6 @@ name: "Serverless Init Vulnerability Scan" on: - pull_request: schedule: # daily at midnight - cron: "0 0 * * *" diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index d8665efe6..1d155dbe6 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -1,7 +1,6 @@ name: "Vulnerability Scan" on: - pull_request: schedule: # daily at midnight - cron: "0 0 * * *"