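## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
## SPDX-License-Identifier: Apache-2.0
# Performs a daily scan of:
# * The latest released ADOT Java image, using Trivy
# * Project dependencies, using DependencyCheck
#
# Publishes results to CloudWatch Metrics.
#
# The image refs are fixed tags (IMAGE_V1 / IMAGE_V2 under `env`) and have to
# be bumped by hand on each release. Every scan step carries `if: always()` so
# one failing scan neither stops the remaining scans nor the metric
# publication; the publish steps at the end read each scan's `outcome` to pick
# the metric value (1.0 on success, 0.0 otherwise).
name: Daily scan
on:
  schedule:
    - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
  workflow_dispatch: # be able to run the workflow on demand
env:
  AWS_DEFAULT_REGION: us-east-1
  # Image refs under scan, kept in one place so the high- and low-severity
  # scans of a release always target the same tag; bump both here on release.
  IMAGE_V1: 'public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v1.33.0'
  IMAGE_V2: 'public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.1'
  # Metric dimensions go through the environment instead of being expanded
  # straight into the `run:` scripts, so a branch name that happens to contain
  # shell metacharacters is handled as data, not as shell syntax.
  METRIC_REPOSITORY: ${{ github.repository }}
  METRIC_BRANCH: ${{ github.ref_name }}
permissions:
  id-token: write # needed for the OIDC-based role assumption in the configure-aws-credentials steps
  contents: read
jobs:
  scan_and_report:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo for dependency scan
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Set up Java for dependency scan
        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          java-version: '17' # quoted so generic YAML parsers keep it a string
          distribution: 'temurin'
      - name: Configure AWS credentials for dependency scan
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
        with:
          role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
      - name: Get NVD API key for dependency scan
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10
        id: nvd_api_key
        with:
          secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
          # The parsed JSON fields become environment variables; the scan below
          # reads env.NVD_API_KEY_NVD_API_KEY (presumably named <secret>_<field>
          # by the action — verify against the secret's layout).
          parse-json-secrets: true
      - name: Publish patched dependencies to maven local
        uses: ./.github/actions/patch-dependencies
      - name: Build JAR
        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0
        with:
          arguments: assemble -PlocalDocker=true
      # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
      #
      # The release zip is checked against its detached signature before it is
      # unpacked. The 40-hex-digit --recv-keys argument is a full fingerprint,
      # so the signing key is pinned rather than looked up by name or short id.
      # --failOnCVSS 0 fails the step on any finding regardless of its score.
      # The whole chain is handed to the local execute_and_retry action, which
      # takes a cleanup command plus max_retry / sleep_time (see that action
      # for the exact retry semantics).
      - name: Install and run dependency scan
        id: dep_scan
        if: always()
        uses: ./.github/actions/execute_and_retry
        with:
          command: 'gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED &&
            VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1) &&
            curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip &&
            curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc &&
            gpg --verify dependency-check.zip.asc &&
            unzip dependency-check.zip &&
            ./dependency-check/bin/dependency-check.sh --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s "otelagent/build/libs/aws-opentelemetry-agent-*-SNAPSHOT.jar"'
          cleanup: 'rm -f ./dependency-check.zip && rm -f ./dependency-check.zip.asc && rm -rf ./dependency-check || true'
          max_retry: 5
          sleep_time: 60
      # A failing dep_scan step fails the job, and a step condition without a
      # status-check function gets an implicit success() — so without always()
      # this step would be skipped in exactly the case it exists for.
      - name: Print dependency scan results on failure
        if: ${{ always() && steps.dep_scan.outcome != 'success' }}
        run: cat dependency-check-report.html # no TTY in CI; dump the report into the log
      - name: Configure AWS credentials for image scan
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
      - name: Login to Public ECR
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: public.ecr.aws
      # Each release is scanned twice with the local image_scan action: once for
      # CRITICAL/HIGH and once for the remaining severities, so the two results
      # can be reported as separate metrics below.
      - name: Perform high image scan on v1
        if: always()
        id: high_scan_v1
        uses: ./.github/actions/image_scan
        with:
          image-ref: ${{ env.IMAGE_V1 }}
          severity: 'CRITICAL,HIGH'
      - name: Perform low image scan on v1
        if: always()
        id: low_scan_v1
        uses: ./.github/actions/image_scan
        with:
          image-ref: ${{ env.IMAGE_V1 }}
          severity: 'MEDIUM,LOW,UNKNOWN'
      - name: Perform high image scan on v2
        if: always()
        id: high_scan_v2
        uses: ./.github/actions/image_scan
        with:
          image-ref: ${{ env.IMAGE_V2 }}
          severity: 'CRITICAL,HIGH'
      - name: Perform low image scan on v2
        if: always()
        id: low_scan_v2
        uses: ./.github/actions/image_scan
        with:
          image-ref: ${{ env.IMAGE_V2 }}
          severity: 'MEDIUM,LOW,UNKNOWN'
      - name: Configure AWS Credentials for emitting metrics
        if: always()
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
        with:
          role-to-assume: ${{ secrets.METRICS_ROLE_ARN }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
      # NOTE(review): the v1 and v2 publish steps below emit the same metric with
      # identical dimensions (workflow=daily_scan_high, resp. daily_scan_low),
      # so CloudWatch stores both releases' data points under one metric and
      # cannot tell them apart. A per-release dimension would separate them,
      # but any alarm or dashboard keyed on the current dimensions would then
      # need updating, so it is left as is here.
      #
      # The high-severity metric reflects the image scan alone; the
      # low-severity metric also folds in the dependency scan, so it reads 1.0
      # only when both passed.
      - name: Publish high scan status on v1
        if: always()
        run: |
          value="${{ steps.high_scan_v1.outcome == 'success' && '1.0' || '0.0' }}"
          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
            --metric-name Success \
            --dimensions "repository=${METRIC_REPOSITORY},branch=${METRIC_BRANCH},workflow=daily_scan_high" \
            --value "$value"
      - name: Publish high scan status on v2
        if: always()
        run: |
          value="${{ steps.high_scan_v2.outcome == 'success' && '1.0' || '0.0' }}"
          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
            --metric-name Success \
            --dimensions "repository=${METRIC_REPOSITORY},branch=${METRIC_BRANCH},workflow=daily_scan_high" \
            --value "$value"
      - name: Publish low scan status on v1
        if: always()
        run: |
          value="${{ steps.low_scan_v1.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0' }}"
          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
            --metric-name Success \
            --dimensions "repository=${METRIC_REPOSITORY},branch=${METRIC_BRANCH},workflow=daily_scan_low" \
            --value "$value"
      - name: Publish low scan status on v2
        if: always()
        run: |
          value="${{ steps.low_scan_v2.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0' }}"
          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
            --metric-name Success \
            --dimensions "repository=${METRIC_REPOSITORY},branch=${METRIC_BRANCH},workflow=daily_scan_low" \
            --value "$value"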