aws-xray-sdk-python/.github/workflows/daily-scan.yml at master · aws/aws-xray-sdk-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
## SPDX-License-Identifier: Apache-2.0
# Performs a daily scan of:
# * The X-Ray Python SDK published artifact dependencies, using Trivy
# * Project dependencies, using DependencyCheck
#
#  Publishes results to CloudWatch Metrics.
name: Daily scan

on:
  schedule: # scheduled to run every 6 hours
    - cron: '20 */6 * * *' #  "At minute 20 past every 6th hour."
  workflow_dispatch: # be able to run the workflow on demand

env:
  AWS_DEFAULT_REGION: us-east-1

permissions:
  id-token: write
  contents: read

jobs:
  scan_and_report:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo for dependency scan
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
        with:
          fetch-depth: 0

      - name: Setup Python for dependency scan
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
        with:
          python-version: '3.x'

      - name: Install published package for scanning
        run: |
          mkdir -p scan-target
          python -m venv scan-venv
          source scan-venv/bin/activate
          pip install aws-xray-sdk
          pip freeze > scan-target/requirements.txt

      - name: Install Java for dependency scan
        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #v5.0.0
        with:
          java-version: 17
          distribution: 'temurin'

      - name: Configure AWS credentials for dependency scan
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
        with:
          role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}

      - name: Get secrets for dependency scan
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
        id: nvd_api_key
        with:
          secret-ids: |
            ${{ secrets.NVD_API_KEY_SECRET_ARN }}
            OSS_INDEX, ${{ secrets.OSS_INDEX_SECRET_ARN }}
          parse-json-secrets: true

      # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
      - name: Install and run dependency scan
        id: dep_scan
        if: always()
        run: |
          gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
          VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1)
          curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
          curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
          gpg --verify dependency-check.zip.asc
          unzip dependency-check.zip
          ./dependency-check/bin/dependency-check.sh --enableExperimental --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} --ossIndexUsername ${{ env.OSS_INDEX_USERNAME }} --ossIndexPassword ${{ env.OSS_INDEX_PASSWORD }} --suppression .github/dependency-check-suppressions.xml -s "scan-target/"

      - name: Print dependency scan results on failure
        if: ${{ steps.dep_scan.outcome != 'success' }}
        run: less dependency-check-report.html

      - name: Perform high severity scan on published artifact dependencies
        if: always()
        id: high_scan_latest
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
        with:
          scan-type: 'fs'
          scan-ref: 'scan-target/'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
          scanners: 'vuln'
        env:
          TRIVY_IGNOREFILE: .github/trivy/daily-scan.trivyignore.yaml

      - name: Perform low severity scan on published artifact dependencies
        if: always()
        id: low_scan_latest
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
        with:
          scan-type: 'fs'
          scan-ref: 'scan-target/'
          severity: 'MEDIUM,LOW,UNKNOWN'
          exit-code: '1'
          scanners: 'vuln'
        env:
          TRIVY_IGNOREFILE: .github/trivy/daily-scan.trivyignore.yaml

      - name: Configure AWS Credentials for emitting metrics
        if: always()
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
        with:
          role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}

      - name: Publish high scan status
        if: always()
        run: |
          value="${{ steps.high_scan_latest.outcome == 'success' && '1.0' || '0.0' }}"
          aws cloudwatch put-metric-data --namespace 'MonitorSDK' \
            --metric-name Success \
            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
            --value $value

      - name: Publish low scan status
        if: always()
        run: |
          value="${{ steps.low_scan_latest.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0' }}"
          aws cloudwatch put-metric-data --namespace 'MonitorSDK' \
            --metric-name Success \
            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
            --value $value