Skip to content

Serverless Vulnerability Scan #150

Serverless Vulnerability Scan

Serverless Vulnerability Scan #150

name: "Serverless Vulnerability Scan"
on:
schedule:
# daily at midnight
- cron: "0 0 * * *"
workflow_dispatch:
env:
VERSION: 1 # env var required when building extension
jobs:
check:
runs-on: ubuntu-latest
steps:
- name: Checkout datadog-agent repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-agent
path: go/src/github.com/DataDog/datadog-agent
- name: Checkout datadog-lambda-extension repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-lambda-extension
path: go/src/github.com/DataDog/datadog-lambda-extension
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Build extension
run: |
cd go/src/github.com/DataDog/datadog-lambda-extension
./scripts/build_binary_and_layer_dockerized.sh
- name: Scan amd64 image with trivy
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan arm64 image with trivy
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan latest released image with trivy
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan latest-alpoine released image with trivy
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan amd64 image with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan arm64 image with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan latest release image with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
image: "public.ecr.aws/datadog/lambda-extension:latest"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan latest-alpine release image with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan binary files with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
path: go/src/github.com/DataDog/datadog-lambda-extension/.layers
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
notify:
needs: check
if: failure()
runs-on: ubuntu-latest
steps:
- name: Notify
env:
SLACK_CHANNEL: "#serverless-agent"
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
run: |
set -x
OPS_MESSAGE=":gh-check-failed: Serverless Vulnerability Scan failed! :radar-scan:
Whoever is on support, please fix the vulnerability, before a customer alerts us to it.
See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:"
curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{
"channel": "'"$SLACK_CHANNEL"'",
"text": "'"$OPS_MESSAGE"'"
}'