Skip to content

Serverless Vulnerability Scan #195

Serverless Vulnerability Scan

Serverless Vulnerability Scan #195

name: "Serverless Vulnerability Scan"
on:
schedule:
# daily at midnight
- cron: "0 0 * * *"
workflow_dispatch:
env:
VERSION: 1 # env var required when building extension
# adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
jobs:
check:
runs-on: ubuntu-latest
steps:
# scan latest released images
- name: Scan latest released image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan latest-alpine released image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan latest serverless-init image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "datadog/serverless-init:latest"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan latest-alpine serverless-init image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "datadog/serverless-init:latest-alpine"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan latest release image with grype
uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
with:
image: "public.ecr.aws/datadog/lambda-extension:latest"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan latest-alpine release image with grype
uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
with:
image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan latest serverless-init image with grype
uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
with:
image: "datadog/serverless-init:latest"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan latest-alpine serverless-init image with grype
uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
with:
image: "datadog/serverless-init:latest-alpine"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
# scan unreleased from main
- name: Checkout datadog-agent repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-agent
path: go/src/github.com/DataDog/datadog-agent
- name: Checkout datadog-lambda-extension repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-lambda-extension
path: go/src/github.com/DataDog/datadog-lambda-extension
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Build extension
run: |
cd go/src/github.com/DataDog/datadog-lambda-extension
./scripts/build_binary_and_layer_dockerized.sh
- name: Scan amd64 image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan arm64 image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan amd64 image with grype
uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
with:
image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan arm64 image with grype
uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
with:
image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan binary files with grype
uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
with:
path: go/src/github.com/DataDog/datadog-lambda-extension/.layers
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
retry:
needs: check
if: failure() && fromJSON(github.run_attempt) < 2
runs-on: ubuntu-latest
permissions:
actions: write
steps:
- name: Retry failed action
env:
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ github.token }}
run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
notify:
needs: check
if: failure() && fromJSON(github.run_attempt) >= 2
runs-on: ubuntu-latest
steps:
- name: Notify
env:
SLACK_CHANNEL: "#serverless-agent"
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
run: |
set -x
OPS_MESSAGE=":gh-check-failed: Serverless Vulnerability Scan failed! :radar-scan:
Whoever is on support, please fix the vulnerability, before a customer alerts us to it.
See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:"
curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{
"channel": "'"$SLACK_CHANNEL"'",
"text": "'"$OPS_MESSAGE"'"
}'