.github/workflows/serverless-vuln-scan.yml

name: "Serverless Vulnerability Scan"

on:
  schedule:
    # daily at midnight
    - cron: "0 0 * * *"

env:
  VERSION: 1  # env var required when building extension

jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout datadog-agent repository
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          repository: DataDog/datadog-agent
          path: go/src/github.com/DataDog/datadog-agent

      - name: Checkout datadog-lambda-extension repository
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          repository: DataDog/datadog-lambda-extension
          path: go/src/github.com/DataDog/datadog-lambda-extension

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

      - name: Build extension
        run: |
          cd go/src/github.com/DataDog/datadog-lambda-extension
          ./scripts/build_binary_and_layer_dockerized.sh

      - name: Scan amd64 image with trivy
        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
        with:
          image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
          ignore-unfixed: true
          exit-code: 1
          format: table

      - name: Scan arm64 image with trivy
        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
        with:
          image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
          ignore-unfixed: true
          exit-code: 1
          format: table

      - name: Scan latest released image with trivy
        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
        with:
          image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
          ignore-unfixed: true
          exit-code: 1
          format: table

      - name: Scan latest-alpoine released image with trivy
        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
        with:
          image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
          ignore-unfixed: true
          exit-code: 1
          format: table

      - name: Scan amd64 image with grype
        uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
        with:
          image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
          only-fixed: true
          fail-build: true
          severity-cutoff: low
          output-format: table

      - name: Scan arm64 image with grype
        uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
        with:
          image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
          only-fixed: true
          fail-build: true
          severity-cutoff: low
          output-format: table

      - name: Scan latest release image with grype
        uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
        with:
          image: "public.ecr.aws/datadog/lambda-extension:latest"
          only-fixed: true
          fail-build: true
          severity-cutoff: low
          output-format: table

      - name: Scan latest-alpine release image with grype
        uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
        with:
          image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
          only-fixed: true
          fail-build: true
          severity-cutoff: low
          output-format: table

      - name: Scan binary files with grype
        uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
        with:
          path: go/src/github.com/DataDog/datadog-lambda-extension/.layers
          only-fixed: true
          fail-build: true
          severity-cutoff: low
          output-format: table