-
Notifications
You must be signed in to change notification settings - Fork 5
152 lines (130 loc) · 5.17 KB
/
serverless-vuln-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: "Serverless Vulnerability Scan"
on:
schedule:
# daily at midnight
- cron: "0 0 * * *"
workflow_dispatch:
env:
VERSION: 1 # env var required when building extension
jobs:
check:
runs-on: ubuntu-latest
steps:
- name: Fail fast
run: false
- name: Checkout datadog-agent repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-agent
path: go/src/github.com/DataDog/datadog-agent
- name: Checkout datadog-lambda-extension repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-lambda-extension
path: go/src/github.com/DataDog/datadog-lambda-extension
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Build extension
run: |
cd go/src/github.com/DataDog/datadog-lambda-extension
./scripts/build_binary_and_layer_dockerized.sh
- name: Scan amd64 image with trivy
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan arm64 image with trivy
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan latest released image with trivy
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan latest-alpoine released image with trivy
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
ignore-unfixed: true
exit-code: 1
format: table
- name: Scan amd64 image with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan arm64 image with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan latest release image with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
image: "public.ecr.aws/datadog/lambda-extension:latest"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan latest-alpine release image with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
- name: Scan binary files with grype
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
with:
path: go/src/github.com/DataDog/datadog-lambda-extension/.layers
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table
retry:
needs: check
runs-on: ubuntu-latest
if: failure()
steps:
- name: Rerun failed jobs in the current workflow
env:
GH_TOKEN: ${{ github.token }}
run: |
job_id=$(gh run view ${{ github.run_id }} --repo DataDog/datadog-lambda-extension --json jobs --jq '.jobs[0] | .databaseId')
echo $job_id
gh run rerun ${{ github.run_id }} --failed --repo DataDog/datadog-lambda-extension --job $job_id
#notify:
# needs:
# - check
# - retry
# if: failure()
# runs-on: ubuntu-latest
# steps:
# - name: Notify
# env:
# SLACK_CHANNEL: "#serverless-agent"
# SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
# run: |
# set -x
# OPS_MESSAGE=":gh-check-failed: Serverless Vulnerability Scan failed! :radar-scan:
# Whoever is on support, please fix the vulnerability, before a customer alerts us to it.
# See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for the full info on the found vulnerability. :bufo-thanks:"
# curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" -d '{
# "channel": "'"$SLACK_CHANNEL"'",
# "text": "'"$OPS_MESSAGE"'"
# }'