Skip to content

Daily scan

Daily scan #45

Workflow file for this run

## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
## SPDX-License-Identifier: Apache-2.0
# Performs a daily scan of:
# * The latest released ADOT Python image, using Trivy
# * Project dependencies, using DependencyCheck
#
# Publishes results to CloudWatch Metrics.
name: Daily scan
on:
schedule:
- cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
workflow_dispatch: # be able to run the workflow on demand
env:
AWS_DEFAULT_REGION: us-east-1
permissions:
id-token: write
contents: read
jobs:
scan_and_report:
runs-on: ubuntu-latest
steps:
- name: Checkout repo for dependency scan
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python for dependency scan
uses: actions/setup-python@v4
with:
python-version: "3.10"
- name: Create requirements.txt for dependency scan
run: |
python -m venv env
source env/bin/activate
pip install aws-opentelemetry-distro/
pip freeze > aws-opentelemetry-distro/requirements.txt
less aws-opentelemetry-distro/requirements.txt
- name: Install java for dependency scan
uses: actions/setup-java@v4
with:
java-version: 17
distribution: 'temurin'
- name: Configure AWS credentials for dependency scan
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
- name: Get NVD API key for dependency scan
uses: aws-actions/aws-secretsmanager-get-secrets@v1
id: nvd_api_key
with:
secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
parse-json-secrets: true
# See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
- name: Install and run dependency scan
id: dep_scan
if: always()
run: |
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt)
curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
gpg --verify dependency-check.zip.asc
unzip dependency-check.zip
./dependency-check/bin/dependency-check.sh --enableExperimental --suppression .github/dependency-check-suppressions.xml --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s aws-opentelemetry-distro/
- name: Print dependency scan results on failure
if: ${{ steps.dep_scan.outcome != 'success' }}
run: less dependency-check-report.html
- name: Perform high image scan
if: always()
id: high_scan
uses: ./.github/actions/image_scan
with:
image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.1.0"
severity: 'CRITICAL,HIGH'
- name: Perform low image scan
if: always()
id: low_scan
uses: ./.github/actions/image_scan
with:
image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.1.0"
severity: 'MEDIUM,LOW,UNKNOWN'
- name: Configure AWS Credentials for emitting metrics
if: always()
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
- name: Publish high scan status
if: always()
run: |
value="${{ steps.high_scan.outcome == 'success' && '1.0' || '0.0' }}"
aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
--metric-name Success \
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
--value $value
# DependencyCheck for Python is experimental and prone to false positives. Until it is stable, use only for low monitoring.
- name: Publish low scan status
if: always()
run: |
value="${{ steps.low_scan.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0'}}"
aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
--metric-name Success \
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
--value $value