

Add testing of serverless-init latest to vuln scanner. (#425)
* Add testing of serverless-init latest.

* Scan latest first because it's faster.

* Quote image names.

* Scan serverless-init with grype.
purple4reina authored Oct 24, 2024
1 parent 527db82 commit 79ac1cc
Showing 1 changed file with 73 additions and 34 deletions.
107 changes: 73 additions & 34 deletions .github/workflows/serverless-vuln-scan.yml
Expand Up @@ -16,89 +16,128 @@ jobs:
check:
runs-on: ubuntu-latest
steps:
- name: Checkout datadog-agent repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-agent
path: go/src/github.com/DataDog/datadog-agent

- name: Checkout datadog-lambda-extension repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-lambda-extension
path: go/src/github.com/DataDog/datadog-lambda-extension

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
# scan latest released images

- name: Build extension
run: |
cd go/src/github.com/DataDog/datadog-lambda-extension
./scripts/build_binary_and_layer_dockerized.sh
- name: Scan amd64 image with trivy
- name: Scan latest released image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
ignore-unfixed: true
exit-code: 1
format: table

- name: Scan arm64 image with trivy
- name: Scan latest-alpoine released image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
ignore-unfixed: true
exit-code: 1
format: table

- name: Scan latest released image with trivy
- name: Scan latest serverless-init image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
image-ref: "datadog/serverless-init:latest"
ignore-unfixed: true
exit-code: 1
format: table

- name: Scan latest-alpoine released image with trivy
- name: Scan latest-alpine serverless-init image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
image-ref: "datadog/serverless-init:latest-alpine"
ignore-unfixed: true
exit-code: 1
format: table

- name: Scan amd64 image with grype
- name: Scan latest release image with grype
uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0
with:
image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
image: "public.ecr.aws/datadog/lambda-extension:latest"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table

- name: Scan arm64 image with grype
- name: Scan latest-alpine release image with grype
uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0
with:
image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table

- name: Scan latest release image with grype
- name: Scan latest serverless-init image with grype
uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0
with:
image: "public.ecr.aws/datadog/lambda-extension:latest"
image: "datadog/serverless-init:latest"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table

- name: Scan latest-alpine release image with grype
- name: Scan latest-alpine serverless-init image with grype
uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0
with:
image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
image: "datadog/serverless-init:latest-alpine"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table

# scan unreleased from main

- name: Checkout datadog-agent repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-agent
path: go/src/github.com/DataDog/datadog-agent

- name: Checkout datadog-lambda-extension repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: DataDog/datadog-lambda-extension
path: go/src/github.com/DataDog/datadog-lambda-extension

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

- name: Build extension
run: |
cd go/src/github.com/DataDog/datadog-lambda-extension
./scripts/build_binary_and_layer_dockerized.sh
- name: Scan amd64 image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
ignore-unfixed: true
exit-code: 1
format: table

- name: Scan arm64 image with trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
ignore-unfixed: true
exit-code: 1
format: table

- name: Scan amd64 image with grype
uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0
with:
image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
only-fixed: true
fail-build: true
severity-cutoff: low
output-format: table

- name: Scan arm64 image with grype
uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0
with:
image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
only-fixed: true
fail-build: true
severity-cutoff: low
