diff --git a/.github/workflows/serverless-vuln-scan.yml b/.github/workflows/serverless-vuln-scan.yml index 41ae3adc..6f0d4a17 100644 --- a/.github/workflows/serverless-vuln-scan.yml +++ b/.github/workflows/serverless-vuln-scan.yml 
@@ -16,89 +16,128 @@ jobs: check: runs-on: ubuntu-latest steps: - - name: Checkout datadog-agent repository - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - with: - repository: DataDog/datadog-agent - path: go/src/github.com/DataDog/datadog-agent - - name: Checkout datadog-lambda-extension repository - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - with: - repository: DataDog/datadog-lambda-extension - path: go/src/github.com/DataDog/datadog-lambda-extension - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + # scan latest released images - - name: Build extension - run: | - cd go/src/github.com/DataDog/datadog-lambda-extension - ./scripts/build_binary_and_layer_dockerized.sh - - - name: Scan amd64 image with trivy + - name: Scan latest released image with trivy uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 with: - image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" + image-ref: "public.ecr.aws/datadog/lambda-extension:latest" ignore-unfixed: true exit-code: 1 format: table - - name: Scan arm64 image with trivy + - name: Scan latest-alpoine released image with trivy uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 with: - image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" + image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine" ignore-unfixed: true exit-code: 1 format: table - - name: Scan latest released image with trivy + - name: Scan latest serverless-init image with trivy uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 with: - image-ref: "public.ecr.aws/datadog/lambda-extension:latest" + image-ref: "datadog/serverless-init:latest" ignore-unfixed: true exit-code: 1 format: table - - name: Scan latest-alpoine released image with trivy + - name: Scan latest-alpine serverless-init image with 
trivy uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 with: - image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine" + image-ref: "datadog/serverless-init:latest-alpine" ignore-unfixed: true exit-code: 1 format: table - - name: Scan amd64 image with grype + - name: Scan latest release image with grype uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0 with: - image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" + image: "public.ecr.aws/datadog/lambda-extension:latest" only-fixed: true fail-build: true severity-cutoff: low output-format: table - - name: Scan arm64 image with grype + - name: Scan latest-alpine release image with grype uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0 with: - image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" + image: "public.ecr.aws/datadog/lambda-extension:latest-alpine" only-fixed: true fail-build: true severity-cutoff: low output-format: table - - name: Scan latest release image with grype + - name: Scan latest serverless-init image with grype uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0 with: - image: "public.ecr.aws/datadog/lambda-extension:latest" + image: "datadog/serverless-init:latest" only-fixed: true fail-build: true severity-cutoff: low output-format: table - - name: Scan latest-alpine release image with grype + - name: Scan latest-alpine serverless-init image with grype uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0 with: - image: "public.ecr.aws/datadog/lambda-extension:latest-alpine" + image: "datadog/serverless-init:latest-alpine" + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: table + + # scan unreleased from main + + - name: Checkout datadog-agent repository + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + with: + repository: DataDog/datadog-agent + path: 
go/src/github.com/DataDog/datadog-agent + + - name: Checkout datadog-lambda-extension repository + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + with: + repository: DataDog/datadog-lambda-extension + path: go/src/github.com/DataDog/datadog-lambda-extension + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + + - name: Build extension + run: | + cd go/src/github.com/DataDog/datadog-lambda-extension + ./scripts/build_binary_and_layer_dockerized.sh + + - name: Scan amd64 image with trivy + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 + with: + image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" + ignore-unfixed: true + exit-code: 1 + format: table + + - name: Scan arm64 image with trivy + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 + with: + image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" + ignore-unfixed: true + exit-code: 1 + format: table + + - name: Scan amd64 image with grype + uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0 + with: + image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: table + + - name: Scan arm64 image with grype + uses: anchore/scan-action@ef0b0b023552a0c077534074723a9915280284bb # v5.1.0 + with: + image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" only-fixed: true fail-build: true severity-cutoff: low
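Review bot: Because every scan step sets `exit-code: 1` or `fail-build: true` and the eight released-image scans now run first in the single `check` job, any finding in a released tag stops the job before the "scan unreleased from main" section ever checks out, builds, or scans the main-branch image, so a regression introduced on main would go unreported until the released images are clean. Splitting the two sections into separate jobs (sketched below) keeps the fail-on-finding behaviour while letting both sets of results surface independently; `continue-on-error: true` on the released scans would be the smaller change but would turn those findings into a green job. The `${{ env.VERSION }}` consumed by the four main-branch scans is defined outside this hunk, presumably in a workflow-level `env:` block, so confirm it still resolves once the build steps move after the released scans. The step name `Scan latest-alpoine released image with trivy` carries the same typo the commit fixes in the serverless-init step; rename it to `Scan latest-alpine released image with trivy`.
```yaml
jobs:
  scan-released:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: lambda-extension and serverless-init trivy/grype steps …
  scan-main:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout, buildx, build, amd64/arm64 trivy/grype steps …
```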