remove redundancy in scanning

duncanista · duncanista · commit 555053be583a · 2025-12-08T08:55:09.000-05:00
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -68,93 +68,27 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           working-directory: bottlecap
 
-  build-and-scan-images:
-    name: Build and Scan Images (${{ matrix.name }})
+  # Scan the compile image for vulnerabilities in build dependencies.
+  # The final extension images are FROM scratch (just binaries), so scanning
+  # them is redundant - Rust deps are covered by cargo-audit above, and
+  # released images are scanned separately.
+  compile-image-scan:
+    name: Compiled Image Scan
     runs-on: ubuntu-22.04
-    strategy:
-      matrix:
-        include:
-          - name: amd64
-            arch: amd64
-            alpine: 0
-            suffix: amd64
-          - name: amd64-alpine
-            arch: amd64
-            alpine: 1
-            suffix: amd64-alpine
-          - name: arm64
-            arch: arm64
-            alpine: 0
-            suffix: arm64
-          - name: arm64-alpine
-            arch: arm64
-            alpine: 1
-            suffix: arm64-alpine
-      fail-fast: false
     steps:
       - name: Checkout repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
-        with:
-          image: tonistiigi/binfmt:qemu-v9.2.2-52 #v3.6.0 latest
-          platforms: amd64,arm64
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
-      - name: Compile binary (${{ matrix.suffix }})
+      - name: Build compile image
         run: |
-          ARCHITECTURE=${{ matrix.arch }} ALPINE=${{ matrix.alpine }} FIPS=0 DEBUG=0 FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/compile_bottlecap.sh
+          ARCHITECTURE=amd64 ALPINE=0 FIPS=0 DEBUG=0 FILE_SUFFIX=amd64 ./.gitlab/scripts/compile_bottlecap.sh
         env:
           DOCKER_BUILDKIT: 1
 
-      - name: Build layer (${{ matrix.suffix }})
-        run: |
-          COMPRESSER_IMAGE=ubuntu:22.04 ARCHITECTURE=${{ matrix.arch }} FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/build_layer.sh
-        env:
-          DOCKER_BUILDKIT: 1
-
-      - name: Scan layer image with trivy
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
-        with:
-          image-ref: "datadog/build-extension-${{ matrix.suffix }}"
-          ignore-unfixed: true
-          exit-code: 1
-          format: table
-
-      - name: Scan layer image with grype
-        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
-        with:
-          image: "datadog/build-extension-${{ matrix.suffix }}"
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
-
-      - name: Scan binary file with grype
-        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
-        with:
-          path: .binaries/bottlecap-${{ matrix.suffix }}
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
-
-      - name: Scan layer files with grype
-        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
-        with:
-          path: .layers/datadog_extension-${{ matrix.suffix }}
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
-
-      # Scan the compile image only once (it's the same for all variants)
-      # Only run for the first matrix job to avoid redundant scans
       - name: Scan compile image with trivy
-        if: matrix.suffix == 'amd64'
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
         with:
           image-ref: "datadog/compile-bottlecap"
@@ -163,8 +97,7 @@ jobs:
           format: table
 
       - name: Scan compile image with grype
-        if: matrix.suffix == 'amd64'
-        uses: anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0
+        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
         with:
           image: "datadog/compile-bottlecap"
           only-fixed: true
@@ -173,7 +106,7 @@ jobs:
           output-format: table
 
   retry:
-    needs: [trivy-scans, grype-scans, rust-dependency-scan, build-and-scan-images]
+    needs: [trivy-scans, grype-scans, rust-dependency-scan, compile-image-scan]
     if: failure() && fromJSON(github.run_attempt) < 2
     runs-on: ubuntu-22.04
     permissions:
@@ -186,7 +119,7 @@ jobs:
         run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
 
   notify:
-    needs: [trivy-scans, grype-scans, rust-dependency-scan, build-and-scan-images]
+    needs: [trivy-scans, grype-scans, rust-dependency-scan, compile-image-scan]
     if: failure() && fromJSON(github.run_attempt) >= 2
     runs-on: ubuntu-22.04
     steps:
diff --git a/images/Dockerfile.build_layer b/images/Dockerfile.build_layer
@@ -1,5 +1,4 @@
-ARG COMPRESSER_IMAGE=registry.ddbuild.io/images/mirror/ubuntu:22.04
-FROM $COMPRESSER_IMAGE AS compresser
+FROM registry.ddbuild.io/images/mirror/ubuntu:22.04 AS compresser
 ARG DATADOG_WRAPPER=datadog_wrapper
 ARG FILE_SUFFIX
 
