fix(github): update vulnerability scans (#941)

duncanista · web-flow · commit fdcb0ee75032 · 2025-12-08T09:43:55.000-05:00
## Overview

Updates vulnerability scans to check on Rust binaries and dependencies

## Testing 

GH actions
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -7,13 +7,13 @@ on:
   workflow_dispatch:
 
 env:
-  VERSION: dev  # env var required when building extension
   # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
   TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
   TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
 jobs:
   trivy-scans:
+    name: Trivy Scans (latest)
     runs-on: ubuntu-22.04
     steps:
       - name: Scan latest released image with trivy
@@ -33,6 +33,7 @@ jobs:
           format: table
 
   grype-scans:
+    name: Grype Scans (latest)
     runs-on: ubuntu-22.04
     steps:
       - name: Scan latest release image with grype
@@ -53,81 +54,21 @@ jobs:
           severity-cutoff: low
           output-format: table
 
-  build-and-binary-scans:
+  rust-dependency-scan:
+    name: Rust Dependencies Scan
     runs-on: ubuntu-22.04
     steps:
-      - name: Checkout datadog-agent repository
-        uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1
-        with:
-          repository: DataDog/datadog-agent
-          path: go/src/github.com/DataDog/datadog-agent
-
-      - name: Checkout datadog-lambda-extension repository
-        uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1
-        with:
-          repository: DataDog/datadog-lambda-extension
-          path: go/src/github.com/DataDog/datadog-lambda-extension
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
-        with:
-          image: tonistiigi/binfmt:qemu-v9.2.2-52 #v3.6.0 latest
-          platforms: amd64,arm64
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
-
-      - name: Build extension
-        run: |
-          cd go/src/github.com/DataDog/datadog-lambda-extension
-          ./scripts/build_binary_and_layer_dockerized.sh
-
-      - name: Scan amd64 image with trivy
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
-        with:
-          image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
-          ignore-unfixed: true
-          exit-code: 1
-          format: table
+      - name: Checkout repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
-      - name: Scan arm64 image with trivy
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+      - name: Scan Rust dependencies with cargo-audit
+        uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
         with:
-          image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
-          ignore-unfixed: true
-          exit-code: 1
-          format: table
-
-      - name: Scan amd64 image with grype
-        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
-        with:
-          image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
-
-      - name: Scan arm64 image with grype
-        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
-        with:
-          image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
-
-      - name: Scan binary files with grype
-        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
-        with:
-          path: go/src/github.com/DataDog/datadog-lambda-extension/.layers
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
+          token: ${{ secrets.GITHUB_TOKEN }}
+          working-directory: bottlecap
 
   retry:
-    needs: [trivy-scans, grype-scans, build-and-binary-scans]
+    needs: [trivy-scans, grype-scans, rust-dependency-scan]
     if: failure() && fromJSON(github.run_attempt) < 2
     runs-on: ubuntu-22.04
     permissions:
@@ -140,7 +81,7 @@ jobs:
         run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
 
   notify:
-    needs: [trivy-scans, grype-scans, build-and-binary-scans]
+    needs: [trivy-scans, grype-scans, rust-dependency-scan]
     if: failure() && fromJSON(github.run_attempt) >= 2
     runs-on: ubuntu-22.04
     steps:
