diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 7263add5c..f53672edd 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -7,13 +7,13 @@ on:
   workflow_dispatch:
 
 env:
-  VERSION: dev # env var required when building extension
   # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
   TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
   TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
 jobs:
   trivy-scans:
+    name: Trivy Scans (latest)
     runs-on: ubuntu-22.04
     steps:
       - name: Scan latest released image with trivy
@@ -33,6 +33,7 @@ jobs:
           format: table
 
   grype-scans:
+    name: Grype Scans (latest)
     runs-on: ubuntu-22.04
     steps:
       - name: Scan latest release image with grype
@@ -53,81 +54,21 @@ jobs:
           severity-cutoff: low
           output-format: table
 
-  build-and-binary-scans:
+  rust-dependency-scan:
+    name: Rust Dependencies Scan
     runs-on: ubuntu-22.04
     steps:
-      - name: Checkout datadog-agent repository
-        uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1
-        with:
-          repository: DataDog/datadog-agent
-          path: go/src/github.com/DataDog/datadog-agent
-
-      - name: Checkout datadog-lambda-extension repository
-        uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1
-        with:
-          repository: DataDog/datadog-lambda-extension
-          path: go/src/github.com/DataDog/datadog-lambda-extension
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
-        with:
-          image: tonistiigi/binfmt:qemu-v9.2.2-52 #v3.6.0 latest
-          platforms: amd64,arm64
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
-
-      - name: Build extension
-        run: |
-          cd go/src/github.com/DataDog/datadog-lambda-extension
-          ./scripts/build_binary_and_layer_dockerized.sh
-
-      - name: Scan amd64 image with trivy
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
-        with:
-          image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
-          ignore-unfixed: true
-          exit-code: 1
-          format: table
+      - name: Checkout repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
-      - name: Scan arm64 image with trivy
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+      - name: Scan Rust dependencies with cargo-audit
+        uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
         with:
-          image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
-          ignore-unfixed: true
-          exit-code: 1
-          format: table
-
-      - name: Scan amd64 image with grype
-        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
-        with:
-          image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
-
-      - name: Scan arm64 image with grype
-        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
-        with:
-          image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
-
-      - name: Scan binary files with grype
-        uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
-        with:
-          path: go/src/github.com/DataDog/datadog-lambda-extension/.layers
-          only-fixed: true
-          fail-build: true
-          severity-cutoff: low
-          output-format: table
+          token: ${{ secrets.GITHUB_TOKEN }}
+          working-directory: bottlecap
 
   retry:
-    needs: [trivy-scans, grype-scans, build-and-binary-scans]
+    needs: [trivy-scans, grype-scans, rust-dependency-scan]
     if: failure() && fromJSON(github.run_attempt) < 2
     runs-on: ubuntu-22.04
     permissions:
@@ -140,7 +81,7 @@ jobs:
         run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
 
   notify:
-    needs: [trivy-scans, grype-scans, build-and-binary-scans]
+    needs: [trivy-scans, grype-scans, rust-dependency-scan]
     if: failure() && fromJSON(github.run_attempt) >= 2
     runs-on: ubuntu-22.04
     steps: