Add image scanning (#136)

In this PR we are adding image scanning workflows. We are adding a daily
scanner that we will monitor and alarm on, as well as a scanner that can
be run per-PR/build/release. Further, we are adding post-release steps
to update the daily scanner to look at the latest released image.

Tested `sed` command used in `post_release_version_bump.yml` here:
https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/8530266063/job/23367719655?pr=137

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

Author: thpierce

.github/actions/artifacts_build/action.yml

@@ -1,6 +1,7 @@
 name: Build and Push aws-opentelemetry-distro
 description: |
-  This action assumes that the repo was checked out. Builds and pushes/loads wheel and image files.
+  This action assumes that the repo was checked out. Builds and pushes/loads wheel and image files. Also performs scan
+  of the resultant image.
 
 inputs:
   aws-region:
@@ -90,4 +91,10 @@ runs:
         file: ./Dockerfile
         platforms: linux/amd64
         tags: ${{ inputs.image_uri_with_tag }}
-        load: ${{ inputs.load_image }}
+        load: ${{ inputs.load_image }}
+
+    - name: Perform image scan
+      uses: ./.github/actions/image_scan
+      with:
+        image-ref: ${{ inputs.image_uri_with_tag }}
+        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'

.github/actions/image_scan/action.yml

@@ -0,0 +1,33 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+name: image-scan
+description: |
+  This action performs a scan of a provided (local or public ECR remote) image, using Trivy.
+
+inputs:
+  image-ref:
+    required: true
+    description: "Reference for the image to be scanned"
+  severity:
+    required: true
+    description: "List of severities that will cause a failure"
+
+runs:
+  using: "composite"
+  steps:
+
+  # Per https://docs.aws.amazon.com/AmazonECR/latest/public/docker-pull-ecr-image.html, it is possible to
+  # make unauthorized calls to get public ECR images (needed to build the ADOT Python docker image), but
+  # it can fail if you previously authenticated to a public repo. Adding this step to log out, so we
+  # ensure we can make unauthenticated call. This is important for making the pr_build workflow run on
+  # PRs created from forked repos.
+  - name: Logout of public AWS ECR
+    shell: bash
+    run: docker logout public.ecr.aws
+
+  - name: Run Trivy vulnerability scanner on image
+    uses: aquasecurity/trivy-action@master
+    with:
+      image-ref: ${{ inputs.image-ref }}
+      severity: ${{ inputs.severity }}
+      exit-code: '1'

.github/workflows/post_release_version_bump.yml

@@ -40,7 +40,10 @@ jobs:
         run: |
           DEV_VERSION="${{ github.event.inputs.version }}.dev0"
           sed -i 's/__version__ = ".*"/__version__ = "'$DEV_VERSION'"/' aws-opentelemetry-distro/src/amazon/opentelemetry/distro/version.py
+          VERSION="${{ github.event.inputs.version }}"
+          sed -i 's/python:v.*"/python:v'$VERSION'"/' .github/workflows/released_image_scan.yml
           git add aws-opentelemetry-distro/src/amazon/opentelemetry/distro/version.py
+          git add .github/workflows/released_image_scan.yml
           git commit -m "Prepare main for next development cycle: Update version to $DEV_VERSION"
           git push --set-upstream origin "prepare-main-for-next-dev-cycle-${VERSION}"
 
@@ -50,7 +53,7 @@ jobs:
         run: |
           DEV_VERSION="${{ github.event.inputs.version }}.dev0"
           gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
-                       --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION.
+                       --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
           
           This PR should only be merge when release for version v$VERSION is success.
           

.github/workflows/pr_build.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Build Wheel and Image Files
         uses: ./.github/actions/artifacts_build
         with:
-          image_uri_with_tag: pr_build
+          image_uri_with_tag: pr_build/${{ matrix.python-version }}
           push_image: false
           load_image: true
           python_version: ${{ matrix.python-version }}

.github/workflows/release_build.yml

@@ -26,18 +26,10 @@ jobs:
       - name: Checkout Contrib Repo @ SHA - ${{ github.sha }}
         uses: actions/checkout@v4
 
-      # NOTE: do not set push_image to true for this step.
-      # Some of the required params below are set to dummy values
-      # as they are only used in the artifacts_build action when push_image is true,
-      # and setting them to some legit value might cause confusion
-      # to readers.
       - name: Build Wheel and Image Files
         uses: ./.github/actions/artifacts_build
         with:
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
           image_uri_with_tag: "adot-autoinstrumentation-python:test"
-          image_registry: "dummy-registry"
-          snapshot-ecr-role: "dummy-role"
           push_image: false
           load_image: false
           python_version: "3.10"

.github/workflows/released_image_scan.yml

@@ -0,0 +1,72 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+name: Released image scan
+description: |
+  Performs a daily scan of the latest released ADOT Python image. Publishes results to CloudWatch Metrics.
+
+on:
+  schedule:
+    - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
+  workflow_dispatch: # be able to run the workflow on demand
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  scan_and_report:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Perform high scan
+        id: high_scan
+        uses: ./.github/actions/image_scan
+        with:
+          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.0.1"
+          severity: 'CRITICAL,HIGH'
+
+      - name: Perform low scan
+        if: always()
+        id: low_scan
+        uses: ./.github/actions/image_scan
+        with:
+          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.0.1"
+          severity: 'MEDIUM,LOW,UNKNOWN'
+
+      - name: Configure AWS Credentials
+        if: always()
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.E2E_SECRET_TEST_ROLE_ARN }}
+          aws-region: us-east-1
+
+      - name: Publish high scan status success
+        if: steps.high_scan.outcome == "success'
+        run: |
+          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=released_image_scan_high \
+            --value 1.0
+
+      - name: Publish high scan status failure
+        if: steps.high_scan.outcome != 'success'
+        run: |
+          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=released_image_scan_high \
+            --value 0.0
+
+      - name: Publish low scan status success
+        if: steps.low_scan.outcome == "success'
+        run: |
+          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=released_image_scan_low \
+            --value 1.0
+
+      - name: Publish low scan status failure
+        if: steps.low_scan.outcome != 'success'
+        run: |
+          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=released_image_scan_low \
+            --value 0.0