add daily scan (#263)

ezhang6811 · yiyuan-he · web-flow · commit 1fa410fd5fc4 · 2026-02-20T12:20:16.000-08:00
* migrate from aws sdk go v1 to v2 * remove unit tests that are not compatible with aws sdk go v2 * fix: address formatting, logging, and documentation review comments * change telemetry to use [].types.TelemetryRecord instead of []*types.TelemetryRecord * refactor: change batch processor to use [] string instead of []*string * refactor create constants for AWS partition identifiers * feat: add ISO region support with constants for partitions and domains * docs: add comment explaining manual payload hash calculation for SDK v2 * docs: clarify empty endpoint behavior in AWS config * refactor: simplify STS assume role implementation to align with OTel * add SDK v2 compatible tests for conn package * add credentials cache for thread-safe credential management * fix indentation in telemetry.go * remove unused getPartition() function * fix IMDS errors in on-premise environments for aws sdk go v2 migration * add codeql and daily scan workflows * remove codeql and fix daily scan role * fix dependency scan * have all steps run and use trivy action * fix image scans * fix metric publishing step * update to run once a day * remove unnecessary step * remove test trigger * update metric publishing * align format with adot daily scans * update cadence * test * Revert "test" This reverts commit 738732f. --------- Co-authored-by: Michael He <yiyuanh@iusevimbtw.com> Co-authored-by: Michael He <53622546+yiyuan-he@users.noreply.github.com>
diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml
@@ -0,0 +1,120 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+# Performs a daily scan of:
+# * The latest released X-Ray daemon image, using Trivy
+# * Project dependencies, using DependencyCheck
+#
+#  Publishes results to CloudWatch Metrics.
+name: Daily scan
+
+on:
+  schedule: # scheduled to run every 6 hours
+    - cron: '45 */6 * * *' #  "At minute 45 past every 6th hour."
+  workflow_dispatch: # be able to run the workflow on demand
+
+env:
+  AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  scan_and_report:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo for dependency scan
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go for dependency scan
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: go.mod
+
+      - name: Configure AWS credentials for dependency scan
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
+        with:
+          role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Get NVD API key for dependency scan
+        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
+        id: nvd_api_key
+        with:
+          secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
+          parse-json-secrets: true
+
+      - name: Cache Go modules
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Build binary
+        run: make build
+        env:
+          VERSION: 0.${{ github.sha }}
+
+      # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
+      - name: Install and run dependency scan
+        id: dep_scan
+        if: always()
+        run: |
+          gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
+          VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1)
+          curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
+          curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
+          gpg --verify dependency-check.zip.asc
+          unzip dependency-check.zip
+          ./dependency-check/bin/dependency-check.sh --enableExperimental --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s "."
+
+      - name: Print dependency scan results on failure
+        if: ${{ steps.dep_scan.outcome != 'success' }}
+        run: less dependency-check-report.html
+
+      - name: Perform high image scan on latest
+        if: always()
+        id: high_scan_latest
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1
+        with:
+          image-ref: 'public.ecr.aws/xray/aws-xray-daemon:latest'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Perform low image scan on latest
+        if: always()
+        id: low_scan_latest
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1
+        with:
+          image-ref: 'public.ecr.aws/xray/aws-xray-daemon:latest'
+          severity: 'MEDIUM,LOW,UNKNOWN'
+          exit-code: '1'
+
+      - name: Configure AWS Credentials for emitting metrics
+        if: always()
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
+        with:
+          role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Publish high scan status on latest
+        if: always()
+        run: |
+          value="${{ steps.high_scan_latest.outcome == 'success' && '1.0' || '0.0' }}"
+          aws cloudwatch put-metric-data --namespace 'MonitorDaemon' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
+            --value $value
+
+      - name: Publish low scan status on latest
+        if: always()
+        run: |
+          value="${{ steps.low_scan_latest.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0' }}"
+          aws cloudwatch put-metric-data --namespace 'MonitorDaemon' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
+            --value $value
