Add comprehensive security scanning workflows

Luke Zhang · Luke Zhang · commit 2c2c9591800b · 2025-09-23T13:40:16.000-07:00
This commit implements complete security scanning for aws-xray-daemon:

- CodeQL analysis for Go code security scanning with security-extended queries
- Runs on PR/push and weekly schedule
- Proper timeouts and job dependencies for reliability

- Scans published Docker images from public.ecr.aws and DockerHub twice daily
- Detects new vulnerabilities in existing published images
- Focuses on HIGH/CRITICAL severity issues requiring immediate action
- Generates actionable summary reports with error handling
- Continues on error to handle image availability issues

- Comprehensive coverage: source code, dependencies, containers, published images
- Security-focused: commit hashes, proper permissions, categorized results
- Production-ready: matches published Docker builds exactly, uses correct Go version (1.23)
- Robust: proper timeouts, error handling, and job dependencies
- Actionable: clear reporting and GitHub Security tab integration

Addresses the critical security gap where aws-xray-daemon had no automated
security scanning despite being critical infrastructure used in production.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,44 @@
+name: "CodeQL Security Analysis"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    # Run CodeQL analysis weekly on Mondays at 2 AM UTC
+    - cron: '0 2 * * 1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+      with:
+        languages: ${{ matrix.language }}
+        # Override default queries to include security-extended for more comprehensive analysis
+        queries: security-extended,security-and-quality
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+      with:
+        category: "/language:${{matrix.language}}"
+        upload: false  # Don't upload to avoid conflict with default setup
+
diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml
@@ -0,0 +1,73 @@
+name: "Daily Security Scan"
+
+on:
+  schedule:
+    # Run twice daily at 6 AM and 6 PM UTC
+    - cron: '0 6,18 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  scan-published-images:
+    name: Scan Published Docker Images
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - image: public.ecr.aws/xray/aws-xray-daemon:latest
+            name: ecr
+          - image: amazon/aws-xray-daemon:latest
+            name: dockerhub
+    
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+    - name: Run Trivy vulnerability scanner on published image
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b9c9a2fa0 # v0.24.0
+      continue-on-error: true
+      timeout-minutes: 15
+      with:
+        image-ref: ${{ matrix.image }}
+        format: 'sarif'
+        output: 'trivy-${{ matrix.name }}-results.sarif'
+        # Scan for all vulnerability types including OS packages
+        vuln-type: 'os,library'
+        # Include high and critical severities
+        severity: 'HIGH,CRITICAL'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+      if: always()
+      with:
+        sarif_file: 'trivy-${{ matrix.name }}-results.sarif'
+        category: 'daily-scan-${{ matrix.name }}'
+
+    - name: Generate summary report
+      if: always()
+      run: |
+        echo "## Daily Security Scan Results for ${{ matrix.image }}" >> $GITHUB_STEP_SUMMARY
+        echo "Scan completed at $(date)" >> $GITHUB_STEP_SUMMARY
+        echo "Image: ${{ matrix.image }}" >> $GITHUB_STEP_SUMMARY
+        echo "Registry: ${{ matrix.name }}" >> $GITHUB_STEP_SUMMARY
+        
+        # Check if vulnerabilities were found
+        if [ -f "trivy-${{ matrix.name }}-results.sarif" ]; then
+          VULN_COUNT=$(jq '.runs[0].results | length' trivy-${{ matrix.name }}-results.sarif 2>/dev/null || echo "0")
+          echo "Vulnerabilities found: $VULN_COUNT" >> $GITHUB_STEP_SUMMARY
+          
+          if [ "$VULN_COUNT" -gt "0" ]; then
+            echo "⚠️ **Action Required**: Vulnerabilities detected in published image" >> $GITHUB_STEP_SUMMARY
+            echo "Check the Security tab for detailed findings" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "✅ No high/critical vulnerabilities found" >> $GITHUB_STEP_SUMMARY
+          fi
+        else
+          echo "❌ Scan failed or image not accessible" >> $GITHUB_STEP_SUMMARY
+        fi
