update vulnberability scans for rust binaries

Author: duncanista

.github/workflows/vulnerability-scan.yml

@@ -7,7 +7,6 @@ on:
   workflow_dispatch:
 
 env:
-  VERSION: dev  # env var required when building extension
   # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit
   TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
   TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
@@ -53,23 +52,29 @@ jobs:
           severity-cutoff: low
           output-format: table
 
-  build-and-binary-scans:
+  build-and-scan-images:
     runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        include:
+          - arch: amd64
+            alpine: 0
+            suffix: amd64
+          - arch: amd64
+            alpine: 1
+            suffix: amd64-alpine
+          - arch: arm64
+            alpine: 0
+            suffix: arm64
+          - arch: arm64
+            alpine: 1
+            suffix: arm64-alpine
+      fail-fast: false
     steps:
-      - name: Checkout datadog-agent repository
+      - name: Checkout repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
-        with:
-          repository: DataDog/datadog-agent
-          path: go/src/github.com/DataDog/datadog-agent
-
-      - name: Checkout datadog-lambda-extension repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
-        with:
-          repository: DataDog/datadog-lambda-extension
-          path: go/src/github.com/DataDog/datadog-lambda-extension
 
       - name: Set up QEMU
-        id: qemu
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
         with:
           image: tonistiigi/binfmt:qemu-v9.2.2-52 #v3.6.0 latest
@@ -78,56 +83,76 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
-      - name: Build extension
+      - name: Compile binary (${{ matrix.suffix }})
+        run: |
+          ARCHITECTURE=${{ matrix.arch }} ALPINE=${{ matrix.alpine }} FIPS=0 DEBUG=0 FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/compile_bottlecap.sh
+        env:
+          DOCKER_BUILDKIT: 1
+
+      - name: Build layer (${{ matrix.suffix }})
         run: |
-          cd go/src/github.com/DataDog/datadog-lambda-extension
-          ./scripts/build_binary_and_layer_dockerized.sh
+          ARCHITECTURE=${{ matrix.arch }} FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/build_layer.sh
+        env:
+          DOCKER_BUILDKIT: 1
 
-      - name: Scan amd64 image with trivy
+      - name: Scan layer image with trivy
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
         with:
-          image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
+          image-ref: "datadog/build-extension-${{ matrix.suffix }}"
           ignore-unfixed: true
           exit-code: 1
           format: table
 
-      - name: Scan arm64 image with trivy
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+      - name: Scan layer image with grype
+        uses: anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0
         with:
-          image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
-          ignore-unfixed: true
-          exit-code: 1
-          format: table
+          image: "datadog/build-extension-${{ matrix.suffix }}"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
 
-      - name: Scan amd64 image with grype
+      - name: Scan binary file with grype
         uses: anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0
         with:
-          image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}"
+          path: .binaries/bottlecap-${{ matrix.suffix }}
           only-fixed: true
           fail-build: true
           severity-cutoff: low
           output-format: table
 
-      - name: Scan arm64 image with grype
+      - name: Scan layer files with grype
         uses: anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0
         with:
-          image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}"
+          path: .layers/datadog_extension-${{ matrix.suffix }}
           only-fixed: true
           fail-build: true
           severity-cutoff: low
           output-format: table
 
-      - name: Scan binary files with grype
+      # Scan the compile image only once (it's the same for all variants)
+      # Only run for the first matrix job to avoid redundant scans
+      - name: Scan compile image with trivy
+        if: matrix.suffix == 'amd64'
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        with:
+          image-ref: "datadog/compile-bottlecap"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+      - name: Scan compile image with grype
+        if: matrix.suffix == 'amd64'
         uses: anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0
         with:
-          path: go/src/github.com/DataDog/datadog-lambda-extension/.layers
+          image: "datadog/compile-bottlecap"
           only-fixed: true
           fail-build: true
           severity-cutoff: low
           output-format: table
 
   retry:
-    needs: [trivy-scans, grype-scans, build-and-binary-scans]
+    needs: [trivy-scans, grype-scans, build-and-scan-images]
     if: failure() && fromJSON(github.run_attempt) < 2
     runs-on: ubuntu-22.04
     permissions:
@@ -140,7 +165,7 @@ jobs:
         run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
 
   notify:
-    needs: [trivy-scans, grype-scans, build-and-binary-scans]
+    needs: [trivy-scans, grype-scans, build-and-scan-images]
     if: failure() && fromJSON(github.run_attempt) >= 2
     runs-on: ubuntu-22.04
     steps: