From ed1370880b40ade0375f9e610f9ffae05a23522c Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Wed, 26 Nov 2025 14:31:09 -0500 Subject: [PATCH 1/5] fix merge issues --- .github/workflows/vulnerability-scan.yml | 93 +++++++++++++++--------- 1 file changed, 59 insertions(+), 34 deletions(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 7263add5c..adfd9a82c 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -7,7 +7,6 @@ on: workflow_dispatch: env: - VERSION: dev # env var required when building extension # adds public.ecr.aws as fallback incase rate limit on ghcr.io is hit TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db 
@@ -53,23 +52,29 @@ jobs: severity-cutoff: low output-format: table - build-and-binary-scans: + build-and-scan-images: runs-on: ubuntu-22.04 + strategy: + matrix: + include: + - arch: amd64 + alpine: 0 + suffix: amd64 + - arch: amd64 + alpine: 1 + suffix: amd64-alpine + - arch: arm64 + alpine: 0 + suffix: arm64 + - arch: arm64 + alpine: 1 + suffix: arm64-alpine + fail-fast: false steps: - - name: Checkout datadog-agent repository - uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1 - with: - repository: DataDog/datadog-agent - path: go/src/github.com/DataDog/datadog-agent - - - name: Checkout datadog-lambda-extension repository - uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1 - with: - repository: DataDog/datadog-lambda-extension - path: go/src/github.com/DataDog/datadog-lambda-extension + - name: Checkout repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Set up QEMU - id: qemu uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: image: tonistiigi/binfmt:qemu-v9.2.2-52 #v3.6.0 latest 
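Review bot: The replacement checkout pin `actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1` carries the same version comment as the removed `actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # v5.0.1`, and two different commits cannot both be v5.0.1 unless the tag was moved upstream, so one of the two annotations is wrong. The comment is what reviewers and pin-update tooling read when judging whether the SHA is the intended release, so verify the SHA against the upstream tag and correct either the SHA or the comment before merging. The `build-and-scan-images` job introduced here continues into the next hunk, where the matrix values are consumed.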
@@ -78,56 +83,76 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - - name: Build extension + - name: Compile binary (${{ matrix.suffix }}) run: | - cd go/src/github.com/DataDog/datadog-lambda-extension - ./scripts/build_binary_and_layer_dockerized.sh + ARCHITECTURE=${{ matrix.arch }} ALPINE=${{ matrix.alpine }} FIPS=0 DEBUG=0 FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/compile_bottlecap.sh + env: + DOCKER_BUILDKIT: 1 - - name: Scan amd64 image with trivy - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 - with: - image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" - ignore-unfixed: true - exit-code: 1 - format: table + - name: Build layer (${{ matrix.suffix }}) + run: | + ARCHITECTURE=${{ matrix.arch }} FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/build_layer.sh + env: + DOCKER_BUILDKIT: 1 - - name: Scan arm64 image with trivy + - name: Scan layer image with trivy uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 with: - image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" + image-ref: "datadog/build-extension-${{ matrix.suffix }}" ignore-unfixed: true exit-code: 1 format: table - - name: Scan amd64 image with grype + - name: Scan layer image with grype uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1 with: - image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" + image: "datadog/build-extension-${{ matrix.suffix }}" only-fixed: true fail-build: true severity-cutoff: low output-format: table - - name: Scan arm64 image with grype + - name: Scan binary file with grype uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1 with: - image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" + path: .binaries/bottlecap-${{ matrix.suffix }} only-fixed: true fail-build: true severity-cutoff: low output-format: table - - name: 
Scan binary files with grype + - name: Scan layer files with grype uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1 with: - path: go/src/github.com/DataDog/datadog-lambda-extension/.layers + path: .layers/datadog_extension-${{ matrix.suffix }} + only-fixed: true + fail-build: true + severity-cutoff: low + output-format: table + + # Scan the compile image only once (it's the same for all variants) + # Only run for the first matrix job to avoid redundant scans + - name: Scan compile image with trivy + if: matrix.suffix == 'amd64' + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 + with: + image-ref: "datadog/compile-bottlecap" + ignore-unfixed: true + exit-code: 1 + format: table + + - name: Scan compile image with grype + if: matrix.suffix == 'amd64' + uses: anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0 + with: + image: "datadog/compile-bottlecap" only-fixed: true fail-build: true severity-cutoff: low output-format: table retry: - needs: [trivy-scans, grype-scans, build-and-binary-scans] + needs: [trivy-scans, grype-scans, build-and-scan-images] if: failure() && fromJSON(github.run_attempt) < 2 runs-on: ubuntu-22.04 permissions: @@ -140,7 +165,7 @@ jobs: run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }} notify: - needs: [trivy-scans, grype-scans, build-and-binary-scans] + needs: [trivy-scans, grype-scans, build-and-scan-images] if: failure() && fromJSON(github.run_attempt) >= 2 runs-on: ubuntu-22.04 steps: From 30fac2428ea4ac51d09d1c033aa11bcf110a96f7 Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Fri, 21 Nov 2025 09:54:09 -0500 Subject: [PATCH 2/5] add rust dependency scan --- .github/workflows/vulnerability-scan.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) 
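Review bot: The new "Scan compile image with grype" step pins `anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0` while every other grype step in the same job uses `anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1`, so the compile image is scanned with a different scanner build than the artifacts it produces and the two pins will drift independently; use the same line, `uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1`. The image references `datadog/build-extension-${{ matrix.suffix }}` and `datadog/compile-bottlecap` now carry no tag, which both scanners resolve as `:latest`; if the build scripts tag the local images with anything else, the scanners would attempt a registry pull of a `:latest` image instead of scanning the freshly built one, so confirm the tag the scripts apply or reference it explicitly. The comment that the compile image "is the same for all variants" is not verifiable from this diff since `compile_bottlecap.sh` receives `ALPINE` and `ARCHITECTURE`; the job's header and matrix are in the previous hunk.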
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index adfd9a82c..b811cc357 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -52,6 +52,18 @@ jobs: severity-cutoff: low output-format: table + rust-dependency-scan: + runs-on: ubuntu-22.04 + steps: + - name: Checkout repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + + - name: Scan Rust dependencies with cargo-audit + uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + working-directory: bottlecap + build-and-scan-images: runs-on: ubuntu-22.04 strategy: @@ -152,7 +164,7 @@ jobs: output-format: table retry: - needs: [trivy-scans, grype-scans, build-and-scan-images] + needs: [trivy-scans, grype-scans, rust-dependency-scan, build-and-scan-images] if: failure() && fromJSON(github.run_attempt) < 2 runs-on: ubuntu-22.04 permissions: @@ -165,7 +177,7 @@ jobs: run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }} notify: - needs: [trivy-scans, grype-scans, build-and-scan-images] + needs: [trivy-scans, grype-scans, rust-dependency-scan, build-and-scan-images] if: failure() && fromJSON(github.run_attempt) >= 2 runs-on: ubuntu-22.04 steps: From 33896c741cd2090387cd812d1d97e76a86bf83d2 Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Wed, 26 Nov 2025 14:32:48 -0500 Subject: [PATCH 3/5] add `on pull_request:` for testing --- .github/workflows/vulnerability-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index b811cc357..10e754809 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -1,6 +1,7 @@ name: "Vulnerability Scan" on: + pull_request: schedule: # daily at midnight - cron: "0 0 * * *" 
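Review bot: The new `rust-dependency-scan` job passes `secrets.GITHUB_TOKEN` to `rustsec/audit-check` but declares no `permissions:` block, so the token inherits whatever the workflow or repository default grants; that is either too little for the action to report results (its check-run and scheduled-issue reporting need write scopes, per its documentation) or, with a permissive default, far more than a dependency scan needs. Declare the least privilege explicitly on the job, e.g. `permissions: { contents: read, checks: write, issues: write }`, and trim it once you have confirmed which reporting mode is used. If the scan is meant to gate on findings rather than only report them, note that `audit-check` fails the step on any advisory, so `fail-fast`/`needs` wiring below will treat informational advisories the same as critical ones.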
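Review bot: The added `pull_request:` trigger is described in the commit message as being "for testing", but if it is left in, every pull request will run the full four-way matrix build plus the scans of the latest released image, and any failure routes into the `retry` job, whose `gh workflow run` requires a write-scoped token that `pull_request` events from forks do not receive (its `permissions:` block is outside this hunk, so I cannot see what it requests). Either remove the trigger before merging or scope it to the files that affect the scan, e.g. `pull_request: { paths: ['.github/workflows/vulnerability-scan.yml', 'bottlecap/**', 'images/**'] }`, and gate the retry/notify jobs with `if: failure() && github.event_name != 'pull_request' && fromJSON(github.run_attempt) < 2` so PR runs do not re-dispatch the workflow or page anyone.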
From 84c49804d57a1d85222c21982b4f65596dba71f5 Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Wed, 26 Nov 2025 14:48:57 -0500 Subject: [PATCH 4/5] update so build and scan works --- .github/workflows/vulnerability-scan.yml | 17 ++++++++++++----- images/Dockerfile.build_layer | 3 ++- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 10e754809..75f35078a 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -14,6 +14,7 @@ env: jobs: trivy-scans: + name: Trivy Scans (latest) runs-on: ubuntu-22.04 steps: - name: Scan latest released image with trivy @@ -33,6 +34,7 @@ jobs: format: table grype-scans: + name: Grype Scans (latest) runs-on: ubuntu-22.04 steps: - name: Scan latest release image with grype @@ -54,6 +56,7 @@ jobs: output-format: table rust-dependency-scan: + name: Rust Dependencies Scan runs-on: ubuntu-22.04 steps: - name: Checkout repository @@ -66,20 +69,24 @@ jobs: working-directory: bottlecap build-and-scan-images: + name: Build and Scan Images runs-on: ubuntu-22.04 strategy: matrix: include: - - arch: amd64 + - name: amd64 + arch: amd64 alpine: 0 suffix: amd64 - - arch: amd64 + - name: amd64-alpine + arch: amd64 alpine: 1 suffix: amd64-alpine - - arch: arm64 + - name: arm64 alpine: 0 suffix: arm64 - - arch: arm64 + - name: arm64-alpine + arch: arm64 alpine: 1 suffix: arm64-alpine fail-fast: false @@ -104,7 +111,7 @@ jobs: - name: Build layer (${{ matrix.suffix }}) run: | - ARCHITECTURE=${{ matrix.arch }} FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/build_layer.sh + COMPRESSER_IMAGE=ubuntu:22.04 ARCHITECTURE=${{ matrix.arch }} FILE_SUFFIX=${{ matrix.suffix }} ./.gitlab/scripts/build_layer.sh env: DOCKER_BUILDKIT: 1 diff --git a/images/Dockerfile.build_layer b/images/Dockerfile.build_layer index c931f7ddf..a850799bd 100644 
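Review bot: `COMPRESSER_IMAGE=ubuntu:22.04` overrides the Dockerfile's default with a mutable Docker Hub tag, so the layer being scanned is rebuilt on whatever `ubuntu:22.04` resolves to on the day of the run rather than on the `registry.ddbuild.io` mirror that the default (and presumably the release pipeline) uses; the scan results may therefore not describe the shipped layer, and an upstream tag move silently changes the outcome of a security gate. Pin the override by digest, `COMPRESSER_IMAGE=ubuntu:22.04@sha256:<digest>`, and add a comment above the step stating that the override exists only because GitHub-hosted runners cannot reach the internal mirror, if that is the reason. The `build_layer.sh` script that consumes the variable is outside the diff, so I cannot confirm it forwards it as a `--build-arg`.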
--- a/images/Dockerfile.build_layer +++ b/images/Dockerfile.build_layer @@ -1,4 +1,5 @@ -FROM registry.ddbuild.io/images/mirror/ubuntu:22.04 AS compresser +ARG COMPRESSER_IMAGE=registry.ddbuild.io/images/mirror/ubuntu:22.04 +FROM $COMPRESSER_IMAGE AS compresser ARG DATADOG_WRAPPER=datadog_wrapper ARG FILE_SUFFIX From ff9186877935c0d6271ac2a341cd6af6cf7b2488 Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Wed, 26 Nov 2025 14:52:06 -0500 Subject: [PATCH 5/5] fix typo --- .github/workflows/vulnerability-scan.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 75f35078a..f5014311d 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -69,7 +69,7 @@ jobs: working-directory: bottlecap build-and-scan-images: - name: Build and Scan Images + name: Build and Scan Images (${{ matrix.name }}) runs-on: ubuntu-22.04 strategy: matrix: @@ -83,6 +83,7 @@ jobs: alpine: 1 suffix: amd64-alpine - name: arm64 + arch: arm64 alpine: 0 suffix: arm64 - name: arm64-alpine
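Review bot: The new `ARG COMPRESSER_IMAGE` makes the compression stage's base image overridable without any comment saying why or under what constraints, so a reader of the Dockerfile alone sees only the mirror default and has no signal that callers are expected to pass a pinned image. Add above it `# Base image for the compression stage. Defaults to the internal mirror; override only for builds that cannot reach registry.ddbuild.io, and pin any override by digest.` — the reason for the override is inferred from the accompanying workflow change, so adjust the wording if it differs.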