diff --git a/.github/dependency-check-suppressions.xml b/.github/dependency-check-suppressions.xml
new file mode 100644
index 000000000..de4b2af16
--- /dev/null
+++ b/.github/dependency-check-suppressions.xml
@@ -0,0 +1,9 @@
+
+
+
+
+
+ ^pkg:pypi/opentelemetry\-exporter\-otlp\-proto\-grpc@.*$
+ cpe:/a:grpc:grpc
+
+
\ No newline at end of file
diff --git a/.github/workflows/daily_scan.yml b/.github/workflows/daily_scan.yml
new file mode 100644
index 000000000..7c3093f9a
--- /dev/null
+++ b/.github/workflows/daily_scan.yml
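Review bot: The suppression pairing `^pkg:pypi/opentelemetry\-exporter\-otlp\-proto\-grpc@.*$` with `cpe:/a:grpc:grpc` is open-ended: `@.*$` covers every version of the package and the element carries no expiry, so any future CVE DependencyCheck files under that CPE is hidden for as long as the file exists. That CPE is also the one used for the grpc core that the Python grpcio wheel appears to bundle, so it is not obviously a pure false positive and the rationale should be recorded. Give the `suppress` element a dated `until` attribute and a `notes` child, e.g. `<suppress until="YYYY-MM-DDZ">` and `<notes>reason this CPE match does not apply; re-check when the Python analyzer leaves experimental</notes>`, filling in the real reason and a review date. The XML tags did not survive in this rendering, so the element structure is inferred from the regex and CPE values that remain.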
@@ -0,0 +1,120 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+# Performs a daily scan of:
+# * The latest released ADOT Python image, using Trivy
+# * Project dependencies, using DependencyCheck
+#
+# Publishes results to CloudWatch Metrics.
+name: Daily scan
+
+on:
+ schedule:
+ - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
+ workflow_dispatch: # be able to run the workflow on demand
+
+env:
+ AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ scan_and_report:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo for dependency scan
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Python for dependency scan
+ uses: actions/setup-python@v4
+ with:
+ python-version: "3.10"
+
+ - name: Create requirements.txt for dependency scan
+ run: |
+ python -m venv env
+ source env/bin/activate
+ pip install aws-opentelemetry-distro/
+ pip freeze > aws-opentelemetry-distro/requirements.txt
+ less aws-opentelemetry-distro/requirements.txt
+
+ - name: Install java for dependency scan
+ uses: actions/setup-java@v4
+ with:
+ java-version: 17
+ distribution: 'temurin'
+
+ - name: Configure AWS credentials for dependency scan
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
+ aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+ - name: Get NVD API key for dependency scan
+ uses: aws-actions/aws-secretsmanager-get-secrets@v1
+ id: nvd_api_key
+ with:
+ secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
+ parse-json-secrets: true
+
+ # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
+ - name: Install and run dependency scan
+ id: dep_scan
+ if: always()
+ run: |
+ gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
+ VERSION=$(curl -s
https://jeremylong.github.io/DependencyCheck/current.txt)
+ curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
+ curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
+ gpg --verify dependency-check.zip.asc
+ unzip dependency-check.zip
+ ./dependency-check/bin/dependency-check.sh --enableExperimental --suppression .github/dependency-check-suppressions.xml --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s aws-opentelemetry-distro/
+
+ - name: Print dependency scan results on failure
+ if: ${{ steps.dep_scan.outcome != 'success' }}
+ run: less dependency-check-report.html
+
+ - name: Perform high image scan
+ if: always()
+ id: high_scan
+ uses: ./.github/actions/image_scan
+ with:
+ image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.0.1"
+ severity: 'CRITICAL,HIGH'
+
+ - name: Perform low image scan
+ if: always()
+ id: low_scan
+ uses: ./.github/actions/image_scan
+ with:
+ image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.0.1"
+ severity: 'MEDIUM,LOW,UNKNOWN'
+
+ - name: Configure AWS Credentials for emitting metrics
+ if: always()
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }}
+ aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+ - name: Publish high scan status
+ if: always()
+ run: |
+ value="${{ steps.high_scan.outcome == 'success' && '1.0' || '0.0' }}"
+ aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+ --metric-name Success \
+ --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
+ --value $value
+
+ # DependencyCheck for Python is experimental and prone to false positives. Until it is stable, use only for low monitoring.
+ - name: Publish low scan status
+ if: always()
+ run: |
+ value="${{ steps.low_scan.outcome == 'success' && steps.dep_scan.outcome == 'success' && 1.0 || 0.0}}"
+ aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+ --metric-name Success \
+ --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
+ --value $value
diff --git a/.github/workflows/released_image_scan.yml b/.github/workflows/released_image_scan.yml
deleted file mode 100644
index 929173c6f..000000000
--- a/.github/workflows/released_image_scan.yml
+++ /dev/null
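Review bot: The "Install and run dependency scan" step both carries `if: always()` and splices the NVD key into the shell line with `${{ env.NVD_API_KEY_NVD_API_KEY }}`, so if the secret-retrieval step fails the step still runs, the expression expands to nothing, and the command becomes `--nvdApiKey -s aws-opentelemetry-distro/`, which feeds `-s` to the key option and loses the scan path. Pass the key through the step's environment and drop the unconditional guard: add `env:` with `NVD_API_KEY: ${{ env.NVD_API_KEY_NVD_API_KEY }}` to the step, reference it as `--nvdApiKey "$NVD_API_KEY"` on the command line, and remove `if: always()` so the scan only runs once the key step has succeeded (the exported variable name follows the secrets action's parse-json naming and is inferred here). The key is still visible in the runner's process argument list either way, which is acceptable only if the masked-secret handling of the secrets action is relied on for logs. The zip and its `.asc` are both fetched at whatever `current.txt` reports, so the `gpg --verify` against the pinned fingerprint is the only thing anchoring this download; keep it, and consider pinning `VERSION` so a given day's scan is reproducible.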
@@ -1,71 +0,0 @@
-## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-## SPDX-License-Identifier: Apache-2.0
-# Performs a daily scan of the latest released ADOT Python image. Publishes results to CloudWatch Metrics.
-name: Released image scan
-
-on:
- schedule:
- - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
- workflow_dispatch: # be able to run the workflow on demand
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- scan_and_report:
- runs-on: ubuntu-latest
- steps:
- - name: Perform high scan
- id: high_scan
- uses: ./.github/actions/image_scan
- with:
- image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.0.1"
- severity: 'CRITICAL,HIGH'
-
- - name: Perform low scan
- if: always()
- id: low_scan
- uses: ./.github/actions/image_scan
- with:
- image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.0.1"
- severity: 'MEDIUM,LOW,UNKNOWN'
-
- - name: Configure AWS Credentials
- if: always()
- uses: aws-actions/configure-aws-credentials@v4
- with:
- role-to-assume: ${{ secrets.E2E_SECRET_TEST_ROLE_ARN }}
- aws-region: us-east-1
-
- - name: Publish high scan status success
- if: steps.high_scan.outcome == "success'
- run: |
- aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
- --metric-name Success \
- --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=released_image_scan_high \
- --value 1.0
-
- - name: Publish high scan status failure
- if: steps.high_scan.outcome != 'success'
- run: |
- aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
- --metric-name Success \
- --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=released_image_scan_high \
- --value 0.0
-
- - name: Publish low scan status success
- if: steps.low_scan.outcome == "success'
- run: |
- aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
- --metric-name Success \
- --dimensions
repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=released_image_scan_low \
- --value 1.0
-
- - name: Publish low scan status failure
- if: steps.low_scan.outcome != 'success'
- run: |
- aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
- --metric-name Success \
- --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=released_image_scan_low \
- --value 0.0