Add daily security scans with reporting (#139)

thpierce · web-flow · commit d0ab51ae81cd · 2024-04-03T19:24:51.000-07:00
In this PR, we are adding a workflow that runs daily and does the following: 1. Scans dependencies with https://github.com/jeremylong/DependencyCheck, looking for any findings. 2. Scans latest released image with https://github.com/aquasecurity/trivy-action, looking for high findings. 2. Scans latest released image with https://github.com/aquasecurity/trivy-action, looking for low findings. 3. Reports scan results in both high and low (DependencyCheck is low, as it is an experimental scanner) to CloudWatch metrics. Testing: https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/8546375213/job/23416606146?pr=139 Note that MONITORING_ROLE_ARN won't work from pull requests, but should work in daily runs, as a result, we cannot test metrics are produced until this is merged. By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
diff --git a/.github/dependency-check-suppressions.xml b/.github/dependency-check-suppressions.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!--False positive: opentelemetry-exporter-otlp-proto-grpc incorrectly maps to grpc-->
+    <suppress>
+        <notes><![CDATA[file name: opentelemetry-exporter-otlp-proto-grpc:1.22.0]]></notes>
+        <packageUrl regex="true">^pkg:pypi/opentelemetry\-exporter\-otlp\-proto\-grpc@.*$</packageUrl>
+        <cpe>cpe:/a:grpc:grpc</cpe>
+    </suppress>
+</suppressions>
diff --git a/.github/workflows/daily_scan.yml b/.github/workflows/daily_scan.yml
@@ -0,0 +1,120 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+# Performs a daily scan of:
+# * The latest released ADOT Python image, using Trivy
+# * Project dependencies, using DependencyCheck
+#
+#  Publishes results to CloudWatch Metrics.
+name: Daily scan
+
+on:
+  schedule:
+    - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
+  workflow_dispatch: # be able to run the workflow on demand
+
+env:
+  AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  scan_and_report:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo for dependency scan
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python for dependency scan
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+
+      - name: Create requirements.txt for dependency scan
+        run: |
+          python -m venv env
+          source env/bin/activate
+          pip install aws-opentelemetry-distro/
+          pip freeze > aws-opentelemetry-distro/requirements.txt
+          less aws-opentelemetry-distro/requirements.txt
+
+      - name: Install java for dependency scan
+        uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: 'temurin'
+
+      - name: Configure AWS credentials for dependency scan
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Get NVD API key for dependency scan
+        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        id: nvd_api_key
+        with:
+          secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
+          parse-json-secrets: true
+
+      # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
+      - name: Install and run dependency scan
+        id: dep_scan
+        if: always()
+        run: |
+          gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
+          VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt)
+          curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
+          curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
+          gpg --verify dependency-check.zip.asc
+          unzip dependency-check.zip
+          ./dependency-check/bin/dependency-check.sh --enableExperimental --suppression .github/dependency-check-suppressions.xml --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s aws-opentelemetry-distro/
+
+      - name: Print dependency scan results on failure
+        if: ${{ steps.dep_scan.outcome != 'success' }}
+        run: less dependency-check-report.html
+
+      - name: Perform high image scan
+        if: always()
+        id: high_scan
+        uses: ./.github/actions/image_scan
+        with:
+          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.0.1"
+          severity: 'CRITICAL,HIGH'
+
+      - name: Perform low image scan
+        if: always()
+        id: low_scan
+        uses: ./.github/actions/image_scan
+        with:
+          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-python:v0.0.1"
+          severity: 'MEDIUM,LOW,UNKNOWN'
+
+      - name: Configure AWS Credentials for emitting metrics
+        if: always()
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Publish high scan status
+        if: always()
+        run: |
+          value="${{ steps.high_scan.outcome == 'success' && '1.0' || '0.0' }}"
+          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
+            --value $value
+
+      # DependencyCheck for Python is experimental and prone to false positives. Until it is stable, use only for low monitoring.
+      - name: Publish low scan status
+        if: always()
+        run: |
+          value="${{ steps.low_scan.outcome == 'success' && steps.dep_scan.outcome == 'success' && 1.0 || 0.0}}"
+          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
+            --value $value
diff --git a/.github/workflows/released_image_scan.yml b/.github/workflows/released_image_scan.yml
