From ec9d1df6f35a95641eb2fe61680c8d3c7a940eab Mon Sep 17 00:00:00 2001 From: Eric Zhang Date: Mon, 12 Jan 2026 12:04:28 -0800 Subject: [PATCH 1/2] add daily scan --- .github/workflows/daily-scan.yml | 143 +++++++++++++++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 .github/workflows/daily-scan.yml diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml new file mode 100644 index 00000000..2ed0ebac --- /dev/null +++ b/.github/workflows/daily-scan.yml @@ -0,0 +1,143 @@ +## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +## SPDX-License-Identifier: Apache-2.0 +# Performs a daily scan of: +# * The X-Ray Python SDK source code, using Trivy +# * Project dependencies, using DependencyCheck +# +# Publishes results to CloudWatch Metrics. +name: Daily scan + +on: + schedule: + - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day + workflow_dispatch: # be able to run the workflow on demand + push: + branches: + - zhaez/scanner + +env: + AWS_DEFAULT_REGION: us-east-1 + +permissions: + id-token: write + contents: read + +jobs: + scan_and_report: + runs-on: ubuntu-latest + steps: + - name: Checkout repo for dependency scan + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0 + with: + fetch-depth: 0 + + - name: Setup Python for dependency scan + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0 + with: + python-version: '3.x' + + - name: Build Python project for scanning + run: | + python -m venv scan-venv + source scan-venv/bin/activate + # Install the published SDK package to get all runtime dependencies + pip install aws-xray-sdk + # Generate requirements file for scanning + pip freeze > requirements.txt + + - name: Install Java for dependency scan + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #v5.0.0 + with: + java-version: 17 + distribution: 'temurin' + + - name: Configure AWS credentials for dependency scan + uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0 + with: + role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} + + - name: Get NVD API key for dependency scan + uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10 + id: nvd_api_key + with: + secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }} + parse-json-secrets: true + + # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation + - name: Install and run dependency scan + id: dep_scan + if: always() + run: | + # Install dependency-check + gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED + VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1) + curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip + curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc + gpg --verify dependency-check.zip.asc + unzip dependency-check.zip + + # Run dependency check on entire workspace + ./dependency-check/bin/dependency-check.sh \ + --failOnCVSS 0 \ + --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} \ + --disableOssIndex \ + --enableExperimental \ + -s "." \ + --format HTML \ + --format JSON + + - name: Print dependency scan results on failure + if: always() + run: | + if [ "${{ steps.dep_scan.outcome }}" != "success" ]; then + less dependency-check-report.html + fi + + - name: Perform high severity scan on built artifacts + if: always() + id: high_scan_latest + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1 + with: + scan-type: 'fs' + scan-ref: '.' + severity: 'CRITICAL,HIGH' + exit-code: '1' + scanners: 'vuln' + + - name: Perform low severity scan on built artifacts + if: always() + id: low_scan_latest + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1 + with: + scan-type: 'fs' + scan-ref: '.' + severity: 'MEDIUM,LOW,UNKNOWN' + exit-code: '1' + scanners: 'vuln' + + - name: Configure AWS Credentials for emitting metrics + if: always() + uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0 + with: + role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} + + - name: Publish high scan status + if: always() + run: | + value="${{ steps.high_scan_latest.outcome == 'success' && '0' || '1' }}" + aws cloudwatch put-metric-data --metric-name XRayPythonSDKSecurityScanHighSeverityFailures --dimensions failure=rate --namespace MonitorSDK --value $value --timestamp $(date +%s) + + - name: Publish low scan status + if: always() + run: | + value="${{ steps.low_scan_latest.outcome == 'success' && steps.dep_scan.outcome == 'success' && '0' || '1' }}" + aws cloudwatch put-metric-data --metric-name XRayPythonSDKSecurityScanLowSeverityFailures --dimensions failure=rate --namespace MonitorSDK --value $value --timestamp $(date +%s) + + - name: Cleanup + if: always() + run: | + rm -f ./dependency-check.zip + rm -f ./dependency-check.zip.asc + rm -rf ./dependency-check || true \ No newline at end of file From 5c3fe621fc739994eb506395b214f274d67d2821 Mon Sep 17 00:00:00 2001 From: Eric Zhang Date: Mon, 12 Jan 2026 12:28:50 -0800 Subject: [PATCH 2/2] remove test trigger --- .github/workflows/daily-scan.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml index 2ed0ebac..0c99574f 100644 --- a/.github/workflows/daily-scan.yml +++ b/.github/workflows/daily-scan.yml @@ -11,9 +11,6 @@ on: schedule: - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day workflow_dispatch: # be able to run the workflow on demand - push: - branches: - - zhaez/scanner env: AWS_DEFAULT_REGION: us-east-1