Scan latest releases for vulnerabilities. (#343)

purple4reina · web-flow · commit 180f2a503ed4 · 2024-08-02T02:55:32.000-07:00
diff --git a/.github/workflows/serverless-vuln-scan.yml b/.github/workflows/serverless-vuln-scan.yml
@@ -48,6 +48,22 @@ jobs:
           exit-code: 1
           format: table
 
+      - name: Scan latest released image with trivy
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+        with:
+          image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
+      - name: Scan latest-alpoine released image with trivy
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+        with:
+          image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
+          ignore-unfixed: true
+          exit-code: 1
+          format: table
+
       - name: Scan amd64 image with grype
         uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
         with:
@@ -66,6 +82,24 @@ jobs:
           severity-cutoff: low
           output-format: table
 
+      - name: Scan latest release image with grype
+        uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
+        with:
+          image: "public.ecr.aws/datadog/lambda-extension:latest"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
+      - name: Scan latest-alpine release image with grype
+        uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
+        with:
+          image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
+          only-fixed: true
+          fail-build: true
+          severity-cutoff: low
+          output-format: table
+
       - name: Scan binary files with grype
         uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
         with:
