ci: Run Datadog SCA in CI #2636
Benchmarks: Benchmark execution time: 2024-03-28 21:04:16. Comparing candidate commit f92faae in PR branch. Found 0 performance improvements and 0 performance regressions! Performance is the same for 44 metrics, 0 unstable metrics.
Cool to see this initiative popping up here ;-) Is the docker image publicly accessible? If so, I suggest we do a GitHub workflow instead, as this is our main CI tool.
It's not. If you want to use a GitHub action, you can use the SCA GitHub action.
So why not integrate this here? We are an open-source library, so the more open we are, the better ;-) Still open to starting your early integration this way.
I was planning to apply this at some point. Thanks for taking the lead, @harmonherring-pro! As @Julio-Guerra stated, I think too that we should go with the SCA GitHub Action. If you don't mind, I can take care of this and convert the GitLab YAML to its GitHub equivalent in this same PR. WDYT?
Thanks for pinging me! I was wrapped up in some other work for a few days and didn't realize the activity this PR had 😅 That sounds good to me, let me know if you need anything from me!
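As an added illustration of the conversion discussed above (example configuration, not code from this PR or from the dd-trace-go project), this is a GitHub Actions workflow that mirrors the two commands visible in the GitLab job, `osv-scanner` generating a CycloneDX SBOM and `datadog-ci sbom upload` sending it, with the service set to `dd-trace-go` as the reviewer asked. The install commands, the `DD_API_KEY` / `DD_APP_KEY` secret names, the tool versions and the trigger set are assumptions; the SCA GitHub Action mentioned in the thread is a separate route that this example does not use.

```yaml
# Added example, not the PR's own configuration.
# Assumptions: repository secrets named DD_API_KEY and DD_APP_KEY exist,
# and osv-scanner / datadog-ci are installed with the commands below.
name: Datadog SCA

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: stable

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install scanners (assumed install method)
        run: |
          go install github.com/google/osv-scanner/cmd/osv-scanner@latest
          npm install -g @datadog/datadog-ci

      # Same osv-scanner invocation as the GitLab job in this PR.
      - name: Generate CycloneDX SBOM
        run: >-
          osv-scanner --skip-git --recursive --experimental-only-packages
          --format=cyclonedx-1-4 --output=/tmp/sbom.json .

      # Credentials are scoped to this single step via env, so they are
      # never expanded on the command line or written to the job log.
      - name: Upload SBOM to Datadog
        env:
          DD_API_KEY: ${{ secrets.DD_API_KEY }}   # assumed secret name
          DD_APP_KEY: ${{ secrets.DD_APP_KEY }}   # assumed secret name
        run: datadog-ci sbom upload --service dd-trace-go --env ci /tmp/sbom.json
```

Passing the keys only through the upload step's `env` block plays the same role as the GitLab job's ordering of `export DD_APP_KEY=...` before `set -o xtrace`: the decrypted key is available to the tool that needs it without being echoed into CI output.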
Looks good to me! Approving just in case, but feel free to go with the GitHub Actions integration if you want to.
- export DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name "ci.dd-trace-go.datadog_app_key_org2" --with-decryption --query "Parameter.Value" --out text) | ||
- set -o xtrace | ||
- osv-scanner --skip-git --recursive --experimental-only-packages --format=cyclonedx-1-4 --output=/tmp/sbom.json . | ||
- datadog-ci sbom upload --service integrations-core --env ci /tmp/sbom.json |
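Review bot: `--service integrations-core` on the `datadog-ci sbom upload` line looks carried over from another repository; since this PR targets dd-trace-go, the uploaded SBOM would be attributed to the wrong service in Datadog, so change it to `--service dd-trace-go`, as the reviewer below also asks. The placement of `export DD_APP_KEY=$(aws ssm get-parameter ... --with-decryption ...)` before `set -o xtrace` is the right order, because xtrace only echoes commands run after it is enabled, which keeps the decrypted app key out of the job log; keep that order if the steps are ever reshuffled.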
Could you set the service to dd-trace-go please?
This PR is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 10 days.
What does this PR do?
Adds a new GitLab CI job that dogfoods the Datadog SCA product.
Motivation
@DataDog/software-integrity-and-trust partners with @DataDog/static-analysis to dogfood their SCA product and secure Datadog's supply chain.
Reviewer's Checklist