
ci: Run Datadog SCA in CI #2636

Draft
wants to merge 1 commit into main

Conversation

harmonherring-pro

What does this PR do?

Adds a new GitLab CI job that dogfoods the Datadog SCA product.

Motivation

@DataDog/software-integrity-and-trust partners with @DataDog/static-analysis to dogfood their SCA product and secure Datadog's supply chain.

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

@pr-commenter

pr-commenter bot commented Mar 28, 2024

Benchmarks

Benchmark execution time: 2024-03-28 21:04:16

Comparing candidate commit f92faae in PR branch harmon.herring/sint-1892-deploy-sca with baseline commit aaf8af5 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 44 metrics, 0 unstable metrics.

@Julio-Guerra
Contributor

Julio-Guerra commented Mar 28, 2024

Cool to see this initiative popping up here ;-)

Is the docker image publicly accessible? If so, I suggest we do a github workflow instead, as this is our main CI tool.
(You could even provide a simple reusable github workflow or action to hide all these details).

@juli1

juli1 commented Mar 29, 2024

Cool to see this initiative popping up here ;-)

Is the docker image publicly accessible? If so, I suggest we do a github workflow instead, as this is our main CI tool. (You could even provide a simple reusable github workflow or action to hide all these details).

It's not. If you want to use a GitHub action, you can use the SCA GitHub action.

@Julio-Guerra
Contributor

Cool to see this initiative popping up here ;-)
Is the docker image publicly accessible? If so, I suggest we do a github workflow instead, as this is our main CI tool. (You could even provide a simple reusable github workflow or action to hide all these details).

It's not. If you want to use a GitHub action, you can use the SCA GitHub action.

So why not integrate this here? We are an open-source library, so the more open we are, the better ;-)
So far GitLab is used only for the benchmark platform, which relies on GitLab runners maintained by the related backend team; everything else we have and rely on ourselves runs on GitHub Workflows.

Still open to starting your early integration this way.

@darccio
Contributor

darccio commented Apr 3, 2024

I was planning to apply this at some point. Thanks for taking the lead, @harmonherring-pro! As @Julio-Guerra stated, I think too that we should go with the SCA GitHub Action.

If you don't mind, I can take care of this and convert the GitLab YAML to its GitHub equivalent in this same PR. WDYT?

@harmonherring-pro
Author

harmonherring-pro commented Apr 3, 2024

I was planning to apply this at some point. Thanks for taking the lead, @harmonherring-pro! As @Julio-Guerra stated, I think too that we should go with the SCA GitHub Action.

If you don't mind, I can take care of this and convert the GitLab YAML to its GitHub equivalent in this same PR. WDYT?

Thanks for pinging me! I was wrapped up in some other work for a few days and didn't realize the activity this PR had 😅. That sounds good to me; let me know if you need anything from me!

@Julio-Guerra Julio-Guerra changed the title from "ci( Run Datadog SCA in CI" to "ci: Run Datadog SCA in CI" Apr 4, 2024
@Julio-Guerra Julio-Guerra added the ci label Apr 4, 2024

@juliendoutre juliendoutre left a comment


Looks good to me! Approving just in case, but feel free to go with the github actions integration if you want to.

- export DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name "ci.dd-trace-go.datadog_app_key_org2" --with-decryption --query "Parameter.Value" --out text)
- set -o xtrace
- osv-scanner --skip-git --recursive --experimental-only-packages --format=cyclonedx-1-4 --output=/tmp/sbom.json .
- datadog-ci sbom upload --service integrations-core --env ci /tmp/sbom.json
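Review bot: `--service integrations-core` on the upload line names a different repository; since this job runs in dd-trace-go, the SBOM should be uploaded with `--service dd-trace-go`, otherwise the findings are attributed to the wrong service in Datadog. The ordering of the first two lines is worth preserving: `set -o xtrace` is enabled only after the `DD_APP_KEY` export, so the decrypted SSM parameter value is never echoed into the job log; if the script is reshuffled later, keep the export ahead of the trace flag.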


Could you set the service to dd-trace-go please?


This PR is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the stale Stuck for more than 1 month label Apr 25, 2024