feat: add Trivy security scan workflow for vulnerability detection

.github/workflows/security-scan.yml

@@ -0,0 +1,156 @@
+name: Security Scan with Trivy CLI
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+    branches:
+      - main
+      - dev
+
+permissions:
+  contents: write      
+  security-events: write
+  pull-requests: write
+
+jobs:
+  scan-fs:
+    name: Scan Go Dependencies (FS)
+    runs-on: ubuntu-latest 
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.7"
+          cache-dependency-path: go.sum
+
+      - name: Download Go modules
+        run: go mod download
+
+      - name: Install Trivy
+        run: |
+          # This script installs the latest version of Trivy.
+          # See https://aquasecurity.github.io/trivy/v0.53/getting-started/installation/
+          sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy -y
+
+      - name: 🛑 Scan filesystem for vulnerabilities (Blocker)
+        id: fs_scan_blocker
+        continue-on-error: true 
+        run: |
+          trivy fs \
+            --scanners vuln \
+            --dependency-tree \
+            --exit-code 1 \
+            --severity "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN" \
+            --ignore-unfixed \
+            --skip-dirs "examples" \
+            .
+
+      - name: Generate report for PR comment
+        if: steps.fs_scan_blocker.outcome == 'failure'
+        run: |
+          # Run the same scan, but with exit-code 0 so it doesn't fail.
+          # Redirect the table output to a file for the PR comment.
+          trivy fs \
+            --scanners vuln \
+            --dependency-tree \
+            --exit-code 0 \
+            --severity "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN" \
+            --ignore-unfixed \
+            --format table \
+            --skip-dirs "examples" \
+            . > trivy-fs-comment-report.txt
+
+      - name: Post vulnerability report on PR
+        if: steps.fs_scan_blocker.outcome == 'failure' && github.event_name == 'pull_request'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body-file: trivy-fs-comment-report.txt
+          edit-mode: replace
+
+      - name: Fail job if vulnerabilities were found
+        if: steps.fs_scan_blocker.outcome == 'failure'
+        run: |
+          echo "Failing the job due to filesystem vulnerabilities."
+          exit 1
+
+  scan-image:
+    name: Scan Docker Images
+    runs-on: ubuntu-latest
+    needs: scan-fs
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [amd64, arm64]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU and Docker Buildx
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        run: |
+          docker build --build-arg TARGETARCH=${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} \
+            -t newrelic-lambda-extension:${{ github.sha }}-${{ matrix.arch }} .
+
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy -y
+
+      - name: 🛑 Scan image for vulnerabilities (Blocker)
+        id: image_scan_blocker
+        continue-on-error: true 
+        run: |
+          trivy image \
+            --scanners vuln \
+            --dependency-tree \
+            --exit-code 1 \
+            --severity "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN" \
+            --ignore-unfixed \
+            --format table \
+            newrelic-lambda-extension:${{ github.sha }}-${{ matrix.arch }}
+
+      - name: Generate report for PR comment
+        if: steps.image_scan_blocker.outcome == 'failure'
+        run: |
+          # Run the same scan, but with exit-code 0 and redirect output to a file.
+          trivy image \
+            --scanners vuln \
+            --dependency-tree \
+            --exit-code 0 \
+            --severity "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN" \
+            --ignore-unfixed \
+            --format table \
+            newrelic-lambda-extension:${{ github.sha }}-${{ matrix.arch }} > trivy-image-comment-report.txt
+
+      - name: Post vulnerability report on PR
+        if: steps.image_scan_blocker.outcome == 'failure' && github.event_name == 'pull_request'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body-file: 'trivy-image-comment-report.txt'
+          edit-mode: replace
+
+      - name: Fail job if vulnerabilities were found
+        if: steps.image_scan_blocker.outcome == 'failure'
+        run: |
+          echo "Failing the job due to image vulnerabilities in ${{ matrix.arch }} build."
+          exit 1

Dockerfile

@@ -0,0 +1,30 @@
+FROM golang:1.23-alpine AS builder
+
+ARG TARGETARCH
+
+RUN apk add --no-cache make git
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+
+RUN go mod download
+
+COPY . .
+
+RUN if [ "${TARGETARCH}" = "amd64" ]; then \
+      make build-for-scan-x86_64; \
+    elif [ "${TARGETARCH}" = "arm64" ]; then \
+      make build-for-scan-arm64; \
+    else \
+      echo "Unsupported architecture: ${TARGETARCH}" && exit 1; \
+    fi
+
+FROM alpine:3.20
+
+# It's good practice to add ca-certificates for any potential HTTPS communication.
+RUN apk add --no-cache ca-certificates
+
+WORKDIR /opt
+
+COPY --from=builder /app/extensions .

Makefile

@@ -7,6 +7,14 @@ clean:
 	rm -f /tmp/newrelic-lambda-extension.x86_64.zip
 	rm -f /tmp/newrelic-lambda-extension.arm64.zip
 
+# New target for building x86_64 without stripping for security scans
+build-for-scan-x86_64: clean
+	env GOARCH=amd64 GOOS=linux CGO_ENABLED=0 go build -o ./extensions/newrelic-lambda-extension
+
+# New target for building arm64 without stripping for security scans
+build-for-scan-arm64: clean
+	env GOARCH=arm64 GOOS=linux CGO_ENABLED=0 go build -o ./extensions/newrelic-lambda-extension
+
 dist-x86_64: clean
 	env GOARCH=amd64 GOOS=linux CGO_ENABLED=0 go build -ldflags="-s -w" -o ./extensions/newrelic-lambda-extension
 	touch preview-extensions-ggqizro707

go.mod

@@ -1,6 +1,7 @@
 module github.com/newrelic/newrelic-lambda-extension
 
-go 1.23.8
+go 1.23.7
+
 
 // Go experimental release X25519Kyber768Draft00 is causing issue with AWS Network Firewall
 godebug tlskyber=0