This repository has been archived by the owner on Feb 21, 2022. It is now read-only.

DataDog/github-action-vulnerability-analysis

Vulnerability Analysis Github Action

The Datadog Github Action continuously monitors the dependency and version information of code being deployed. By combining this data with Datadog’s Continuous Profiler and Snyk’s vulnerability database, the action gives a real-time view of which code is actually reachable and vulnerable in production. By layering Profiler data on top of Snyk's Intel Vulnerability DB, Datadog is able to provide a list of reachable vulnerabilities—those that are invoked by external users in production.


Prerequisites

  • Set up Datadog Continuous Profiler. A Datadog account with the Profiler enabled is required to create Datadog application and API keys and to access the Profiler. If you don't already have a Datadog account, sign up for a Datadog Free Trial.
    • Note: When setting up Datadog Continuous Profiler, the service and version must follow the same conventions as in unified service tagging.
  • Set up Snyk. A Snyk account is required to create the Snyk token. Sign up for a free Snyk account, or use an already existing account of any tier.
    • Note: The Snyk integration only applies to Java applications, with support for more languages coming soon.

Setup

  1. Start by setting up a new Github Actions workflow or adding onto an existing one.
  2. Next, identify the Datadog Profiling services in Datadog where you want to set up Vulnerability Security tracking. You'll need the service name that is shown in the Service column of your Datadog Profiling page.
  3. Depending on your language and build system, find the matching Snyk CLI Docker image in the following table:

| Name | Snyk CLI Docker Image |
| --- | --- |
| Gradle 5.4 | snyk/snyk-cli:gradle-5.4 |
| Gradle 5.4 with Java 11 | snyk/snyk-cli:gradle-5.4_java11 |
| Gradle 4.4 | snyk/snyk-cli:gradle-4.4 |
| Gradle 2.8 | snyk/snyk-cli:gradle-2.8 |
| Maven 3.6.3 | snyk/snyk-cli:maven-3.6.3 |
| Maven 3.6.3 with Java 11 | snyk/snyk-cli:maven-3.6.3_java11 |
| Maven 3.5.4 | snyk/snyk-cli:maven-3.5.4 |
  4. Define the service and the version that should be monitored, and connect Datadog and Snyk to your Github Actions workflow by editing the workflow YAML file to include the parameters Snyk CLI Docker Image, build file, service, version, site, DATADOG_API_KEY, DATADOG_APP_KEY, and SNYK_TOKEN. For a full list of fields, see Inputs. Here is an example YAML:

```yaml
jobs:
  vulnerability_analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Setup Node
        uses: actions/setup-node@v1
        with:
          node-version: 12.x
      - name: Compute dependency graph
        run: docker run -e "SNYK_TOKEN=$SNYK_TOKEN" -v "$PWD:/project" <Snyk CLI Docker Image> test --print-deps --file=<build file>
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Display dependency graph computation errors
        run: |
          echo "-- Display snyk-error.log file"
          cat snyk-error.log
      - name: Upload dependency graph to Datadog
        uses: datadog/github-action-vulnerability-analysis@v0.3.2
        with:
          service: <service>
          version: <version>
          site: <site> # Optional
        env:
          DATADOG_API_KEY: <datadog-api-key>
          DATADOG_APP_KEY: <datadog-app-key>
```

`-v "$PWD:/project"` mounts the repository path inside the Docker container so that the dependency graph can be computed there. The build file must therefore be given as a path relative to the repository root, not as an absolute path.

  5. Repeat steps 2 - 3 for any other services that you want to set up Vulnerability Security monitoring for (you only need to set up datadog-api-key, datadog-app-key, and snyk-token once).
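The rules the setup steps and the Inputs table state (relative build file path, non-empty service and version, 32- and 40-character hexadecimal Datadog keys) can be enforced before the Snyk container is launched. The preflight function below is an added example, not part of this action or the original README; the function name, the argument order and the extra defensive checks for `..` segments and URL-shaped site values are this example's own choices.

```shell
#!/bin/sh
# Preflight validation for the vulnerability-analysis workflow inputs.
# Added example; runs as a step before "Compute dependency graph".
# Usage: preflight_check <build_file> <service> <version> <site> <api_key> <app_key>
# Returns 0 when every input satisfies the README's rules, 1 otherwise.
preflight_check() {
  build_file=$1; service=$2; version=$3; site=$4; api_key=$5; app_key=$6
  ok=0

  # The build file is handed to `snyk test --file=` inside the container,
  # where the checkout is mounted at /project, so it must be a relative path
  # that stays inside the repository (the `..` check is this example's addition).
  case "$build_file" in
    "")   echo "build file is empty" >&2; ok=1 ;;
    /*)   echo "build file must be relative, got: $build_file" >&2; ok=1 ;;
    *..*) echo "build file must not leave the repository: $build_file" >&2; ok=1 ;;
  esac
  if [ -n "$build_file" ] && [ ! -f "$build_file" ]; then
    echo "build file not found in checkout: $build_file" >&2; ok=1
  fi

  # service and version must match the profiled service's unified service tags.
  [ -n "$service" ] || { echo "service is empty" >&2; ok=1; }
  [ -n "$version" ] || { echo "version is empty" >&2; ok=1; }

  # site is a bare domain such as datadoghq.com or datadoghq.eu, not a URL
  # (assumption based on the README's examples).
  case "$site" in
    *://*|*/*) echo "site must be a bare domain, got: $site" >&2; ok=1 ;;
  esac

  # Key shapes from the Inputs table: 32 and 40 hex characters.
  # Only the format is checked; the values are never printed.
  printf '%s' "$api_key" | grep -Eq '^[0-9a-f]{32}$' \
    || { echo "DATADOG_API_KEY is not a 32-character hex string" >&2; ok=1; }
  printf '%s' "$app_key" | grep -Eq '^[0-9a-f]{40}$' \
    || { echo "DATADOG_APP_KEY is not a 40-character hex string" >&2; ok=1; }

  return $ok
}
```

In a workflow, call it with the secrets passed through `env:` so the values do not appear in the job log, and let a non-zero return fail the job before any token is sent to the container.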

Example

You have a service running Profiling with Datadog and you decide to add the vulnerability analysis. The service runs in the Datadog EU site (app.datadoghq.eu), is named app-name, and its version is v2.1. The service is a Java program built with Gradle, and the path to the build file is app/build.gradle. Store the Datadog API key, the Datadog app key, and the Snyk token as Github secrets under the DATADOG_API_KEY, DATADOG_APP_KEY, and SNYK_TOKEN names. The Github workflow is then:

```yaml
jobs:
  vulnerability_analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Setup Node
        uses: actions/setup-node@v1
        with:
          node-version: 12.x
      - name: Compute dependency graph
        run: docker run -e "SNYK_TOKEN=$SNYK_TOKEN" -v "$PWD:/project" snyk/snyk-cli:gradle-5.4 test --print-deps --file=my-app/build.gradle.kts
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload dependency graph to Datadog
        uses: datadog/github-action-vulnerability-analysis@v0.3
        with:
          service: 'app-name'
          version: 'v2.1'
          site: 'datadoghq.eu'
        env:
          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
          DATADOG_APP_KEY: ${{ secrets.DATADOG_APP_KEY }}
```

Results

Once you have integrated Snyk and Datadog and run your Github Actions workflow, the Snyk vulnerability analysis appears in the Vulnerability Severity column of the Datadog Profiler search page for every service you have set up.

Drilling into a profile will display a Vulnerability Intelligence section (if a vulnerability is detected) that provides a link to the Snyk vulnerability database, with details on the exposure and remediation steps.


The Search view can be used to gather insights on how often specific vulnerabilities are invoked over a period of time. You can get this view by using Vulnerabilities as a measure, and Vulnerability as an aggregation function. This helps to compare the relative frequency of invocations for different vulnerabilities. Now you can go ahead and remediate the higher risk vulnerabilities that are exposed to the public!

Inputs

| Name | Requirement | Default | Description |
| --- | --- | --- | --- |
| Snyk CLI Docker Image | required | | The path to the Snyk CLI Docker image that computes the dependency graph. Example: snyk/snyk-cli:gradle-5.4 |
| build file | required | | The build file of the service. Example: app/build.gradle or app/build.gradle.kts |
| service | required | | The service name. Example: app-name |
| version | required | | The version of the application. Example: v2.1 |
| DATADOG_API_KEY | required | | The Datadog API key. A 32-character hexadecimal string. This key is created by your Datadog organization and should be stored as a secret. |
| DATADOG_APP_KEY | required | | The Datadog APP key. A 40-character hexadecimal string. This key is created by your Datadog organization and should be stored as a secret. |
| SNYK_TOKEN | required | | The Snyk token. Ex: a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6. This key is created from your Snyk account and should be stored as a secret. |
| site | optional | datadoghq.com | The Datadog site. Needs to be set to datadoghq.eu for Datadog EU users. Ex: datadoghq.com or datadoghq.eu |