From e179301a2690b22cdee6ee1898624263dab16135 Mon Sep 17 00:00:00 2001
From: Eric Zhang
Date: Mon, 12 Jan 2026 10:42:00 -0800
Subject: [PATCH 1/4] add daily scan
---
.github/workflows/daily-scan.yml | 101 +++++++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 .github/workflows/daily-scan.yml
diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml
new file mode 100644
index 00000000..6a60a0cb
--- /dev/null
+++ b/.github/workflows/daily-scan.yml
@@ -0,0 +1,101 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+# Performs a daily scan of:
+# * The X-Ray Java SDK source code, using Trivy
+# * Project dependencies, using DependencyCheck
+#
+# Publishes results to CloudWatch Metrics.
+name: Daily scan
+
+on:
+ schedule:
+ - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
+ workflow_dispatch: # be able to run the workflow on demand
+ push:
+ branches:
+ - zhaez/scanner
+
+env:
+ AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ scan_and_report:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo for dependency scan
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Setup Java for dependency scan
+ uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #v5.0.0
+ with:
+ java-version: 17
+ distribution: 'temurin'
+
+ - name: Configure AWS credentials for dependency scan
+ uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
+ with:
+ role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
+ aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+ - name: Get NVD API key for dependency scan
+ uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
+ id: nvd_api_key
+ with:
+ secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
+ parse-json-secrets: true
+
+ # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
+ - name: Install and run dependency scan
+ id: dep_scan
+ if: always()
+ run: |
+ # Install dependency-check
+ gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
+ VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1)
+ curl -Ls 
"https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
+ curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
+ gpg --verify dependency-check.zip.asc
+ unzip dependency-check.zip
+
+ # Run dependency check on entire workspace
+ ./dependency-check/bin/dependency-check.sh \
+ --failOnCVSS 0 \
+ --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} \
+ --disableOssIndex \
+ --enableExperimental \
+ -s "." \
+ --format HTML \
+ --format JSON
+
+ - name: Print dependency scan results on failure
+ if: always()
+ run: |
+ if [ "${{ steps.dep_scan.outcome }}" != "success" ]; then
+ less dependency-check-report.html
+ fi
+
+ - name: Configure AWS Credentials for emitting metrics
+ if: always()
+ uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
+ with:
+ role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
+ aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+ - name: Publish dependency scan status
+ if: always()
+ run: |
+ value="${{ steps.dep_scan.outcome == 'success' && '0' || '1' }}"
+ aws cloudwatch put-metric-data --metric-name XRayJavaSDKSecurityScanFailures --dimensions failure=rate --namespace MonitorSDK --value $value --timestamp $(date +%s)
+
+ - name: Cleanup
+ if: always()
+ run: |
+ rm -f ./dependency-check.zip
+ rm -f ./dependency-check.zip.asc
+ rm -rf ./dependency-check || true
\ No newline at end of file
From c19dbd054e002e8f61e4c1b944c7b3796565098e Mon Sep 17 00:00:00 2001
From: Eric Zhang
Date: Mon, 12 Jan 2026 12:27:43 -0800
Subject: [PATCH 2/4] remove test trigger
---
.github/workflows/daily-scan.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml
index 6a60a0cb..2c3c429d 100644
--- a/.github/workflows/daily-scan.yml
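Review bot: The `--nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }}` line in the dep_scan step renders the secret into the script text at expression-expansion time, so it ends up in the step's command line and in any shell tracing, with GitHub's log masking as the only protection; the workflow already has the value as an environment variable (it reads it through `env.`), so the shell form `--nvdApiKey "$NVD_API_KEY_NVD_API_KEY"` keeps it out of the rendered script, and the same line survives unchanged into patch 4's rewrite of this step. The dep_scan step also runs under `if: always()`, so a failed checkout or secret fetch still starts a scan with an empty key instead of stopping the job; dropping that guard, or testing `[ -n "$NVD_API_KEY_NVD_API_KEY" ]` before the scan, makes that failure visible rather than a slow or misleading scan. In the print step, `less dependency-check-report.html` invokes a pager; `cat` is the non-interactive equivalent for a CI log.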
+++ b/.github/workflows/daily-scan.yml @@ -11,9 +11,6 @@ on: schedule: - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day workflow_dispatch: # be able to run the workflow on demand - push: - branches: - - zhaez/scanner env: AWS_DEFAULT_REGION: us-east-1 From 7517d6c602a7450249844107a79f48123cecc114 Mon Sep 17 00:00:00 2001 From: Eric Zhang Date: Wed, 18 Feb 2026 12:31:13 -0800 Subject: [PATCH 3/4] update metric publishing --- .github/workflows/daily-scan.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml index 2c3c429d..fb942174 100644 --- a/.github/workflows/daily-scan.yml +++ b/.github/workflows/daily-scan.yml @@ -87,8 +87,11 @@ jobs: - name: Publish dependency scan status if: always() run: | - value="${{ steps.dep_scan.outcome == 'success' && '0' || '1' }}" - aws cloudwatch put-metric-data --metric-name XRayJavaSDKSecurityScanFailures --dimensions failure=rate --namespace MonitorSDK --value $value --timestamp $(date +%s) + value="${{ steps.dep_scan.outcome == 'success' && '1.0' || '0.0' }}" + aws cloudwatch put-metric-data --namespace 'MonitorSDK' \ + --metric-name Success \ + --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \ + --value $value - name: Cleanup if: always() From 350efb2fa15f55ff2e47bbfab42dd76e97faa113 Mon Sep 17 00:00:00 2001 From: Eric Zhang Date: Wed, 18 Feb 2026 12:46:50 -0800 Subject: [PATCH 4/4] align format with adot daily scans --- .github/workflows/daily-scan.yml | 29 ++++------------------------- 1 file changed, 4 insertions(+), 25 deletions(-) diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml index fb942174..bc7d9da1 100644 --- a/.github/workflows/daily-scan.yml +++ b/.github/workflows/daily-scan.yml 
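Review bot: In the rewritten put-metric-data call, `${{ github.repository }}` and `${{ github.ref_name }}` are expanded straight into the shell script; with only schedule and workflow_dispatch triggers left after patch 2 the branch is the default branch, so the exposure is small, but GitHub's own guidance is to pass context values through `env:` and read them as quoted shell variables so that no branch or repository name can alter the command. Add an `env:` block on the step with `REPO: ${{ github.repository }}` and `BRANCH: ${{ github.ref_name }}` and write `--dimensions "repository=$REPO,branch=$BRANCH,workflow=daily_scan_low"`. The metric semantics also invert here (Success is 1.0 on success, where the old metric counted failures), so any CloudWatch alarm built on the previous metric name needs to follow this change. The Publish step starts inside the hunk but the job continues outside it.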
@@ -1,7 +1,6 @@ ## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. ## SPDX-License-Identifier: Apache-2.0 # Performs a daily scan of: -# * The X-Ray Java SDK source code, using Trivy # * Project dependencies, using DependencyCheck # # Publishes results to CloudWatch Metrics. @@ -52,37 +51,24 @@ jobs: id: dep_scan if: always() run: | - # Install dependency-check gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1) curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc gpg --verify dependency-check.zip.asc unzip dependency-check.zip - - # Run dependency check on entire workspace - ./dependency-check/bin/dependency-check.sh \ - --failOnCVSS 0 \ - --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} \ - --disableOssIndex \ - --enableExperimental \ - -s "." \ - --format HTML \ - --format JSON + ./dependency-check/bin/dependency-check.sh --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s "." - name: Print dependency scan results on failure - if: always() - run: | - if [ "${{ steps.dep_scan.outcome }}" != "success" ]; then - less dependency-check-report.html - fi + if: ${{ steps.dep_scan.outcome != 'success' }} + run: less dependency-check-report.html - name: Configure AWS Credentials for emitting metrics if: always() uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0 with: role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }} - aws-region: ${{ env.AWS_DEFAULT_REGION }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} - name: Publish dependency scan status if: always() 
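Review bot: The print step's new condition `if: ${{ steps.dep_scan.outcome != 'success' }}` contains no status-check function, so GitHub implicitly evaluates it as `success() && …`, and once dep_scan has failed the job status is no longer success — the step meant to show the report on failure will never run, unlike the previous `if: always()` with the shell test. Use `if: ${{ !cancelled() && steps.dep_scan.outcome != 'success' }}` (or `failure() && …`), and prefer `cat` over the pager `less` for CI output. Dropping `--disableOssIndex` in the same hunk re-enables the OSS Index analyzer, which queries Sonatype without credentials here and is a common source of rate-limit failures that would then register as scan failures in the metric; if that was not intended, keep the flag. With the HTML/JSON format flags gone the HTML report is still produced by default, but nothing uploads it as an artifact, so on failure the console output is the only copy.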
@@ -92,10 +78,3 @@ jobs: --metric-name Success \ --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \ --value $value - - - name: Cleanup - if: always() - run: | - rm -f ./dependency-check.zip - rm -f ./dependency-check.zip.asc - rm -rf ./dependency-check || true \ No newline at end of file