gortiz opened a new pull request, #9044: URL: https://github.com/apache/pinot/pull/9044
This PR adds a new workflow that executes [Trivy](https://github.com/aquasecurity/trivy) in order to look for vulnerabilities. As I'm not a Pinot Committer, I'm not sure if this PR is going to work.

Trivy is an open source program with a huge vulnerability DB that analyzes artifacts looking for vulnerabilities. Although Trivy can be used in different ways, the most common way to use it is to analyze a Docker image. By doing that it can analyze the code dependencies (for example, jars) but also OS dependencies (like the zlib version that is used). Trivy can also be used to analyze infrastructure as code and other configs, but I don't have experience doing so.

When programs like this are added to a piece of software, it is expected to find a lot of vulnerabilities. It doesn't make sense to block ongoing PRs due to vulnerabilities that are already present in the master branch, so I have relaxed the workflow so that it does not fail. We should change that once we fix all the vulnerabilities.
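The compromise described in the PR (report everything, fail on nothing until master is clean) can be tightened without blocking on pre-existing findings by diffing Trivy's JSON output against a baseline of the vulnerabilities already accepted on master. The script below is an added example, not code from the PR or from the Pinot project; the report and the CVE identifiers in it are constructed placeholders, and the image name and baseline set are assumptions.

```python
"""Gate a Trivy JSON report against a baseline: vulnerabilities already
known on master are tolerated, newly introduced fixable HIGH/CRITICAL
findings fail the build. Trivy's SchemaVersion 2 field names are used."""
import json

# Constructed sample of a Trivy report. The CVE ids are placeholders,
# not real identifiers, and the image name is assumed.
REPORT_JSON = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/pinot:pr",
    "Results": [
        {"Target": "example/pinot:pr (debian 11)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "zlib1g",
              "InstalledVersion": "1:1.2.11", "FixedVersion": "1:1.2.12", "Severity": "HIGH"}]},
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "com.example:lib",
              "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "com.example:other",
              "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "LOW"}]},
    ],
})

# Findings already present on master (in practice a checked-in file).
BASELINE = {("CVE-0000-0001", "zlib1g")}
FAIL_SEVERITIES = {"CRITICAL", "HIGH"}

def findings(report_json):
    """Flatten a Trivy report into (id, package, severity, has_fix) tuples."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" entirely for clean targets.
        for v in result.get("Vulnerabilities") or []:
            out.append((v["VulnerabilityID"], v["PkgName"], v["Severity"],
                        bool(v.get("FixedVersion"))))
    return out

def evaluate(report_json, baseline, fail_severities, ignore_unfixed=True):
    """Split findings into newly introduced blocking ids and known ids."""
    new_blocking, known = [], []
    for vid, pkg, sev, has_fix in findings(report_json):
        if (vid, pkg) in baseline:
            known.append(vid)            # tolerated: already on master
        elif sev in fail_severities and (has_fix or not ignore_unfixed):
            new_blocking.append(vid)     # new and actionable: fail the PR
    return new_blocking, known

def exit_code(report_json, baseline, fail_severities):
    """Non-zero only when the PR introduces a new blocking vulnerability."""
    return 1 if evaluate(report_json, baseline, fail_severities)[0] else 0
```

Shrinking the baseline file as master is fixed moves the workflow gradually toward the strict, failing mode the PR defers.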
