rmoff opened a new pull request, #15430: URL: https://github.com/apache/iceberg/pull/15430
## Summary

- Adds a Trivy vulnerability scan job to the Kafka Connect CI workflow
- Builds the `distZip`, unpacks it, and scans the bundled jars for CRITICAL/HIGH CVEs
- On push events (main, version branches, RC tags), uploads SARIF results to GitHub's Security tab
- On PRs, outputs scan results to CI logs for developer visibility
- Does not fail the build — reports only, matching the approach used by other Apache projects (e.g. [Superset](https://github.com/apache/superset/blob/9f8b212ccc75308d019338fab642489bda00af3d/.github/workflows/docker.yml#L104-L119))

## Context

Discussion on dev@ mailing list: https://lists.apache.org/thread/kbf98950pzstzgon92st7mh9vrbv5yhb

Confluent Marketplace requires a Trivy scan before listing connectors. This has previously caught CVEs that needed patching (e.g. #14985). Running the scan in CI catches vulnerabilities during development and — critically — on RC tags before the release vote starts, when fixes can still be applied.

This is independent of #15212 (adding the KC artifact to the release process) and can land in either order.

## Test plan

- [ ] CI runs the new `vulnerability-scan` job successfully
- [ ] Trivy scan output is visible in CI logs
- [ ] SARIF upload works on push events (visible in Security tab)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
