rymurr commented on code in PR #15430:
URL: https://github.com/apache/iceberg/pull/15430#discussion_r2964602052
##########
.github/workflows/kafka-connect-ci.yml:
##########
@@ -107,3 +107,52 @@ jobs:
name: test logs
path: |
**/build/testlogs
+ # ------------------------------------------------------------------
+ # Trivy CVE scan (JVM 21 only — dependency CVEs are JVM-independent)
+ #
+ # Scans bundled jars for CRITICAL/HIGH vulnerabilities.
+ # The scan step shows as red when CVEs are found, but does not block
+ # the overall CI job (continue-on-error: true).
+ # On push: results are uploaded as SARIF to GitHub's Security tab.
+ # On PRs: results are printed to the CI log for visibility.
+ # ------------------------------------------------------------------
+ - name: Build Kafka Connect distribution for scanning
+ if: matrix.jvm == 21
+ run: |
+ ./gradlew -DsparkVersions= -DflinkVersions= -DkafkaVersions=3 \
+ :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip \
+ -Pquick=true -x test -x javadoc
+ - name: Unpack distribution for scanning
+ if: matrix.jvm == 21
+ run: |
+ mkdir -p /tmp/kafka-connect-scan
+ unzip
kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip
\
+ -d /tmp/kafka-connect-scan
+ - name: Run Trivy vulnerability scan
+ if: matrix.jvm == 21
+ continue-on-error: true
+ uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518
# v0.34.1
+ with:
+ scan-type: 'fs'
+ scan-ref: '/tmp/kafka-connect-scan'
+ scanners: 'vuln'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
+ exit-code: '1'
+ - name: Run Trivy vulnerability scan (SARIF)
+ if: matrix.jvm == 21 && github.event_name == 'push'
+ uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518
# v0.34.1
+ with:
+ scan-type: 'fs'
+ scan-ref: '/tmp/kafka-connect-scan'
+ scanners: 'vuln'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
+ exit-code: '0'
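Review bot: the `exit-code: '1'` / `exit-code: '0'` asymmetry between the two Trivy steps is reasonable but undocumented, and the header comment above the steps only describes the first one. The first step uses `exit-code: '1'` so Trivy returns non-zero when a CRITICAL/HIGH finding exists, and `continue-on-error: true` turns that into a red step that does not fail the job. The SARIF step uses `exit-code: '0'` so it can never fail, which is why it has no `continue-on-error`; its only purpose is to write `trivy-results.sarif`. Consider adding one line to the header comment stating that explicitly, e.g. "The SARIF step always exits 0 so the file is produced even when CVEs are found", so the next reader does not assume the missing `continue-on-error` is an oversight. Two further points worth stating in the same comment: `ignore-unfixed: true` means findings without an available fix are silently dropped from both the log and the SARIF output, and the header's "results are uploaded as SARIF to GitHub's Security tab" is not implemented by anything in this hunk (no upload step is visible here), so either the upload step belongs in this change or the comment should point to where it lives.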
Review Comment:
why is this exit code 0 and the other is 1? What does this mean anyways...it
always exits with 0/1 regardless of state?
Seems this is missing continue on error too? Or is the SARIF scan just
different?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]