VedarthConfluent commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1534363653
########## .github/workflows/docker_scan.yml: ########## @@ -0,0 +1,43 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: + # This job will run at 3:30 UTC daily + - cron: '30 3 * * *' +jobs: + scan_jvm: + runs-on: ubuntu-latest + strategy: + matrix: + # This is an array of supported tags. Make sure this array only contains the supported tags + supported_image_tag: ['3.7.0'] + steps: + - name: Run CVE scan + uses: aquasecurity/trivy-action@master + if: always() + with: + image-ref: apache/kafka:${{ matrix.supported_image_tag }} + format: 'table' + severity: 'CRITICAL,HIGH' + output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt + exit-code: '1' + - name: Upload CVE scan report Review Comment: The CVE report is uploaded in github actions workflow only. Just like build test workflow one can download and check the report. In case pipeline fails, github actions sends out an email to github user who last edited the workflow. There doesn't seem to be any native setting to control email notification for individual workflows where we can specify the email addresses that should get notified. There are github actions that can send emails, but they are not github certified, so I don't think they will be allowed as there are restrictions on what github actions can run on Apache's repos. So probably it will be better to send email via some cli tool. Will need a bot email for that. I'll explore this and update here -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
