[ 
https://issues.apache.org/jira/browse/KAFKA-19881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18037934#comment-18037934
 ] 

PoAn Yang commented on KAFKA-19881:
-----------------------------------

The exit code is 1 
([https://github.com/apache/kafka/blob/f685d57f2cb1bcbedcf37d0e2e1cd577fb6ef594/.github/workflows/docker_scan.yml#L39]).
From the [trivy-action documentation|https://github.com/aquasecurity/trivy-action], it 
returns this value when it finds vulnerabilities. Currently, it scans released 
images. However, the released images cannot be changed. IMO, we can build a 
temporary image and only scan this image on branch heads like trunk, 4.1, 4.0, 
and 3.9.

> Docker Image CVE Scanner workflow consistently failing
> ------------------------------------------------------
>
>                 Key: KAFKA-19881
>                 URL: https://issues.apache.org/jira/browse/KAFKA-19881
>             Project: Kafka
>          Issue Type: Task
>          Components: build, docker
>            Reporter: Mickael Maison
>            Priority: Major
>
> That workflow 
> (https://github.com/apache/kafka/actions/workflows/docker_scan.yml) has been 
> failing since February.
> Is this workflow useful? If so, should it gate releases?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
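The approach proposed in the comment above, as an added example workflow that is not the Kafka project's own docker_scan.yml: each maintained branch head is checked out, a throwaway image is built from it, and that image (rather than a published release image) is scanned with trivy-action using exit-code 1 so the job fails only when vulnerabilities are found. The Dockerfile path, build context, image tag, severity filter and cron schedule are assumptions made for this example; the branch names are the ones the comment lists.

```yaml
# Added example (not the Kafka project's docker_scan.yml): scan a freshly built
# image from each maintained branch head instead of the released images.
# Assumptions: the Dockerfile path, build context, tag, severity filter and
# schedule below are illustrative, not taken from the Kafka repository.
name: Docker Image CVE Scan (branch heads)

on:
  schedule:
    - cron: '0 4 * * 1'   # weekly; assumed schedule
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false      # one vulnerable branch should not hide results for the others
      matrix:
        branch: [trunk, '4.1', '4.0', '3.9']
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branch }}

      # Build a throwaway image tagged with the branch name; it is never pushed,
      # so findings can be fixed on the branch rather than in an immutable release.
      # The Dockerfile path and build context are assumptions for this example.
      - name: Build temporary image
        run: |
          docker build \
            -f docker/jvm/Dockerfile \
            -t kafka-scan:${{ matrix.branch }} \
            docker/jvm

      # exit-code '1' makes the step fail only when the scanner finds
      # vulnerabilities, which is the behaviour the trivy-action docs describe.
      - name: Scan temporary image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: kafka-scan:${{ matrix.branch }}
          format: table
          exit-code: '1'
          ignore-unfixed: true
          severity: CRITICAL,HIGH
```

With `fail-fast: false`, a finding on one branch still lets the other matrix entries run, so the workflow summary shows which branch heads need attention; `ignore-unfixed` keeps the job from failing on findings that no package update can resolve yet.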
