Skip to content

Commit efb2e2c

Browse files
subkanthixieandrew
andauthored
ci: Add github workflow for vulnerability scanning (#173)
Co-authored-by: Andrew Xie <dev@xie.is>
1 parent 177f02a commit efb2e2c

6 files changed

Lines changed: 469 additions & 220 deletions

File tree

.github/workflows/security.yaml

Lines changed: 107 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,107 @@
1+
name: Security Scan
2+
3+
on:
4+
pull_request:
5+
branches: ["**"]
6+
push:
7+
branches: [main, develop]
8+
schedule:
9+
- cron: "0 8 * * 1" # weekly Monday 08:00 UTC
10+
11+
permissions:
12+
contents: read
13+
security-events: write
14+
15+
jobs:
16+
codeql:
17+
name: CodeQL (Java SAST)
18+
runs-on: ubuntu-latest
19+
steps:
20+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
21+
22+
- name: Set up JDK 21
23+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
24+
with:
25+
distribution: temurin
26+
java-version: "21"
27+
28+
- name: Initialize CodeQL
29+
uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
30+
with:
31+
languages: java
32+
queries: +security-extended
33+
34+
- name: Build with Maven
35+
run: ./mvnw -B compile -DskipTests -pl ice,ice-rest-catalog
36+
37+
- name: Perform CodeQL Analysis
38+
uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
39+
with:
40+
category: "/language:java"
41+
42+
trivy:
43+
name: Trivy Filesystem Scan
44+
runs-on: ubuntu-latest
45+
steps:
46+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
47+
48+
- name: Run Trivy (table output for logs)
49+
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
50+
with:
51+
scan-type: fs
52+
scan-ref: .
53+
scanners: vuln
54+
severity: CRITICAL,HIGH
55+
exit-code: "1"
56+
format: table
57+
trivy-config: trivy.yaml
58+
59+
- name: Run Trivy (SARIF for GitHub Security tab)
60+
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
61+
if: always()
62+
with:
63+
scan-type: fs
64+
scan-ref: .
65+
scanners: vuln
66+
severity: CRITICAL,HIGH
67+
exit-code: "0"
68+
format: sarif
69+
output: trivy-results.sarif
70+
trivy-config: trivy.yaml
71+
72+
- name: Upload Trivy SARIF to GitHub Security
73+
uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
74+
if: always()
75+
with:
76+
sarif_file: trivy-results.sarif
77+
78+
grype:
79+
name: Grype Dependency Scan
80+
runs-on: ubuntu-latest
81+
steps:
82+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
83+
84+
- name: Run Grype (table output for logs)
85+
uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
86+
with:
87+
path: .
88+
fail-build: "true"
89+
severity-cutoff: high
90+
output-format: table
91+
92+
- name: Run Grype (SARIF for GitHub Security tab)
93+
uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
94+
if: always()
95+
id: grype-sarif
96+
with:
97+
path: .
98+
fail-build: "false"
99+
severity-cutoff: high
100+
output-format: sarif
101+
102+
- name: Upload Grype SARIF to GitHub Security
103+
uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
104+
if: always()
105+
with:
106+
sarif_file: ${{ steps.grype-sarif.outputs.sarif }}
107+
category: grype

ice-rest-catalog/pom.xml

Lines changed: 16 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@
1515
<properties>
1616
<sqlite.version>3.46.1.0</sqlite.version>
1717
<jetcd.version>0.8.5</jetcd.version>
18-
<grpc.version>1.70.0</grpc.version>
18+
<grpc.version>1.76.0</grpc.version>
1919
<testcontainers.version>1.21.4</testcontainers.version>
2020
</properties>
2121

@@ -154,7 +154,7 @@
154154
<!-- transitive -->
155155
<groupId>commons-codec</groupId>
156156
<artifactId>commons-codec</artifactId>
157-
<version>1.17.1</version>
157+
<version>${commons.codec.version}</version>
158158
</dependency>
159159
<!-- s3tables -->
160160
<dependency>
@@ -230,7 +230,7 @@
230230
<dependency>
231231
<groupId>com.google.cloud</groupId>
232232
<artifactId>google-cloud-storage</artifactId>
233-
<version>2.43.1</version>
233+
<version>${google.cloud.storage.version}</version>
234234
<exclusions>
235235
<exclusion>
236236
<groupId>com.google.guava</groupId>
@@ -399,6 +399,18 @@
399399
<artifactId>jetcd-core</artifactId>
400400
<version>${jetcd.version}</version>
401401
<exclusions>
402+
<exclusion>
403+
<groupId>io.grpc</groupId>
404+
<artifactId>grpc-core</artifactId>
405+
</exclusion>
406+
<exclusion>
407+
<groupId>io.grpc</groupId>
408+
<artifactId>grpc-util</artifactId>
409+
</exclusion>
410+
<exclusion>
411+
<groupId>io.grpc</groupId>
412+
<artifactId>grpc-grpclb</artifactId>
413+
</exclusion>
402414
<exclusion>
403415
<groupId>com.google.guava</groupId>
404416
<artifactId>guava</artifactId>
@@ -477,7 +489,7 @@
477489
<dependency>
478490
<groupId>com.google.guava</groupId>
479491
<artifactId>guava</artifactId>
480-
<version>33.4.0-jre</version>
492+
<version>33.5.0-jre</version>
481493
<exclusions>
482494
<exclusion>
483495
<groupId>org.checkerframework</groupId>

ice-rest-catalog/src/test/pyiceberg/pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ requires-python = ">=3.12"
77
dependencies = [
88
"httpx>=0.28.1",
99
"pyarrow>=19.0.1",
10-
"pyiceberg[pyarrow]>=0.9.0",
10+
"pyiceberg[pyarrow]>=0.11.1",
1111
]
1212

1313
[dependency-groups]

0 commit comments

Comments
 (0)