|
71 | 71 |
|
72 | 72 | kafka-connect-tests: |
73 | 73 | runs-on: ubuntu-24.04 |
| 74 | + permissions: |
| 75 | + contents: read |
| 76 | + security-events: write |
74 | 77 | strategy: |
75 | 78 | max-parallel: 15 |
76 | 79 | matrix: |
@@ -104,3 +107,67 @@ jobs: |
104 | 107 | name: test logs |
105 | 108 | path: | |
106 | 109 | **/build/testlogs |
| 110 | + # ------------------------------------------------------------------ |
| 111 | + # Trivy CVE scan |
| 112 | + # |
| 113 | + # Scans bundled jars for known vulnerabilities. |
| 114 | + # Only runs on JVM 21 — dependency CVEs are JVM-independent so |
| 115 | + # a single scan avoids redundant work. |
| 116 | + # |
| 117 | + # Behaviour: |
| 118 | + # - Flag, don't block: the scan step uses exit-code 1 so it |
| 119 | + # "fails" when CVEs are found, but continue-on-error keeps |
| 120 | + # the overall job green. GitHub Actions shows the step with |
| 121 | + # an orange warning icon. This is the only mechanism Actions |
| 122 | + # provides for "visible but non-blocking" — there is no way |
| 123 | + # to show a red step while keeping the job green. |
| 124 | + # - On push to main/release branches: results are uploaded as |
| 125 | + # SARIF to the GitHub Security tab for ongoing tracking. |
| 126 | + # - On PRs: SARIF upload is skipped because GitHub's Security |
| 127 | + # tab only accepts results from default/protected branches. |
| 128 | + # CVE findings are visible in the CI log output instead. |
| 129 | + # ------------------------------------------------------------------ |
| 130 | + - name: Build Kafka Connect distribution for scanning |
| 131 | + if: matrix.jvm == 21 |
| 132 | + run: | |
| 133 | + ./gradlew -DsparkVersions= -DflinkVersions= -DkafkaVersions=3 \ |
| 134 | + :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip \ |
| 135 | + -Pquick=true -x test -x javadoc |
| 136 | + - name: Unpack distribution for scanning |
| 137 | + if: matrix.jvm == 21 |
| 138 | + run: | |
| 139 | + mkdir -p /tmp/kafka-connect-scan |
| 140 | + unzip kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip \ |
| 141 | + -d /tmp/kafka-connect-scan |
| 142 | + # Scan and output results as SARIF (for upload on push) while also |
| 143 | + # printing a human-readable summary to the CI log. exit-code 1 means |
| 144 | + # the step fails when CVEs are found; continue-on-error means the |
| 145 | + # job continues and the step shows as orange (not red) in the UI. |
| 146 | + - name: Run Trivy vulnerability scan |
| 147 | + if: matrix.jvm == 21 |
| 148 | + continue-on-error: true |
| 149 | + uses: lhotari/sandboxed-trivy-action@f01374b6cc3bf7264ab238293e94f6db7ada6dd0 # v1.0.2 |
| 150 | + with: |
| 151 | + scan-type: 'rootfs' |
| 152 | + scan-ref: '/tmp/kafka-connect-scan' |
| 153 | + scanners: 'vuln' |
| 154 | + ignore-unfixed: true |
| 155 | + exit-code: '1' |
| 156 | + format: 'sarif' |
| 157 | + output: 'trivy-results.sarif' |
| 158 | + # Print human-readable results to the CI log so they're visible |
| 159 | + # without downloading the SARIF file. |
| 160 | + - name: Print Trivy scan results |
| 161 | + if: matrix.jvm == 21 |
| 162 | + run: | |
| 163 | + if [ -f trivy-results.sarif ]; then |
| 164 | + echo "## Trivy CVE Scan Results" |
| 165 | + jq -r '.runs[].results[] | "- \(.ruleId): \(.message.text)"' trivy-results.sarif 2>/dev/null || echo "No findings or unable to parse SARIF." |
| 166 | + else |
| 167 | + echo "No SARIF file found — scan may have failed to install." |
| 168 | + fi |
| 169 | + - name: Upload Trivy results to GitHub Security tab |
| 170 | + if: matrix.jvm == 21 && github.event_name == 'push' |
| 171 | + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4 |
| 172 | + with: |
| 173 | + sarif_file: 'trivy-results.sarif' |
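Review bot: The upload step at new line 169–173 is gated only on `matrix.jvm == 21 && github.event_name == 'push'`, so if the scan step never writes `trivy-results.sarif` (the case the print step itself anticipates with "No SARIF file found — scan may have failed to install"), `upload-sarif` fails and turns the job red, contradicting the "flag, don't block" behaviour described in the header comment. Gating it on the file's existence keeps the failure mode visible but non-blocking: `if: matrix.jvm == 21 && github.event_name == 'push' && hashFiles('trivy-results.sarif') != ''`. Two smaller points: with `ignore-unfixed: true`, CVEs that have no upstream fix are dropped from both the log and the Security tab, which deserves a line in the comment block, e.g. `# ignore-unfixed: CVEs with no fixed version are omitted from the SARIF and the Security tab`; and the `|| echo "No findings or unable to parse SARIF."` fallback in the print step only fires when jq errors, because a scan with zero results makes jq print nothing and exit 0, so the log is silent rather than stating there were no findings. The enclosing `kafka-connect-tests` job begins above this hunk.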