59 changes: 9 additions & 50 deletions .github/workflows/kafka-connect-cve-scan.yml
Expand Up @@ -27,78 +27,37 @@ on:
- '2.*'
tags:
- 'apache-iceberg-**'
pull_request:
I think we need to fail on PR and be informational on main. I actually found my way to this PR because the post-merge scan on #16279 failed, and I'd rather have seen those CVEs at review time than after they landed on main.

paths-ignore:
- '.github/ISSUE_TEMPLATE/**'
- '.github/workflows/api-binary-compatibility.yml'
- '.github/workflows/delta-conversion-ci.yml'
- '.github/workflows/docs-ci.yml'
- '.github/workflows/flink-ci.yml'
- '.github/workflows/hive-ci.yml'
- '.github/workflows/java-ci.yml'
- '.github/workflows/jmh-benchmarks-ci.yml'
- '.github/workflows/labeler.yml'
- '.github/workflows/license-check.yml'
- '.github/workflows/open-api.yml'
- '.github/workflows/publish-snapshot.yml'
- '.github/workflows/recurring-jmh-benchmarks.yml'
- '.github/workflows/site-ci.yml'
- '.github/workflows/spark-ci.yml'
- '.github/workflows/kafka-connect-ci.yml'
- '.github/workflows/stale.yml'
- '.gitignore'
- '.asf.yaml'
- 'dev/**'
- 'docker/**'
- 'mr/**'
- 'flink/**'
- 'spark/**'
- 'docs/**'
- 'site/**'
- 'open-api/**'
- 'format/**'
- '.gitattributes'
- '**/README.md'
- 'CONTRIBUTING.md'
- '**/LICENSE'
- '**/NOTICE'
- 'doap.rdf'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
cancel-in-progress: false

jobs:

# ------------------------------------------------------------------
# Trivy CVE scan — scans bundled jars for known vulnerabilities.
#
# Behaviour:
# - If a CVE is found, the step will fail. However, since this job
# is not a required check, it will not block merging.
# - On push to main/release branches: results are uploaded as
# SARIF to the GitHub Security tab for ongoing tracking.
# - On PRs: SARIF upload is skipped because GitHub's Security
# tab only accepts results from default/protected branches.
# CVE findings are visible in the CI log output instead.
# Runs on push to main/release branches only (not PRs). Results are
# uploaded as SARIF to the GitHub Security tab for ongoing tracking.
# The scan is informational and does not block the build.
# ------------------------------------------------------------------
kafka-connect-cve-scan:
runs-on: ubuntu-24.04
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: zulu
java-version: 21
- uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5 # zizmor: ignore[cache-poisoning] -- cache writes are restricted to the default branch by setup-gradle
- uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 # zizmor: ignore[cache-poisoning] -- cache writes are restricted to the default branch by setup-gradle
- name: Build Kafka Connect distribution for scanning
run: |
./gradlew -DsparkVersions= -DflinkVersions= -DkafkaVersions=3 \
Expand All @@ -117,7 +76,7 @@ jobs:
scanners: 'vuln'
severity: 'HIGH,CRITICAL'
limit-severities-for-sarif: true
exit-code: '1'
exit-code: '0'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Print Trivy scan results
Expand All @@ -130,7 +89,7 @@ jobs:
echo "No SARIF file found — scan may have failed to install."
fi
- name: Upload Trivy results to GitHub Security tab
if: always() && github.event_name == 'push'
if: always()
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: 'trivy-results.sarif'
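Review bot: The new header comment on the `kafka-connect-cve-scan` job understates the triggers: it says the scan `Runs on push to main/release branches only (not PRs)`, but the `on:` block in the same hunk still lists `tags: - 'apache-iceberg-**'`, so tag pushes run it too, and someone checking whether a release tag was scanned should not have to cross-check the trigger list. Suggest `# Runs on push to main/release branches and apache-iceberg-* tags (not PRs). Results are uploaded as SARIF to the GitHub Security tab for ongoing tracking.` in place of the first two new comment lines. With `exit-code: '0'` the Trivy step can no longer fail on findings, so `if: always()` on the upload step now only matters when an earlier step (the Gradle build or the scanner install) failed, in which case `trivy-results.sarif` is likely absent and the upload would presumably error a second time; `if: always() && hashFiles('trivy-results.sarif') != ''` would keep the upload conditional on the file actually existing, which matches the missing-file handling the print step already has. The `on:` block begins above the hunk, so the branch filters themselves are not visible here.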