Commit
KAFKA-15882: Add nightly docker image scan job (apache#15013)
Reviewers: Mickael Maison <[email protected]>
VedarthConfluent authored Mar 25, 2024
1 parent be17df6 commit e9e007a
Showing 2 changed files with 64 additions and 0 deletions.
44 changes: 44 additions & 0 deletions .github/workflows/docker_scan.yml
@@ -0,0 +1,44 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Docker Image CVE Scanner
on:
schedule:
# This job will run at 3:30 UTC daily
- cron: '30 3 * * *'
workflow_dispatch:
jobs:
scan_jvm:
runs-on: ubuntu-latest
strategy:
matrix:
# This is an array of supported tags. Make sure this array only contains the supported tags
supported_image_tag: ['latest', '3.7.0']
steps:
- name: Run CVE scan
uses: aquasecurity/trivy-action@master
if: always()
with:
image-ref: apache/kafka:${{ matrix.supported_image_tag }}
format: 'table'
severity: 'CRITICAL,HIGH'
output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
exit-code: '1'
- name: Upload CVE scan report
if: always()
uses: actions/upload-artifact@v3
with:
name: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
path: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
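Review bot: `uses: aquasecurity/trivy-action@master` in the "Run CVE scan" step pulls a mutable branch ref, so each nightly run executes whatever is on that branch at the time; an unpinned scanner action is itself a supply-chain weak point in a job whose purpose is supply-chain hygiene. Pin it to a release tag or, preferably, a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # vX.Y.Z` (placeholder), and treat `actions/upload-artifact@v3` the same way. Two smaller points: `if: always()` on the first step of the job has no preceding step to react to and can be dropped (it is correct on the upload step, where it ensures the report is uploaded even after `exit-code: '1'` fails the scan), and the matrix relies on the default `fail-fast: true`, so a CRITICAL/HIGH finding on one tag can cancel the still-running scan of the other tag; add `fail-fast: false` under `strategy:` so every entry in `supported_image_tag` is scanned and reported on every run.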
20 changes: 20 additions & 0 deletions docker/README.md
@@ -63,6 +63,26 @@ rc_docker_image: apache/kafka:3.6.0-rc0
promoted_docker_image: apache/kafka:3.6.0
```

Cron job for checking CVEs in supported docker images
-----------------------------------------------------

- `Docker Image CVE Scanner` Github Action Workflow (present in `.github/workflows/docker_scan.yml`) will run nightly CVE scans and generate reports for docker image tags mentioned in the `supported_image_tag` array.
- This workflow is branch independent. Only the workflow in trunk, i.e. the default branch will be considered.
- In case a Critical or High CVE is detected, the workflow will fail.
- It will generate the scan reports that can be checked by the community.
- For every new release, this should be updated with the latest supported docker images.
- For example:-
```
For supporting apache/kafka:3.6.0, apache/kafka:latest and apache/kafka:3.7.0-rc0, supported_image_tag array should be
supported_image_tag: ['3.6.0', 'latest', '3.7.0-rc0']
```
- When RC for a version gets changed or when a bug fix release happens, this should be updated as well.
- For example:-
```
For supporting apache/kafka:3.6.1, apache/kafka:latest and apache/kafka:3.7.0-rc1, tag array should be
supported_image_tag: ['3.6.1', 'latest', '3.7.0-rc1']
```

Local Setup
-----------

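Review bot: the two "For example:-" fenced blocks put an explanatory sentence inside the code fence together with the YAML it illustrates, so the sentence renders as code; move the sentence above the fence and tag the fence `yaml` so that only `supported_image_tag: ['3.6.0', 'latest', '3.7.0-rc0']` (and, in the second block, the 3.6.1 variant) sits inside it. The bullet "It will generate the scan reports that can be checked by the community" also leaves out where the reports go: per `.github/workflows/docker_scan.yml` each report is uploaded as a workflow-run artifact named `scan_report_jvm_<tag>.txt`, and a failed run means at least one tag in `supported_image_tag` has a CRITICAL or HIGH finding; saying so here tells the reader what to look at when the nightly job turns red. Finally, the "branch independent" bullet could state the reason: `schedule:` triggers only run from the default branch, which is why only the copy in trunk matters.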

0 comments on commit e9e007a
