From e9e007aec8004576ac6d34de690f17a3f5fa8af6 Mon Sep 17 00:00:00 2001
From: Vedarth Sharma <142404391+VedarthConfluent@users.noreply.github.com>
Date: Mon, 25 Mar 2024 13:53:01 +0530
Subject: [PATCH] KAFKA-15882: Add nightly docker image scan job (#15013)

Reviewers: Mickael Maison
---
 .github/workflows/docker_scan.yml | 44 +++++++++++++++++++++++++++++++
 docker/README.md | 20 ++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 .github/workflows/docker_scan.yml

diff --git a/.github/workflows/docker_scan.yml b/.github/workflows/docker_scan.yml
new file mode 100644
index 0000000000000..7d9ecfe6192b5
--- /dev/null
+++ b/.github/workflows/docker_scan.yml
@@ -0,0 +1,44 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Image CVE Scanner
+on:
+  schedule:
+    # This job will run at 3:30 UTC daily
+    - cron: '30 3 * * *'
+  workflow_dispatch:
+jobs:
+  scan_jvm:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # This is an array of supported tags. Make sure this array only contains the supported tags
+        supported_image_tag: ['latest', '3.7.0']
+    steps:
+      - name: Run CVE scan
+        uses: aquasecurity/trivy-action@master
+        if: always()
+        with:
+          image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+          exit-code: '1'
+      - name: Upload CVE scan report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+          path: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
diff --git a/docker/README.md b/docker/README.md
index 0232604e61325..54d15c04feb17 100644
--- a/docker/README.md
+++ b/docker/README.md
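Review bot: `uses: aquasecurity/trivy-action@master` resolves a mutable branch of a third-party action on every nightly run, so whatever is pushed to that branch executes inside this workflow with whatever default token permissions the repository grants (no `permissions:` block is declared); pin it to a full commit SHA with the release in a trailing comment, as `actions/upload-artifact@v3` is at least tag-pinned, and add a top-level `permissions: contents: read` so the job token is read-only. Separately, `exit-code: '1'` together with the default `fail-fast: true` means a finding in one `supported_image_tag` cancels the other matrix job while it is still running, so the second report may never be produced; `fail-fast: false` under `strategy` lets both scans finish and upload. The `if: always()` on the first step has no effect there (nothing precedes it) and can be dropped; the one on the upload step is the one that matters.
```yaml
permissions:
  contents: read
jobs:
  scan_jvm:
    # … unchanged: runs-on …
    strategy:
      fail-fast: false
      # … unchanged: matrix / supported_image_tag …
    steps:
      - name: Run CVE scan
        uses: aquasecurity/trivy-action@<FULL_COMMIT_SHA>  # placeholder: pin to a reviewed release commit, note the version here
        # … unchanged: with: block …
      # … unchanged: Upload CVE scan report step …
```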
@@ -63,6 +63,26 @@
 rc_docker_image: apache/kafka:3.6.0-rc0
 promoted_docker_image: apache/kafka:3.6.0
 ```
+Cron job for checking CVEs in supported docker images
+-----------------------------------------------------
+
+- `Docker Image CVE Scanner` Github Action Workflow (present in `.github/workflows/docker_scan.yml`) will run nightly CVE scans and generate reports for docker image tags mentioned in the `supported_image_tag` array.
+- This workflow is branch independent. Only the workflow in trunk, i.e. the default branch will be considered.
+- In case a Critical or High CVE is detected, the workflow will fail.
+- It will generate the scan reports that can be checked by the community.
+- For every new release, this should be updated with the latest supported docker images.
+- For example:-
+```
+For supporting apache/kafka:3.6.0, apache/kafka:latest and apache/kafka:3.7.0-rc0, supported_image_tag array should be
+supported_image_tag: ['3.6.0', 'latest', '3.7.0-rc0']
+```
+- When RC for a version gets changed or when a bug fix release happens, this should be updated as well.
+- For example:-
+```
+For supporting apache/kafka:3.6.1, apache/kafka:latest and apache/kafka:3.7.0-rc1, tag array should be
+supported_image_tag: ['3.6.1', 'latest', '3.7.0-rc1']
+```
+
 
 Local Setup
 -----------