kafka

1
# Licensed to the Apache Software Foundation (ASF) under one or more
2
# contributor license agreements.  See the NOTICE file distributed with
3
# this work for additional information regarding copyright ownership.
4
# The ASF licenses this file to You under the Apache License, Version 2.0
5
# (the "License"); you may not use this file except in compliance with
6
# the License.  You may obtain a copy of the License at
7
#
8
#    http://www.apache.org/licenses/LICENSE-2.0
9
#
10
# Unless required by applicable law or agreed to in writing, software
11
# distributed under the License is distributed on an "AS IS" BASIS,
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
# See the License for the specific language governing permissions and
14
# limitations under the License.
15

16
name: Docker Image CVE Scanner
17
on:
18
  schedule:
19
    # This job will run at 3:30 UTC daily
20
    - cron: '30 3 * * *'
21
  workflow_dispatch:
22
jobs:
23
  scan_jvm:
24
    if: github.repository == 'apache/kafka'
25
    runs-on: ubuntu-latest
26
    strategy:
27
      matrix:
28
        # This is an array of supported tags. Make sure this array only contains the supported tags
29
        supported_image_tag: ['latest', '3.7.1']
30
    steps:
31
      - name: Run CVE scan
32
        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
33
        if: always()
34
        with:
35
          image-ref: apache/kafka:${{ matrix.supported_image_tag }}
36
          format: 'table'
37
          severity: 'CRITICAL,HIGH'
38
          output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
39
          exit-code: '1'
40
      - name: Upload CVE scan report
41
        if: always()
42
        uses: actions/upload-artifact@v4
43
        with:
44
          name: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
45
          path: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
46