From 4210ed0ce987db67be5329b2832f8800db7ba2ce Mon Sep 17 00:00:00 2001
From: rmoff
Date: Tue, 24 Feb 2026 14:07:17 +0000
Subject: [PATCH 1/5] Kafka Connect: Add Trivy CVE scan to CI workflow

Scan the built Kafka Connect distribution zip for known vulnerabilities using Trivy. This runs alongside the existing tests on PRs and pushes to main/version branches, and also on release candidate tags, giving visibility into CVEs before a release vote starts.

- Table output on all runs (visible in CI logs)
- SARIF upload to GitHub Security tab on push events

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/kafka-connect-ci.yml | 53 ++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/.github/workflows/kafka-connect-ci.yml b/.github/workflows/kafka-connect-ci.yml
index 0919dc6c755a..75b4b972a065 100644
--- a/.github/workflows/kafka-connect-ci.yml
+++ b/.github/workflows/kafka-connect-ci.yml
@@ -104,3 +104,56 @@ jobs:
 name: test logs
 path: |
 **/build/testlogs
+
+ vulnerability-scan:
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v6
+ - uses: actions/setup-java@v5
+ with:
+ distribution: zulu
+ java-version: 21
+ - uses: actions/cache@v5
+ with:
+ path: |
+ ~/.gradle/caches
+ ~/.gradle/wrapper
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+ restore-keys: ${{ runner.os }}-gradle-
+ - name: Build Kafka Connect distribution
+ run: |
+ ./gradlew -DsparkVersions= -DflinkVersions= -DkafkaVersions=3 \
+ :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip \
+ -Pquick=true -x test -x javadoc
+ - name: Unpack distribution for scanning
+ run: |
+ mkdir -p /tmp/kafka-connect-scan
+ unzip kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip \
+ -d /tmp/kafka-connect-scan
+ - name: Run Trivy vulnerability scan
+ uses: aquasecurity/trivy-action@0.34.1
+ with:
+ scan-type: 'fs'
+ scan-ref: '/tmp/kafka-connect-scan'
+ scanners: 'vuln'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
+ - name: Run Trivy vulnerability scan (SARIF)
+ uses: aquasecurity/trivy-action@0.34.1
+ if: github.event_name == 'push'
+ with:
+ scan-type: 'fs'
+ scan-ref: '/tmp/kafka-connect-scan'
+ scanners: 'vuln'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
+ - name: Upload Trivy results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: github.event_name == 'push'
+ with:
+ sarif_file: 'trivy-results.sarif'

From 9f77af7cf4a7e86d2f0056c76daff6c113426ab5 Mon Sep 17 00:00:00 2001
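Review bot: `ignore-unfixed: true` on both Trivy steps drops every CVE for which no fixed version exists, so a release-candidate scan stays silent on exactly the findings a release vote most needs to discuss (known issues with no upgrade path, which would need a mitigation note rather than a bump). For the table scan, which is only a log signal, consider omitting `ignore-unfixed`, or at least document the choice next to it: `# ignore-unfixed: CVEs with no fixed upstream version are hidden — review those separately before a release vote`. Separately, the unpack step passes the `iceberg-kafka-connect-runtime-*.zip` glob to `unzip` unquoted; if it ever matches more than one archive, `unzip` treats the second match as a member pattern inside the first rather than a second archive, so an explicit single filename (or a guard that fails when the glob expands to more than one path) would make the step fail loudly instead of scanning a partial tree.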
From: rmoff
Date: Tue, 24 Feb 2026 14:24:52 +0000
Subject: [PATCH 2/5] Pin third-party actions to commit SHAs

Match the convention used in spark-ci.yml for third-party actions.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/kafka-connect-ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/kafka-connect-ci.yml b/.github/workflows/kafka-connect-ci.yml
index 75b4b972a065..6fa4560f4219 100644
--- a/.github/workflows/kafka-connect-ci.yml
+++ b/.github/workflows/kafka-connect-ci.yml
@@ -134,7 +134,7 @@ jobs:
 unzip kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip \
 -d /tmp/kafka-connect-scan
 - name: Run Trivy vulnerability scan
- uses: aquasecurity/trivy-action@0.34.1
+ uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
 with:
 scan-type: 'fs'
 scan-ref: '/tmp/kafka-connect-scan'
@@ -142,7 +142,7 @@ jobs:
 severity: 'CRITICAL,HIGH'
 ignore-unfixed: true
 - name: Run Trivy vulnerability scan (SARIF)
- uses: aquasecurity/trivy-action@0.34.1
+ uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
 if: github.event_name == 'push'
 with:
 scan-type: 'fs'
@@ -153,7 +153,7 @@ jobs:
 severity: 'CRITICAL,HIGH'
 ignore-unfixed: true
 - name: Upload Trivy results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@c4a7bc332abaec03596ff2803dd7f3ca3a238975 # v3
 if: github.event_name == 'push'
 with:
 sarif_file: 'trivy-results.sarif'

From d52b1b997760ee18de4eb1d1308bd752fd22df5f Mon Sep 17 00:00:00 2001
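Review bot: The SHA pin on `upload-sarif` in the last hunk is annotated only with `# v3`, a moving major tag, so a reader cannot tell which release `c4a7bc33…` corresponds to or whether it has fallen behind, and pin-maintenance tools that keep the version comment in sync with the SHA need an exact tag to do so. The trivy-action pins in the first two hunks get this right with `# v0.34.1`; match them by naming the exact release that resolves to that commit, e.g. `uses: github/codeql-action/upload-sarif@c4a7bc332abaec03596ff2803dd7f3ca3a238975 # v3.<minor>.<patch>` with the real numbers filled in. The first-party `actions/checkout@v6`, `setup-java@v5` and `cache@v5` references in this job stay tag-pinned, which is consistent with the stated spark-ci.yml convention for third-party actions only, so I am not asking for a change there.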
From: rmoff
Date: Fri, 27 Feb 2026 13:53:36 +0000
Subject: [PATCH 3/5] Merge Trivy scan into test job to avoid redundant Gradle build

Address review feedback: move the vulnerability scan steps into the existing kafka-connect-tests job (gated on JVM 21) instead of running a separate job that duplicates checkout, setup, and compilation. Also adds inline comments explaining the scan behaviour and explicit exit-code: '0' to ensure the scan is report-only (the default would fail the build on findings).
---
 .github/workflows/kafka-connect-ci.yml | 41 ++++++++++++----------------
 1 file changed, 19 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/kafka-connect-ci.yml b/.github/workflows/kafka-connect-ci.yml
index 6fa4560f4219..00307ee1bfb0 100644
--- a/.github/workflows/kafka-connect-ci.yml
+++ b/.github/workflows/kafka-connect-ci.yml
@@ -71,6 +71,9 @@ jobs:
 kafka-connect-tests:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ security-events: write
 strategy:
 max-parallel: 15
 matrix:
@@ -104,36 +107,28 @@ jobs:
 name: test logs
 path: |
 **/build/testlogs
-
- vulnerability-scan:
- runs-on: ubuntu-24.04
- permissions:
- contents: read
- security-events: write
- steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-java@v5
- with:
- distribution: zulu
- java-version: 21
- - uses: actions/cache@v5
- with:
- path: |
- ~/.gradle/caches
- ~/.gradle/wrapper
- key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
- restore-keys: ${{ runner.os }}-gradle-
- - name: Build Kafka Connect distribution
+ # ------------------------------------------------------------------
+ # Trivy CVE scan (JVM 21 only — dependency CVEs are JVM-independent)
+ #
+ # Scans bundled jars for CRITICAL/HIGH vulnerabilities. This is
+ # report-only and does NOT fail the build (exit-code: '0').
+ # On push: results are uploaded as SARIF to GitHub's Security tab.
+ # On PRs: results are printed to the CI log for visibility.
+ # ------------------------------------------------------------------
+ - name: Build Kafka Connect distribution for scanning
+ if: matrix.jvm == 21
 run: |
 ./gradlew -DsparkVersions= -DflinkVersions= -DkafkaVersions=3 \
 :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip \
 -Pquick=true -x test -x javadoc
 - name: Unpack distribution for scanning
+ if: matrix.jvm == 21
 run: |
 mkdir -p /tmp/kafka-connect-scan
 unzip kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip \
 -d /tmp/kafka-connect-scan
 - name: Run Trivy vulnerability scan
+ if: matrix.jvm == 21
 uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
 with:
 scan-type: 'fs'
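Review bot: Each of the three new `if: matrix.jvm == 21` conditions carries GitHub's implicit `success()`, so once any earlier step in this job fails (a red test run on the JVM 21 leg) the build, unpack and Trivy steps are skipped and no CVE report is produced for that commit — the scan was unconditional when it lived in its own job. That is probably fine for PRs, but it means a release-candidate tag only gets scanned when its test suite is green, which may not be what the release-vote use case wants. If the scan should be independent of test outcome, gate the three steps with `if: ${{ !cancelled() && matrix.jvm == 21 }}` (the leading `!` needs the `${{ }}` form, since a bare `!` starts a YAML tag); the SARIF steps in the following hunks would take the same prefix. The enclosing `kafka-connect-tests` job header, its new `permissions` block and the test steps that precede the scan are outside this hunk.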
@@ -141,9 +136,10 @@ jobs:
 scanners: 'vuln'
 severity: 'CRITICAL,HIGH'
 ignore-unfixed: true
+ exit-code: '0'
 - name: Run Trivy vulnerability scan (SARIF)
+ if: matrix.jvm == 21 && github.event_name == 'push'
 uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
- if: github.event_name == 'push'
 with:
 scan-type: 'fs'
 scan-ref: '/tmp/kafka-connect-scan'
@@ -152,8 +148,9 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
 ignore-unfixed: true
+ exit-code: '0'
 - name: Upload Trivy results to GitHub Security tab
+ if: matrix.jvm == 21 && github.event_name == 'push'
 uses: github/codeql-action/upload-sarif@c4a7bc332abaec03596ff2803dd7f3ca3a238975 # v3
- if: github.event_name == 'push'
 with:
 sarif_file: 'trivy-results.sarif'

From abfb8dcae4e272ab2f70522460c2c71e12781e7f Mon Sep 17 00:00:00 2001
From: rmoff
Date: Fri, 13 Mar 2026 15:27:54 +0000
Subject: [PATCH 4/5] Trivy scan: show red step on CVE findings without blocking CI

Change exit-code from 0 to 1 so the scan step fails visibly when CRITICAL/HIGH CVEs are found, but add continue-on-error: true so the overall job still passes.
---
 .github/workflows/kafka-connect-ci.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/kafka-connect-ci.yml b/.github/workflows/kafka-connect-ci.yml
index 00307ee1bfb0..a8dfcea0a7a9 100644
--- a/.github/workflows/kafka-connect-ci.yml
+++ b/.github/workflows/kafka-connect-ci.yml
@@ -110,8 +110,9 @@ jobs:
 # ------------------------------------------------------------------
 # Trivy CVE scan (JVM 21 only — dependency CVEs are JVM-independent)
 #
- # Scans bundled jars for CRITICAL/HIGH vulnerabilities. This is
- # report-only and does NOT fail the build (exit-code: '0').
+ # Scans bundled jars for CRITICAL/HIGH vulnerabilities.
+ # The scan step shows as red when CVEs are found, but does not block
+ # the overall CI job (continue-on-error: true).
 # On push: results are uploaded as SARIF to GitHub's Security tab.
 # On PRs: results are printed to the CI log for visibility.
 # ------------------------------------------------------------------
@@ -129,6 +130,7 @@ jobs:
 -d /tmp/kafka-connect-scan
 - name: Run Trivy vulnerability scan
 if: matrix.jvm == 21
+ continue-on-error: true
 uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
 with:
 scan-type: 'fs'
@@ -136,7 +138,7 @@ jobs:
 scanners: 'vuln'
 severity: 'CRITICAL,HIGH'
 ignore-unfixed: true
- exit-code: '0'
+ exit-code: '1'
 - name: Run Trivy vulnerability scan (SARIF)
 if: matrix.jvm == 21 && github.event_name == 'push'
 uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1

From 1c4c0f422f1491a709796d8d5c1f3b4ac26f6efd Mon Sep 17 00:00:00 2001
From: rmoff
Date: Fri, 20 Mar 2026 16:42:27 +0000
Subject: [PATCH 5/5] Test: add trivy-test-* branch trigger and improve scan comments

Temporary commit for testing Trivy scan behaviour on fork. Adds trivy-test-* to push branch triggers to test push events. Improves inline comments explaining continue-on-error and exit-code. Removes redundant explicit exit-code: '0' from SARIF scan.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/kafka-connect-ci.yml | 32 +++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/kafka-connect-ci.yml b/.github/workflows/kafka-connect-ci.yml
index a8dfcea0a7a9..62ffe4d7e8a0 100644
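Review bot: With `continue-on-error: true` added in the second hunk, a CRITICAL/HIGH finding is folded into a green job, so on a PR the only trace is an icon in the step list of a passing check — nothing appears on the PR conversation or on the run's summary page, which is easy to miss. A cheap way to keep the non-blocking behaviour and still make findings visible is to give the step an `id` and have a follow-up step append a line to `$GITHUB_STEP_SUMMARY` when `steps.<id>.outcome` is `failure` (`outcome` reports the result before `continue-on-error` is applied, which is what makes this work). The step's `with:` block and the SARIF steps below it are unchanged.
```yaml
      - name: Run Trivy vulnerability scan
        id: trivy-table
        if: matrix.jvm == 21
        continue-on-error: true
        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
        # … unchanged: with: scan-type / scan-ref / scanners / severity / ignore-unfixed / exit-code …
      - name: Surface Trivy findings in the job summary
        if: matrix.jvm == 21 && steps.trivy-table.outcome == 'failure'
        run: |
          {
            echo '### Trivy: CRITICAL/HIGH CVEs found in the Kafka Connect distribution'
            echo 'See the "Run Trivy vulnerability scan" step log for the full table.'
          } >> "$GITHUB_STEP_SUMMARY"
```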
--- a/.github/workflows/kafka-connect-ci.yml
+++ b/.github/workflows/kafka-connect-ci.yml
@@ -25,6 +25,7 @@ on:
 - '0.*'
 - '1.*'
 - '2.*'
+ - 'trivy-test-*' # temporary: testing push-event behaviour on fork
 tags:
 - 'apache-iceberg-**'
 pull_request:
@@ -108,13 +109,25 @@ jobs:
 path: |
 **/build/testlogs
 # ------------------------------------------------------------------
- # Trivy CVE scan (JVM 21 only — dependency CVEs are JVM-independent)
+ # Trivy CVE scan
 #
 # Scans bundled jars for CRITICAL/HIGH vulnerabilities.
- # The scan step shows as red when CVEs are found, but does not block
- # the overall CI job (continue-on-error: true).
- # On push: results are uploaded as SARIF to GitHub's Security tab.
- # On PRs: results are printed to the CI log for visibility.
+ # Only runs on JVM 21 — dependency CVEs are JVM-independent so
+ # a single scan avoids redundant work.
+ #
+ # Behaviour:
+ # - Flag, don't block: the scan step uses exit-code 1 so it
+ # "fails" when CVEs are found, but continue-on-error keeps
+ # the overall job green. GitHub Actions shows the step with
+ # an orange warning icon. This is the only mechanism Actions
+ # provides for "visible but non-blocking" — there is no way
+ # to show a red step while keeping the job green.
+ # - On push to main/release branches: a second scan generates
+ # SARIF output which is uploaded to the GitHub Security tab
+ # for ongoing tracking.
+ # - On PRs: SARIF upload is skipped because GitHub's Security
+ # tab only accepts results from default/protected branches.
+ # CVE findings are visible in the CI log output instead.
 # ------------------------------------------------------------------
 - name: Build Kafka Connect distribution for scanning
 if: matrix.jvm == 21
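Review bot: The `trivy-test-*` push trigger in the first hunk is described as temporary, but the only marker is the inline comment; if this commit is merged as-is, any upstream branch matching that glob would take the push-event path — the SARIF scan and an upload to the repository's Security tab under `security-events: write` — for a branch that is neither main nor a release line. Please drop this line (or squash the commit out) before merge, and keep it in a fork-local commit if it is still needed for testing; a comment such as `# temporary — REMOVE BEFORE MERGE` would at least make it harder to overlook. The rest of the `on:` block is outside this hunk.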
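Review bot: The new comment block's reason for skipping SARIF on PRs — that the Security tab "only accepts results from default/protected branches" — does not match how code scanning works as far as I know: SARIF uploaded on `pull_request` events is accepted and surfaced as PR annotations (that is how CodeQL's PR checks appear); what actually blocks the upload here is that PRs from forks run with a read-only `GITHUB_TOKEN`, so `security-events: write` is not granted. A wrong rationale invites someone to "fix" the gate later, so I'd reword it to something like `# - On PRs: SARIF upload is skipped — PRs from forks run with a read-only GITHUB_TOKEN (no security-events: write), so the upload would fail; findings are visible in the CI log instead.` The "no way to show a red step while keeping the job green" statement does match Actions behaviour and can stay.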
@@ -128,6 +141,9 @@ jobs:
 mkdir -p /tmp/kafka-connect-scan
 unzip kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip \
 -d /tmp/kafka-connect-scan
+ # Scan and print results to CI log. exit-code 1 means the step
+ # fails when CVEs are found; continue-on-error means the job
+ # continues and the step shows as orange (not red) in the UI.
 - name: Run Trivy vulnerability scan
 if: matrix.jvm == 21
 continue-on-error: true
@@ -139,6 +155,11 @@ jobs:
 severity: 'CRITICAL,HIGH'
 ignore-unfixed: true
 exit-code: '1'
+ # Generate SARIF for the GitHub Security tab (push only).
+ # No exit-code set (defaults to 0, always succeeds) because this
+ # step only needs to produce the file — pass/fail signalling is
+ # handled by the scan step above. No continue-on-error needed
+ # either, since this step never fails.
 - name: Run Trivy vulnerability scan (SARIF)
 if: matrix.jvm == 21 && github.event_name == 'push'
 uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
@@ -150,7 +171,6 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
 ignore-unfixed: true
- exit-code: '0'
 - name: Upload Trivy results to GitHub Security tab
 if: matrix.jvm == 21 && github.event_name == 'push'
 uses: github/codeql-action/upload-sarif@c4a7bc332abaec03596ff2803dd7f3ca3a238975 # v3
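Review bot: The comment added in the second hunk says the SARIF step "never fails", but an exit code of 0 only covers the findings path: a Trivy runtime error (vulnerability-DB download failing, the `/tmp/kafka-connect-scan` tree missing) still exits non-zero and, with no `continue-on-error`, turns the push job red. That is arguably the right outcome — a scan that silently produced no SARIF is worse than a red job — but the comment should state it instead of claiming the step cannot fail, e.g. `# No exit-code set, so findings alone exit 0; a Trivy runtime error still fails the step, deliberately, so a missing SARIF upload is noticed.` The SARIF step's `with:` block is split across this hunk and the next one's leading context.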