
[feat][ci] Add Trivy container scan Github workflow

Open onobc opened this issue 1 year ago • 0 comments

This commit introduces a GitHub Actions workflow that runs a Trivy container scan on the following Docker containers:

  • apachepulsar/pulsar:3.2.0
  • apachepulsar/pulsar-all:3.2.0

The workflow runs daily @ 0800 UTC and, if it finds any vulnerabilities of HIGH or CRITICAL severity, it sends an email including the report to the Pulsar DEV mailing list as well as uploads the report to the workflow run in GitHub.

Motivation

Our dependencies are currently scanned via the OWASP dependency checker but we have nothing checking on the vulnerability of our published Docker containers.

Modifications

As described in the summary, this adds a scheduled workflow that uses Trivy to run a scan against our published Docker containers.

Verifying this change

As always, GitHub Actions workflows are a pain to test. I have tested this one in isolation in a prototype repository and it works well. We will not be able to verify it until it gets merged into the mainline branch.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • [ ] Dependencies (add or upgrade a dependency)
  • [ ] The public API
  • [ ] The schema
  • [ ] The default values of configurations
  • [ ] The threading model
  • [ ] The binary protocol
  • [ ] The REST endpoints
  • [ ] The admin CLI options
  • [ ] The metrics
  • [ ] Anything that affects deployment

Documentation

  • [ ] doc
  • [ ] doc-required
  • [x] doc-not-needed
  • [ ] doc-complete

Matching PR in forked repository

PR in forked repository: https://github.com/onobc/pulsar/pull/4

I tested this thoroughly in a personal repo before submitting this PR. Here is what the output looks like:

Github Actions UI

Screenshot 2024-02-16 at 15 46 06

Generated email

Screenshot 2024-02-16 at 15 50 03

Attached email report

[!NOTE] This is the report in table format; we could instead use JSON.

Screenshot 2024-02-16 at 15 50 29

onobc, Feb 16 '24 21:02
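As an added example, not the PR's own workflow file, here is one way a workflow matching the description above could be written: a daily 08:00 UTC schedule, a Trivy scan of each of the two published images gated on HIGH/CRITICAL findings, the report uploaded as a workflow artifact, and an email to the DEV list when the scan fails. The action version tags, the `MAIL_*` secret names, the `dawidd6/action-send-mail` action as the mail sender and `dev@pulsar.apache.org` as the DEV list address are assumptions made for the example.

```yaml
# Added example (not the PR's actual workflow). Assumptions: the version tags
# of the third-party actions, the MAIL_* secret names, action-send-mail as the
# mail step, and dev@pulsar.apache.org as the Pulsar DEV mailing list address.
name: Trivy container scan

on:
  schedule:
    - cron: '0 8 * * *'       # daily at 08:00 UTC
  workflow_dispatch:          # allows a manual run before the first scheduled one

permissions:
  contents: read              # the workflow only needs to read the repository

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false        # scan both images even if the first one has findings
      matrix:
        include:
          - image: apachepulsar/pulsar:3.2.0
            name: pulsar
          - image: apachepulsar/pulsar-all:3.2.0
            name: pulsar-all
    steps:
      - name: Scan ${{ matrix.image }}
        id: scan
        # Pin third-party actions to a full commit SHA in production; a tag is used here for readability.
        uses: aquasecurity/trivy-action@0.19.0
        continue-on-error: true     # keep going so the report is still uploaded and mailed
        with:
          image-ref: ${{ matrix.image }}
          scan-type: image
          vuln-type: os,library
          severity: HIGH,CRITICAL
          format: table             # switch to json if the report is to be machine-parsed
          output: trivy-${{ matrix.name }}.txt
          exit-code: '1'            # non-zero only when a HIGH/CRITICAL finding exists

      - name: Upload report to the workflow run
        uses: actions/upload-artifact@v4
        with:
          name: trivy-report-${{ matrix.name }}
          path: trivy-${{ matrix.name }}.txt
          if-no-files-found: error

      - name: Email the report to the DEV list
        if: steps.scan.outcome == 'failure'
        uses: dawidd6/action-send-mail@v3
        with:
          server_address: ${{ secrets.MAIL_SERVER }}
          server_port: ${{ secrets.MAIL_PORT }}
          username: ${{ secrets.MAIL_USERNAME }}
          password: ${{ secrets.MAIL_PASSWORD }}
          subject: "[Trivy] HIGH/CRITICAL findings in ${{ matrix.image }}"
          to: dev@pulsar.apache.org
          from: Pulsar CI <${{ secrets.MAIL_USERNAME }}>
          body: |
            Trivy found HIGH or CRITICAL vulnerabilities in ${{ matrix.image }}.
            Full report: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          attachments: trivy-${{ matrix.name }}.txt

      - name: Fail the job when the scan reported findings
        if: steps.scan.outcome == 'failure'
        run: exit 1
```

Two design points worth noting. The scan step uses `continue-on-error: true` so that the artifact upload and the mail step always run, and the final step re-raises the failure so the run still shows red in the Actions UI. The `workflow_dispatch` trigger addresses the testing pain mentioned above: the workflow can be run by hand from the Actions tab after merge instead of waiting for the 08:00 UTC schedule.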