apache · rmoff · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 17, 2026
diff --git a/.github/workflows/kafka-connect-ci.yml b/.github/workflows/kafka-connect-ci.yml
@@ -74,6 +74,9 @@ jobs:
 
   kafka-connect-tests:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
     strategy:
       max-parallel: 15
       matrix:
@@ -103,3 +106,60 @@ jobs:
         name: test logs
         path: |
           **/build/testlogs
+    # ------------------------------------------------------------------
+    # Trivy CVE scan
+    #
+    # Scans bundled jars for known vulnerabilities.
+    # Only runs on JVM 21 — dependency CVEs are JVM-independent so
+    # a single scan avoids redundant work.
+    #
+    # Behaviour:
+    #   - If a CVE is found, the step will fail. However, since this job
+    #     is not a required one, it will not block merging.
+    #   - On push to main/release branches: results are uploaded as
+    #     SARIF to the GitHub Security tab for ongoing tracking.
+    #   - On PRs: SARIF upload is skipped because GitHub's Security
+    #     tab only accepts results from default/protected branches.
+    #     CVE findings are visible in the CI log output instead.
+    # ------------------------------------------------------------------
+    - name: Build Kafka Connect distribution for scanning
+      if: matrix.jvm == 21
+      run: |
+        ./gradlew -DsparkVersions= -DflinkVersions= -DkafkaVersions=3 \
+          :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip \
+          -Pquick=true -x test -x javadoc
+    - name: Unpack distribution for scanning
+      if: matrix.jvm == 21
+      run: |
+        mkdir -p /tmp/kafka-connect-scan
+        unzip kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip \
+          -d /tmp/kafka-connect-scan
+    # Scan and output results as SARIF (for upload on push) while also
+    # printing a human-readable summary to the CI log.
+    - name: Run Trivy vulnerability scan
+      if: matrix.jvm == 21
+      uses: lhotari/sandboxed-trivy-action@f01374b6cc3bf7264ab238293e94f6db7ada6dd0 # v1.0.2
+      with:
+        scan-type: 'rootfs'
+        scan-ref: '/tmp/kafka-connect-scan'
+        scanners: 'vuln'
+        ignore-unfixed: true
+        exit-code: '1'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+    # Print human-readable results to the CI log so they're visible
+    # without downloading the SARIF file.
+    - name: Print Trivy scan results
+      if: always() && matrix.jvm == 21
+      run: |
+        if [ -f trivy-results.sarif ]; then
+          echo "## Trivy CVE Scan Results"
+          jq -r '.runs[].results[] | "- \(.ruleId): \(.message.text)"' trivy-results.sarif 2>/dev/null || echo "No findings or unable to parse SARIF."
+        else
+          echo "No SARIF file found — scan may have failed to install."
+        fi
+    - name: Upload Trivy results to GitHub Security tab
+      if: always() && matrix.jvm == 21 && github.event_name == 'push'
+      uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+      with:
+        sarif_file: 'trivy-results.sarif'