From 22b1a8bc431476fe2bc19d6d0cc9f52d1b95bc56 Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Tue, 7 Apr 2026 17:11:30 +0300
Subject: [PATCH 1/3] [improve][ci] Replace trivy-action with sandboxed-trivy-action
---
 .github/workflows/pulsar-ci.yaml | 38 ++++++++++++++++----------------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/pulsar-ci.yaml b/.github/workflows/pulsar-ci.yaml
index 6b18ba54a8875..d16afeaef94a8 100644
--- a/.github/workflows/pulsar-ci.yaml
+++ b/.github/workflows/pulsar-ci.yaml
@@ -658,25 +658,25 @@ jobs:
           src/check-binary-license.sh ./distribution/server/build/distributions/apache-pulsar-*-bin.tar.gz
           src/check-binary-license.sh ./distribution/shell/build/distributions/apache-pulsar-shell-*-bin.tar.gz
-#      - name: Run Trivy container scan
-#        id: trivy_scan
-#        uses: aquasecurity/trivy-action@v0.35.0
-#        if: ${{ github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }}
-#        continue-on-error: true
-#        with:
-#          image-ref: "apachepulsar/pulsar:latest"
-#          scanners: vuln
-#          severity: CRITICAL,HIGH,MEDIUM,LOW
-#          limit-severities-for-sarif: true
-#          format: 'sarif'
-#          output: 'trivy-results.sarif'
-#
-#      - name: Upload Trivy scan results to GitHub Security tab
-#        uses: github/codeql-action/upload-sarif@v3
-#        if: ${{ steps.trivy_scan.outcome == 'success' && github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }}
-#        continue-on-error: true
-#        with:
-#          sarif_file: 'trivy-results.sarif'
+      - name: Run Trivy container scan
+        id: trivy_scan
+        uses: lhotari/sandboxed-trivy-action@555963036b2012b44c1071508a236e569db28ebb
+        if: ${{ github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }}
+        continue-on-error: true
+        with:
+          image-ref: "apachepulsar/pulsar:latest"
+          scanners: vuln
+          severity: CRITICAL,HIGH,MEDIUM,LOW
+          limit-severities-for-sarif: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: ${{ steps.trivy_scan.outcome == 'success' && github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }}
+        continue-on-error: true
+        with:
+          sarif_file: 'trivy-results.sarif'
 
       - name: Save docker image to file
         run: |
From 5a03b76b0083a77b64403f168b17308e0bd1f968 Mon Sep 17 00:00:00 2001
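Review bot: The new `uses: lhotari/sandboxed-trivy-action@5559630…` line pins a full commit SHA, which is the right choice for a third-party action, but carries no comment naming the release the hash corresponds to, so reviewers cannot check it against a tag and version updaters cannot track it; add one, e.g. `uses: lhotari/sandboxed-trivy-action@555963036b2012b44c1071508a236e569db28ebb # <release tag>`. The action is hosted under a personal account rather than an org the project controls and runs only on non-pull-request events in `apache/pulsar`, where the following upload-sarif step presumably relies on `security-events: write` (the job's `permissions:` block is outside this hunk), so a short comment recording why the sandboxed variant replaced `aquasecurity/trivy-action` and who maintains it would help the next reviewer assess that trust decision. The scan step becomes active with `continue-on-error: true`, meaning a failed or aborted scan is tolerated without failing the build; that matches the previously commented-out intent but deserves a line such as `# best-effort: scan failures must not block the build` so nobody mistakes a green job for a clean scan.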
From: Lari Hotari
Date: Tue, 7 Apr 2026 17:32:18 +0300
Subject: [PATCH 2/3] [improve][ci] Use scan-type/scan-ref inputs for sandboxed-trivy-action
---
 .github/workflows/pulsar-ci.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pulsar-ci.yaml b/.github/workflows/pulsar-ci.yaml
index d16afeaef94a8..bd08c0f90836f 100644
--- a/.github/workflows/pulsar-ci.yaml
+++ b/.github/workflows/pulsar-ci.yaml
@@ -664,7 +664,8 @@ jobs:
         if: ${{ github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }}
         continue-on-error: true
         with:
-          image-ref: "apachepulsar/pulsar:latest"
+          scan-type: 'image'
+          scan-ref: "apachepulsar/pulsar:latest"
           scanners: vuln
           severity: CRITICAL,HIGH,MEDIUM,LOW
           limit-severities-for-sarif: true
From c32da754e8d9c84618b46f5ab568cd2358cc8aaa Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Tue, 7 Apr 2026 17:34:15 +0300
Subject: [PATCH 3/3] [improve][ci] Upgrade codeql-action/upload-sarif from v3 to v4
---
 .github/workflows/pulsar-ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pulsar-ci.yaml b/.github/workflows/pulsar-ci.yaml
index bd08c0f90836f..7a835dc0a5371 100644
--- a/.github/workflows/pulsar-ci.yaml
+++ b/.github/workflows/pulsar-ci.yaml
@@ -673,7 +673,7 @@ jobs:
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: ${{ steps.trivy_scan.outcome == 'success' && github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }}
         continue-on-error: true
         with:
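Review bot: The two added inputs mix quoting styles — `scan-type: 'image'` is single-quoted while `scan-ref: "apachepulsar/pulsar:latest"` is double-quoted — whereas the sibling inputs `format: 'sarif'` and `output: 'trivy-results.sarif'` use single quotes; `scan-ref: 'apachepulsar/pulsar:latest'` keeps the `with:` block consistent. Whether `apachepulsar/pulsar:latest` resolves to the image built earlier in this job or is pulled from the public registry is not visible here; if it is the locally built image, a comment such as `# scans the image built in this job, tagged :latest locally` makes clear that the SARIF result describes this build rather than the already-published image. The enclosing step starts before this hunk.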