From 2b96386109766c9e82743e0e838dc69baf51e0ad Mon Sep 17 00:00:00 2001
From: PoAn Yang
Date: Wed, 19 Nov 2025 23:38:51 +0800
Subject: [PATCH] KAFKA-19881: change CVE scanner workflow to run on active branches

Signed-off-by: PoAn Yang
---
 .github/workflows/docker_scan.yml | 50 +++++++++++++++++++++++++------
 docker/README.md | 16 ++++------
 2 files changed, 46 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/docker_scan.yml b/.github/workflows/docker_scan.yml
index 30f9b814b51f3..1d1cac9042f93 100644
--- a/.github/workflows/docker_scan.yml
+++ b/.github/workflows/docker_scan.yml
@@ -15,9 +15,12 @@
 
 name: Docker Image CVE Scanner
 on:
-  schedule:
-    # This job will run at 3:30 UTC daily
-    - cron: '30 3 * * *'
+  pull_request:
+    branches:
+      - trunk
+  # schedule:
+#   # This job will run at 3:30 UTC daily
+#   - cron: '30 3 * * *'
   workflow_dispatch:
 jobs:
   scan_jvm:
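Review bot: The `schedule` trigger is commented out and replaced by `pull_request` on trunk, so the nightly scan this workflow exists for no longer runs automatically, while the README hunk in this same commit still describes it as running "nightly CVE scans". Combined with the `exit-code: '1'` and `severity: 'CRITICAL,HIGH'` settings in the next hunk, a new finding in the base image can fail every PR to trunk even though the PR did not introduce it. If the `pull_request` trigger is only there to exercise the change before merge, restore the three removed `schedule:` lines and drop the commented copy, whose `#   #` lines at column 0 also sit at a different indentation than `  # schedule:`; if per-PR scanning is really intended, update the README wording instead. `workflow_dispatch:` is kept, so the cron is the only automatic trigger that was lost.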
@@ -25,21 +28,50 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        # This is an array of supported tags. Make sure this array only contains the supported tags
-        supported_image_tag: ['latest', '3.9.1', '4.0.1', '4.1.1']
+        # This is an array of supported branches. Make sure this array only contains the supported branches
+        supported_image_branches: ['trunk'] # 4.1, 4.0, 3.9
     steps:
+      - uses: actions/checkout@v5
+        name: Set up Python 3.10
+        with:
+          ref: ${{ matrix.supported_image_branches }}
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.10"
+      - name: Setup Gradle
+        uses: ./.github/actions/setup-gradle
+        with:
+          java-version: 25
+          gradle-cache-read-only: true
+          gradle-cache-write-only: false
+      - name: Compile and validate
+        run: |
+          ./gradlew --build-cache --info $SCAN_ARG check releaseTarGz -x test
+      - name: Setup Docker Compose
+        run: |
+          sudo curl -L "https://github.com/docker/compose/releases/download/v2.30.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+          sudo mv /usr/local/bin/docker-compose /usr/bin/docker-compose
+          sudo chmod +x /usr/bin/docker-compose
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r docker/requirements.txt
+      - name: Build image and run tests
+        working-directory: ./docker
+        run: |
+          python docker_build_test.py kafka/test -tag=test -type=jvm --kafka-archive=../core/build/distributions/kafka_2.13-$(./gradlew properties | grep version: | awk '{print $NF}' | head -n 1)-SNAPSHOT.tgz
       - name: Run CVE scan
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
         if: always()
         with:
-          image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+          image-ref: kafka/test:test
           format: 'table'
           severity: 'CRITICAL,HIGH'
-          output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+          output: scan_report_jvm_${{ matrix.supported_image_branches }}.txt
           exit-code: '1'
       - name: Upload CVE scan report
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
-          path: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+          name: scan_report_jvm_${{ matrix.supported_image_branches }}.txt
+          path: scan_report_jvm_${{ matrix.supported_image_branches }}.txt
diff --git a/docker/README.md b/docker/README.md
index c4b9d49d0eaf1..245176ffe2844 100644
--- a/docker/README.md
+++ b/docker/README.md
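Review bot: The Setup Docker Compose step fetches a binary with `curl -L` and installs it as root without verifying it, so a substituted download would run with elevated privileges on the runner; check it against the checksum published with that release before the `mv`, e.g. `echo "<EXPECTED_SHA256>  /usr/local/bin/docker-compose" | sha256sum -c -` (recent ubuntu-latest images also ship the `docker compose` plugin, which may make the step unnecessary if docker_build_test.py can use it). The checkout step is labelled `name: Set up Python 3.10`, which belongs to the setup-python step after it, and `$SCAN_ARG` in Compile and validate is not set anywhere in the hunk, so it expands to nothing unless an `env:` outside the hunk defines it. The archive path in Build image and run tests runs `./gradlew` from `working-directory: ./docker`, where the wrapper does not appear to live, and appends `-SNAPSHOT` to a version that `gradlew properties` likely already reports with that suffix; capturing it once in the Compile step with `echo "KAFKA_VERSION=$(./gradlew properties -q | awk '/^version:/ {print $2}')" >> "$GITHUB_ENV"` and using `../core/build/distributions/kafka_2.13-${KAFKA_VERSION}.tgz` avoids both. The matrix comment `# 4.1, 4.0, 3.9` names branches the array does not contain, so either add them or drop the comment so the array stays the single source of truth as its own comment asks. With the image now built in the same job, `if: always()` on Run CVE scan lets Trivy run against a `kafka/test:test` image that does not exist when the build step failed, which reports the build error as a scan failure.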
@@ -85,24 +85,18 @@ rc_docker_image: apache/kafka-native:3.8.0-rc0
 promoted_docker_image: apache/kafka-native:3.8.0
 ```
 
-Cron job for checking CVEs in supported docker images
+Cron job for checking CVEs in supported branches
 -----------------------------------------------------
-- `Docker Image CVE Scanner` Github Action Workflow (present in `.github/workflows/docker_scan.yml`) will run nightly CVE scans and generate reports for docker image tags mentioned in the `supported_image_tag` array.
+- `Docker Image CVE Scanner` Github Action Workflow (present in `.github/workflows/docker_scan.yml`) will run nightly CVE scans and generate reports for supported versions mentioned in the `supported_image_branches` array.
 - This workflow is branch independent. Only the workflow in trunk, i.e. the default branch will be considered.
 - In case a Critical or High CVE is detected, the workflow will fail.
 - It will generate the scan reports that can be checked by the community.
-- For every new release, this should be updated with the latest supported docker images.
+- For every new release, this should be updated with the latest supported branches.
 - For example:-
 ```
-For supporting apache/kafka:3.6.0, apache/kafka:latest and apache/kafka:3.7.0-rc0, supported_image_tag array should be
-supported_image_tag: ['3.6.0', 'latest', '3.7.0-rc0']
-```
-- When RC for a version gets changed or when a bug fix release happens, this should be updated as well.
-- For example:-
-```
-For supporting apache/kafka:3.6.1, apache/kafka:latest and apache/kafka:3.7.0-rc1, tag array should be
-supported_image_tag: ['3.6.1', 'latest', '3.7.0-rc1']
+For supporting branches trunk, 4.1, and 4.0, supported_image_branches array should be
+supported_image_branches: ['trunk', '4.1', '4.0']
 ```
 
 Local Setup