KAFKA-15882: Add nightly docker image scan job (#15013)

Reviewers: Mickael Maison <mickael.maison@gmail.com>

.github/workflows/docker_scan.yml

@@ -0,0 +1,44 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Image CVE Scanner
+on:
+  schedule:
+    # This job will run at 3:30 UTC daily
+    - cron: '30 3 * * *'
+  workflow_dispatch:
+jobs:
+  scan_jvm:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # This is an array of supported tags. Make sure this array only contains the supported tags
+        supported_image_tag: ['latest', '3.7.0']
+    steps:
+      - name: Run CVE scan
+        uses: aquasecurity/trivy-action@master
+        if: always()
+        with:
+          image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+          exit-code: '1'
+      - name: Upload CVE scan report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+          path: scan_report_jvm_${{ matrix.supported_image_tag }}.txt

docker/README.md

@@ -63,6 +63,26 @@ rc_docker_image: apache/kafka:3.6.0-rc0
 promoted_docker_image: apache/kafka:3.6.0
 ```
 
+Cron job for checking CVEs in supported docker images
+-----------------------------------------------------
+
+- `Docker Image CVE Scanner` Github Action Workflow (present in `.github/workflows/docker_scan.yml`) will run nightly CVE scans and generate reports for docker image tags mentioned in the `supported_image_tag` array.
+- This workflow is branch independent. Only the workflow in trunk, i.e. the default branch will be considered.
+- In case a Critical or High CVE is detected, the workflow will fail.
+- It will generate the scan reports that can be checked by the community.
+- For every new release, this should be updated with the latest supported docker images.
+- For example:-
+```
+For supporting apache/kafka:3.6.0, apache/kafka:latest and apache/kafka:3.7.0-rc0, supported_image_tag array should be
+supported_image_tag: ['3.6.0', 'latest', '3.7.0-rc0']
+```
+- When RC for a version gets changed or when a bug fix release happens, this should be updated as well.
+- For example:-
+```
+For supporting apache/kafka:3.6.1, apache/kafka:latest and apache/kafka:3.7.0-rc1, tag array should be
+supported_image_tag: ['3.6.1', 'latest', '3.7.0-rc1']
+```
+
 Local Setup
 -----------