This is an automated email from the ASF dual-hosted git repository.

hainenber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 9968393e4c feat(ci): add container security scan for image built for 
commits merged to mainline (#36604)
9968393e4c is described below

commit 9968393e4c3a269d6a36c4ec1a8704ce184f0851
Author: Đỗ Trọng Hải <[email protected]>
AuthorDate: Wed Jan 7 07:04:46 2026 +0700

    feat(ci): add container security scan for image built for commits merged to 
mainline (#36604)
---
 .github/workflows/docker.yml | 17 +++++++++++++++++
 Dockerfile                   |  2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 34aaeb8137..9257b26fc5 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -101,6 +101,23 @@ jobs:
           docker images $IMAGE_TAG
           docker history $IMAGE_TAG
 
+      # Scan for vulnerabilities in built container image after pushes to 
mainline branch.
+      - name: Run Trivy container image vulnerabity scan
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master' 
&& (steps.check.outputs.python || steps.check.outputs.frontend || 
steps.check.outputs.docker) && matrix.build_preset == 'lean'
+        uses: 
aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        with:
+          image-ref: ${{ env.IMAGE_TAG }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          vuln-type: 'os'
+          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master' 
&& (steps.check.outputs.python || steps.check.outputs.frontend || 
steps.check.outputs.docker) && matrix.build_preset == 'lean'
+        uses: 
github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # 
v4.31.8
+        with:
+          sarif_file: 'trivy-results.sarif'
+
       - name: docker-compose sanity check
         if: (steps.check.outputs.python || steps.check.outputs.frontend || 
steps.check.outputs.docker) && matrix.build_preset == 'dev'
         shell: bash
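Review bot: The scan covers only OS packages because `vuln-type: 'os'` is set, so vulnerabilities in the Python packages installed into the image are never reported; if that narrowing is deliberate, state it in the comment above the step, otherwise widen it to `vuln-type: 'os,library'`. No `exit-code` is given, so the action keeps its default of 0 and findings only surface in the Security tab without ever failing the push — acceptable for a first rollout, but worth recording in that same comment so nobody assumes the step gates the merge. Uploading SARIF needs `security-events: write` on the job, which this hunk does not show; confirm the workflow's `permissions:` block grants it, or the upload step will fail. The step name also carries a typo: `- name: Run Trivy container image vulnerability scan`. Duplicating the long `if:` condition on both steps invites drift when one copy is edited; factoring it into a single job-level expression would keep them aligned, though that is style only.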
diff --git a/Dockerfile b/Dockerfile
index b496164069..e989ecba37 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -160,7 +160,7 @@ ENV SUPERSET_HOME="/app/superset_home" \
 COPY --chmod=755 docker/entrypoints /app/docker/entrypoints
 
 WORKDIR /app
-# Set up necessary directories and user
+# Set up necessary directories
 RUN mkdir -p \
       ${PYTHONPATH} \
       superset/static \
