Introducing v1.0.6 of the Camunda Community Action Maven Release

Hello friends! For those of you using the Community Action Maven Release workflow to automate releases, we’ve introduced optional vulnerability scanning with Trivy in v1.0.6 of the action.

What’s New:

This release introduces optional Trivy Security Scanning, which runs as a Bash script during the release process this action performs. When enabled, Trivy scans container images, file systems, and Git repositories for security vulnerabilities, as well as for configuration issues. To enable the scanner, set the action's vulnerability-scan input to true.

If the scan finds no vulnerabilities, or only vulnerabilities of severity UNKNOWN, LOW, or MEDIUM, the action completes with exit code 0. If it finds any HIGH or CRITICAL vulnerability, the release deployment fails with exit code 1. The scan results are written, using the sarif.tpl template, to a file named trivy-results.sarif.
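As an added example (not the action's own Bash script and not part of the original post), here is a small Bash gate that applies the severity rule above to a Trivy report. It assumes Trivy's --format json output, in which every finding carries a "Severity" key, and that the trivy image subcommand and Trivy's contrib/sarif.tpl template are available where scan_and_gate is run; the sample report it writes, including its CVE ids, is constructed placeholder data so the gate can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example: a release gate mirroring the v1.0.6 rule
# (UNKNOWN/LOW/MEDIUM -> exit 0, any HIGH/CRITICAL -> exit 1).
# Assumption: the report is Trivy JSON ("trivy ... --format json").

# Severities that block the release, per the announcement.
BLOCKING_SEVERITIES='HIGH|CRITICAL'

# Count findings in a Trivy JSON report whose severity is HIGH or CRITICAL.
count_blocking_findings() {
  local report="$1"
  grep -Eo "\"Severity\":[[:space:]]*\"(${BLOCKING_SEVERITIES})\"" "$report" | wc -l | tr -d ' '
}

# Return 0 when the release may proceed, 1 when it must fail.
gate_release() {
  local report="$1"
  local n
  n="$(count_blocking_findings "$report")"
  if [ "$n" -gt 0 ]; then
    echo "Trivy found ${n} HIGH/CRITICAL vulnerabilities in ${report}; failing release" >&2
    return 1
  fi
  echo "No HIGH/CRITICAL vulnerabilities in ${report}; release may proceed"
  return 0
}

# Write a constructed Trivy-style report with one finding per severity given
# (placeholder CVE ids, not real advisories) so the gate can run offline.
write_sample_report() {
  local out="$1"; shift
  local entries="" sev i=0
  for sev in "$@"; do
    i=$((i + 1))
    [ -n "$entries" ] && entries="${entries},"
    entries="${entries}
        {\"VulnerabilityID\": \"CVE-0000-000${i}\", \"PkgName\": \"example-lib\", \"Severity\": \"${sev}\"}"
  done
  cat > "$out" <<EOF
{
  "SchemaVersion": 2,
  "ArtifactName": "example/app:1.0.0",
  "Results": [
    {
      "Target": "example/app:1.0.0 (alpine)",
      "Vulnerabilities": [${entries}
      ]
    }
  ]
}
EOF
}

# The full step as a release job would run it (requires the trivy binary and a
# checkout of Trivy's contrib/sarif.tpl; both paths are assumptions). It writes
# the SARIF file named in the announcement and gates on the JSON report.
scan_and_gate() {
  local target="$1" json="trivy-results.json" sarif="trivy-results.sarif"
  trivy image --format json --output "$json" "$target"
  trivy image --format template --template "@contrib/sarif.tpl" --output "$sarif" "$target"
  gate_release "$json"
}

# Offline demo of the gate: ./gate.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp)"
  write_sample_report "$tmp" LOW MEDIUM
  gate_release "$tmp" && echo "-> exit 0"
  write_sample_report "$tmp" MEDIUM HIGH
  gate_release "$tmp" || echo "-> exit 1"
  rm -f "$tmp"
fi
```

Trivy can enforce the same threshold on its own with --severity HIGH,CRITICAL --exit-code 1, which is the simpler choice inside CI; a separate gate like this one is useful when you also want the complete report, LOW and MEDIUM findings included, kept for review alongside the pass/fail decision.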

If you have any questions or feedback, please let us know! Thank you as always for your amazing contributions to Camunda! We look forward to continuing to improve release automation in the Camunda Community Hub.
