* Automatically scan the Keycloak Docker image for vulnerabilities
The changes proposed here will run the Trivy scanner twice a day to search
for vulnerabilities in our main images.
Resolves #10764
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
* Update .github/workflows/trivy-analysis.yml
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
The changes proposed here will resolve the issues we have with
pull requests after the merge of #10606. It creates 3 different
workflows to conditionally execute the job based on the changes submitted.
A detailed explanation of the issue can be found in #10717.
Resolves #10717
The issue was originally caused by a high number of flow paths per alert
generated by the LDAP federation module. That was identified by taking the
generated SARIF file and running:
```
jq '.runs[0].results | map({query_id: .rule.id, numPaths: .codeFlows |
length})' java.sarif
```
Together we reduced the number of flow paths, adding optimizations to
skip some paths and avoid false alerts.
Co-authored-by: Bruno Oliveira da Silva <bruno@abstractj.com>
Closes #10203
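The jq one-liner in the commit message above counts the code flows attached to each CodeQL result. The following is an added example, not code from the Keycloak repository or its authors: it does the same count in Python over a constructed SARIF 2.1.0 document, aggregates the flow paths per query id, and flags queries whose total exceeds a threshold, which is the signal that identified the LDAP federation module as the source of the oversized alerts. The rule ids, path counts and the `limit` parameter are assumptions for illustration.

```python
"""Count CodeQL code-flow paths per SARIF result and per query.

Added example; the SARIF below is constructed and is not real Keycloak scan
output.  It mirrors the jq expression
    .runs[0].results | map({query_id: .rule.id, numPaths: .codeFlows | length})
including jq's behaviour that `length` of a missing codeFlows array is 0.
"""
import json
from collections import defaultdict

# Constructed minimal SARIF 2.1.0 document (assumed rule ids and path counts).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "java/ldap-injection",
             "rule": {"id": "java/ldap-injection"},
             "codeFlows": [{"threadFlows": []} for _ in range(5)]},
            {"ruleId": "java/ldap-injection",
             "rule": {"id": "java/ldap-injection"},
             "codeFlows": [{"threadFlows": []} for _ in range(3)]},
            {"ruleId": "java/path-injection",
             "rule": {"id": "java/path-injection"},
             "codeFlows": [{"threadFlows": []}]},
            # A result without any codeFlows at all (e.g. a non-dataflow query).
            {"ruleId": "java/hardcoded-credential",
             "rule": {"id": "java/hardcoded-credential"}},
        ],
    }],
})


def _query_id(result):
    """CodeQL emits `rule.id`; fall back to the mandatory `ruleId` field."""
    rule = result.get("rule") or {}
    return rule.get("id") or result.get("ruleId") or "<unknown>"


def paths_per_result(sarif_text, run_index=0):
    """One record per result: the query id and how many code flows it carries."""
    doc = json.loads(sarif_text)
    results = doc["runs"][run_index].get("results", [])
    return [
        {"query_id": _query_id(r), "numPaths": len(r.get("codeFlows") or [])}
        for r in results
    ]


def paths_per_query(per_result):
    """Sum the code-flow paths of all results that share a query id."""
    totals = defaultdict(int)
    for rec in per_result:
        totals[rec["query_id"]] += rec["numPaths"]
    return dict(totals)


def over_budget(per_query, limit):
    """Queries whose total path count exceeds `limit` (assumed threshold),
    largest first, so the noisiest query is reviewed first."""
    hits = [(q, n) for q, n in per_query.items() if n > limit]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    per_result = paths_per_result(SAMPLE_SARIF)
    per_query = paths_per_query(per_result)
    for query, paths in sorted(per_query.items()):
        print(f"{query:32s} {paths:4d} paths")
    for query, paths in over_budget(per_query, limit=4):
        print(f"over budget: {query} ({paths} paths)")
```

Run it against a real CodeQL SARIF by passing the file contents to `paths_per_result` instead of `SAMPLE_SARIF`; the `limit` value is whatever path count your SARIF upload step tolerates.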
Co-authored-by: Joshua Mulliken <joshua@mulliken.net>
The CodeQL configuration file still has some references to the old
branch `master`, which means that most of the information provided by the
tool must be outdated. Changing it is necessary to perform the correct
analysis of the codebase.
Closes #10103
Currently, the CodeQL scanner has been analyzing the whole
codebase, including folders like testsuite or examples. Those folders
are not relevant from a security standpoint, considering that they do
not expose our users and customers to any risks. They are only relevant
in the context of our pipelines, but never used in production.
Closes #9631
```
$ git diff --name-only HEAD^
fatal: ambiguous argument 'HEAD^': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
```
GHA failure on 'Test Clustering on Wildfly' phase. See e.g. recent:
https://github.com/keycloak/keycloak/pull/7705/checks?check_run_id=2023996258
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
within GitHub actions also for changes upgrading Keycloak to next
Wildfly version
Also, update GIT_DIFF evaluation per Hynek's suggestion. Thanks, Hynek!
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>