How to scan the security issues

This section outlines the steps to use tools to scan the Apache Gluten (incubating) source code and make sure there are no vulnerability issues in the code. All projects under the Apache umbrella must adhere to the Apache Release Policy. This guide is designed to help you understand the policy and navigate the process of releasing projects at Apache.

Scan Security Process

Before every Apache Gluten (incubating) release, we need to ensure there are no vulnerability issues in the source code. We use Trivy as the tool to scan for security issues.

  1. Install Trivy by following the installation steps: Trivy Installation

  2. Configure Trivy by following the guide to configure it for your specific operation: Trivy Configuration

  3. Run a Trivy file-system scan against the source code. Below is an example of how we run the Trivy scan against the Apache Gluten (incubating) source code. You can use your own tpl file as the template.

     trivy fs --list-all-pkgs --format template --template "@/PATH/TO/csv.tpl" --output ./trivy-report.csv /PATH/TO/GLUTEN_LOCATION/

  4. Open the report file and check whether any vulnerability issue is highlighted. All vulnerability issues must be resolved before an official release.
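As an added example that is not part of this page or of the Gluten project, the script below wraps the scan command from step 3 and turns the manual check in step 4 into an automated gate: it parses the CSV report and exits non-zero while any finding at or above a chosen severity remains. The column layout of csv.tpl, the sample rows and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Gluten's own script): wrap the page's Trivy scan and gate
# the release on its CSV report. Assumed csv.tpl layout: header row, then
#   Target,Package,VulnerabilityID,Severity,InstalledVersion,FixedVersion
# with no quoted commas; --list-all-pkgs adds rows with an empty VulnerabilityID.
set -eu

# Step 3 from the page: the scan command, parameterised (needs trivy installed).
run_scan() {
  local tpl="$1" src="$2" out="${3:-./trivy-report.csv}"
  trivy fs --list-all-pkgs --format template --template "@${tpl}" \
    --output "$out" "$src"
}

# Step 4: count findings at or above a severity; print the count and return
# non-zero when any remain so a CI job fails before the release proceeds.
check_report() {
  local report="$1" min="${2:-HIGH}"
  awk -F',' -v min="$min" '
    BEGIN { rank["UNKNOWN"]=0; rank["LOW"]=1; rank["MEDIUM"]=2
            rank["HIGH"]=3; rank["CRITICAL"]=4 }
    NR == 1 { next }                               # header row
    $3 == "" { next }                              # package-only row
    rank[toupper($4)] >= rank[toupper(min)] { n++ }
    END { print n + 0; exit (n + 0 > 0) }
  ' "$report"
}

# Constructed sample report for demonstration (not real scan output).
write_sample_report() {
  cat > "$1" <<'EOF'
Target,Package,VulnerabilityID,Severity,InstalledVersion,FixedVersion
pom.xml,org.example:lib-a,CVE-EXAMPLE-0001,CRITICAL,1.0.0,1.0.1
pom.xml,org.example:lib-b,CVE-EXAMPLE-0002,LOW,2.3.0,2.4.0
pom.xml,org.example:lib-c,,,3.1.0,
EOF
}

main() {
  local report; report="$(mktemp)"
  write_sample_report "$report"
  if check_report "$report" HIGH; then
    echo "no HIGH/CRITICAL findings: release check passed"
  else
    echo "unresolved findings: fix before release" >&2
  fi
  rm -f "$report"
}
main
```

For a real run, call run_scan with the tpl path and the Gluten checkout, then check_report on the produced CSV.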


Copyright © 2024 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache Gluten, Gluten, Apache, the Apache feather logo, and the Apache Gluten project logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries.

Apache Gluten is an effort undergoing incubation at The Apache Software Foundation (ASF), sponsored by the Apache Incubator. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF.
