Add vulnerability scan gate to release workflows #1396

Merged
gopalldb merged 1 commit into main from fix/release-scan-gate
Apr 9, 2026

Conversation

@gopalldb (Collaborator) commented Apr 9, 2026

Summary

Add a hard vulnerability scan gate to both release workflows (uber JAR and thin JAR). Currently the OWASP vulnerability scan runs weekly as a separate workflow — the release can proceed even if critical vulnerabilities are found.

Changes

  • release.yml: Split into two jobs: vulnerability-scan (gate) and publish (needs scan to pass)
  • release-thin.yml: Same pattern: vulnerability-scan gate + publish-thin (needs scan)
  • Scan uses -DfailBuildOnCVSS=7 — fails the build on any CVSS >= 7 (high/critical) finding
  • Scan reports uploaded as artifacts for audit trail
  • Both jobs remain disabled (if: false) per publishing freeze — scan gate activates automatically when releases are re-enabled

Security context

This addresses the supply chain security audit finding Q28: "Can artifacts with failed scans be used by consumers?" Previously YES — now NO.

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.

Add a vulnerability-scan job to both release.yml and release-thin.yml
that must pass before the publish job can run. The scan uses OWASP
Dependency Check with -DfailBuildOnCVSS=7, which fails the build if
any dependency has a CVSS score >= 7 (high/critical).

The publish job has `needs: vulnerability-scan`, making the scan a
hard gate — not just a notification. Scan reports are uploaded as
artifacts for audit trail.

Both jobs are currently disabled (if: false) per the publishing freeze.
When releases are re-enabled, the scan gate is automatically active.

Signed-off-by: Gopal Lal <gopal.lal@databricks.com>
Co-authored-by: Isaac
Signed-off-by: Gopal Lal <gopal.lal@databricks.com>
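As an added illustration (not the PR's own workflow file, which is not shown on this page), here is a minimal GitHub Actions workflow in the shape the description and commit message call for: a `vulnerability-scan` job that runs OWASP Dependency-Check with `-DfailBuildOnCVSS=7`, a `publish` job with `needs: vulnerability-scan`, report upload as an artifact, and `if: false` on both jobs for the freeze. Only those names and settings come from the page; the trigger, the Maven plugin invocation, the report path, the action versions and the placeholder publish step are assumptions.

```yaml
# Added example: shape of a gated release workflow. Job names, needs:, if: false
# and -DfailBuildOnCVSS=7 come from the PR; everything else is assumed.
name: release

on:
  push:
    tags: ['v*']          # assumed trigger

jobs:
  vulnerability-scan:
    # Disabled per the publishing freeze (as in the PR); delete this line to re-enable.
    if: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'       # assumed JDK version
      # failBuildOnCVSS=7 makes the plugin fail the build on any finding scored >= 7.
      # Plugin coordinates are the standard dependency-check-maven ones; pin the
      # plugin version in the POM rather than relying on "latest" resolution.
      - name: OWASP Dependency-Check
        run: mvn -B org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7
      # Upload the report even when the scan fails, so a blocked release still
      # leaves an audit trail. Report path is the plugin's default (assumed).
      - name: Upload scan report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: target/dependency-check-report.html

  publish:
    # The hard gate: publish cannot start unless vulnerability-scan succeeded.
    # Do NOT add if: always() or if: '!cancelled()' here; that would reopen the gap.
    needs: vulnerability-scan
    if: false               # disabled per the publishing freeze (as in the PR)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish
        # Placeholder; the real publish command is not on this page.
        run: echo "publish release artifacts here"
```

Two checks worth making when reviewing a change of this shape. First, the gate only holds because `publish` keeps the default `success()` condition: a needed job that fails or is skipped causes the dependent job to be skipped, so any `if: always()` on `publish` would let a release ship past a failed scan. Second, because `if: false` sits on the scan job as well, both lines must be removed together when releases are re-enabled; removing it from `publish` alone leaves `publish` skipped, since its needed job was skipped. The `-DfailBuildOnCVSS=7` threshold is the other setting to keep in view: findings below 7 do not block the release and surface only in the uploaded report.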
@gopalldb gopalldb requested a review from a team as a code owner April 9, 2026 09:38
@gopalldb gopalldb merged commit cbf02a8 into main Apr 9, 2026
16 checks passed
@gopalldb gopalldb deleted the fix/release-scan-gate branch April 9, 2026 09:42