From 41cadd7c19e4069103d588e067805de3a0d03a1b Mon Sep 17 00:00:00 2001
From: Viacheslav Sarzhan
Date: Mon, 21 Jul 2025 17:11:53 +0300
Subject: [PATCH 1/2] K8SPG-837 switch base image to RHEL 10 for PG K8s Operator

---
 build/postgres-operator/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/postgres-operator/Dockerfile b/build/postgres-operator/Dockerfile
index f39296f8a1..4ab66f3728 100644
--- a/build/postgres-operator/Dockerfile
+++ b/build/postgres-operator/Dockerfile
@@ -45,7 +45,7 @@ RUN mkdir -p build/_output/bin \
 RUN ./bin/license_aggregator.sh ./cmd/...; \
 cp -r ./licenses /licenses

-FROM registry.access.redhat.com/ubi9/ubi-minimal AS ubi9
+FROM registry.access.redhat.com/ubi10/ubi-minimal AS ubi10
 RUN microdnf update -y && microdnf clean all -y

 LABEL name="Percona Postgres Operator" \

From c2be11912b632ea6556aa6a48e00828b33894e71 Mon Sep 17 00:00:00 2001
From: Viacheslav Sarzhan
Date: Fri, 25 Jul 2025 12:38:36 +0300
Subject: [PATCH 2/2] use Snyk for CVE checks

---
 .github/workflows/scan.yml | 31 +++++++++++++------------------
 1 file changed, 13 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index da69cf2c11..9b550cb057 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
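Review bot: The stage alias on the `FROM` line changes from `ubi9` to `ubi10`, but the diffstat records no other Dockerfile change, so any later `COPY --from=ubi9` or `FROM ubi9` reference in the file would now fail to resolve; worth confirming none exists below the hunk. Since the line is being touched anyway, pinning the base by digest, `FROM registry.access.redhat.com/ubi10/ubi-minimal@sha256:<digest> AS ubi10`, would make the build reproducible and tie scanner findings to a known image rather than whatever the tag resolves to at build time. The unchanged `RUN microdnf update -y` on the next line still pulls whatever packages are current at build time, so image contents will continue to drift between builds even with a pinned base, which is fine as long as that is the intent.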
@@ -30,16 +30,13 @@ jobs:
 export DOCKER_DEFAULT_PLATFORM='linux/arm64'
 make build-docker-image

- - name: Run Trivy vulnerability scanner image (linux/arm64)
- uses: aquasecurity/trivy-action@0.31.0
+ - name: Run Snyk vulnerability scanner image (linux/arm64)
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
- image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
- version: 'v0.57.1'
+ image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64'
+ args: --platform=linux/arm64 --severity-threshold=high --exclude-base-image-vulns --file=./build/postgres-operator/Dockerfile -fail-on=upgradable

 - name: Build an image from Dockerfile (linux/amd64)
 run: |
@@ -49,13 +46,11 @@ jobs:
 export DOCKER_DEFAULT_PLATFORM='linux/amd64'
 make build-docker-image

- - name: Run Trivy vulnerability scanner image (linux/amd64)
- uses: aquasecurity/trivy-action@0.31.0
+ - name: Run Snyk vulnerability scanner image (linux/amd64)
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
- image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
- version: 'v0.57.1'
+ image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64'
+ args: --platform=linux/amd64 --severity-threshold=high --exclude-base-image-vulns --file=./build/postgres-operator/Dockerfile -fail-on=upgradable
+
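Review bot: Both Snyk steps, in this hunk and in the matching linux/amd64 hunk below, pin the action to a mutable branch, `uses: snyk/actions/docker@master`, whereas the Trivy step they replace was pinned to a release; since the step receives `SNYK_TOKEN` and runs against the freshly built image, a moving ref means any push to that branch changes what executes here with the secret. Pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: snyk/actions/docker@<commit-sha>  # <release tag>`. The last `args` flag is written with a single dash, `-fail-on=upgradable`, unlike the others; Snyk documents this option as `--fail-on`, so as shown it is likely to be ignored or rejected and should read `--fail-on=upgradable`, which a deliberately failing test run would confirm. The gating semantics also change silently — `--exclude-base-image-vulns` drops base-image findings that the Trivy configuration (`ignore-unfixed` on CRITICAL/HIGH) still reported — so a short step-level comment stating that this narrowing is intended would help the next reader. The long `args` value could be broken across lines with a `>-` folded scalar to stay within line length.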