public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Chore: Split nightly docker image scan into separate pipelines (#42097)

Browse Source 
Split the nightly Docker scan job into separate pipelines, one for each 
image, to easier understand which images fails/includes high/critical 
vulnerabilities.
This commit is contained in:
Marcus Efraimsson
2021-11-23 11:43:00 +01:00
committed by GitHub
parent 8b3725b9f2
commit 6b79393ccc
2 changed files with 142 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/drone/pipelines/cron.star
+49 -43
View File
@@ -1,67 +1,73 @@
load('scripts/drone/vault.star', 'from_secret')
aquasec_trivy_image = 'aquasec/trivy:0.21.0'
def cronjobs(edition):
return [
scan_docker_image_pipeline(edition, 'latest'),
scan_docker_image_pipeline(edition, 'main'),
scan_docker_image_pipeline(edition, 'latest-ubuntu'),
scan_docker_image_pipeline(edition, 'main-ubuntu'),
]
def cron_job_pipeline(name, steps):
return {
'kind': 'pipeline',
'type': 'docker',
'platform': {
'os': 'linux',
'arch': 'amd64',
},
'name': name,
'trigger': {
'event': 'cron',
'cron': 'nightly',
},
'steps': steps,
}
def scan_docker_image_pipeline(edition, tag):
if edition != 'oss':
edition='grafana-enterprise'
else:
edition='grafana'
trigger = {
'event': 'cron',
'cron': 'nightly',
}
platform_conf = {
'os': 'linux',
'arch': 'amd64',
}
steps=[
scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
scan_docker_image_high_critical_vulnerabilities_step(edition),
slack_job_failed_step('grafana-backend-ops'),
]
return [
{
'kind': 'pipeline',
'type': 'docker',
'platform': platform_conf,
'name': 'scan-docker-images',
'trigger': trigger,
'services': [],
'steps': steps,
}
]
dockerImage='grafana/{}:{}'.format(edition, tag)
def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
commands=[]
for t in tags:
commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
return cron_job_pipeline(
name='scan-' + dockerImage + '-image',
steps=[
scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage),
scan_docker_image_high_critical_vulnerabilities_step(dockerImage),
slack_job_failed_step('grafana-backend-ops', dockerImage),
])
def scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage):
return {
'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
'image': 'aquasec/trivy:0.18.3',
'commands': commands,
'name': 'scan-unkown-low-medium-vulnerabilities',
'image': aquasec_trivy_image,
'commands': [
'trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM ' + dockerImage,
],
}
def scan_docker_image_high_critical_vulnerabilities_step(edition):
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
commands=[]
for t in tags:
commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
def scan_docker_image_high_critical_vulnerabilities_step(dockerImage):
return {
'name': 'scan-docker-images-high-critical-vulnerabilities',
'image': 'aquasec/trivy:0.18.3',
'commands': commands,
'name': 'scan-high-critical-vulnerabilities',
'image': aquasec_trivy_image,
'commands': [
'trivy --exit-code 1 --severity HIGH,CRITICAL ' + dockerImage,
],
}
def slack_job_failed_step(channel):
def slack_job_failed_step(channel, image):
return {
'name': 'slack-notify-failure',
'image': 'plugins/slack',
'settings': {
'webhook': from_secret('slack_webhook_backend'),
'channel': channel,
'template': 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}',
'template': 'Nightly docker image scan job for ' + image + ' failed: {{build.link}}',
},
'when': {
'status': 'failure'