load('scripts/vault.star', 'from_secret')
def cronjobs(edition):
    """Build the nightly 'scan-docker-images' Drone pipeline for *edition*.

    Any edition other than 'oss' is mapped to the grafana/grafana-enterprise
    image; 'oss' maps to grafana/grafana. The pipeline fires on the 'nightly'
    cron trigger and chains the two Trivy scan steps with a Slack failure
    notification to 'grafana-backend-ops'.

    Returns a one-element list holding the pipeline definition.
    """
    # Image name, kept separate from the edition argument that selects it.
    image = 'grafana' if edition == 'oss' else 'grafana-enterprise'

    scan_steps = [
        scan_docker_image_unkown_low_medium_vulnerabilities_step(image),
        scan_docker_image_high_critical_vulnerabilities_step(image),
        # Declared with a when.status == 'failure' clause, so it only posts
        # after an earlier step failed.
        slack_job_failed_step('grafana-backend-ops'),
    ]

    pipeline = {
        'kind': 'pipeline',
        'type': 'docker',
        'platform': {'os': 'linux', 'arch': 'amd64'},
        'name': 'scan-docker-images',
        'trigger': {'event': 'cron', 'cron': 'nightly'},
        'services': [],
        'steps': scan_steps,
    }
    return [pipeline]
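def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition, tags=None):
    """Return a Drone step that reports UNKNOWN/LOW/MEDIUM Trivy findings.

    The function and step name keep their existing spelling ("unkown")
    because callers and the pipeline output depend on it.

    Args:
        edition: image name under the grafana/ namespace (e.g. 'grafana' or
            'grafana-enterprise').
        tags: image tags to scan; defaults to the latest/main tags of both
            the default and the ubuntu-based images. An empty list yields a
            step with no commands.

    Returns:
        A step dict with 'name', 'image' and 'commands'. Trivy runs with
        --exit-code 0, so findings at these severities are reported in the
        log but never fail the step or the pipeline. The scanner image is
        pinned by tag (0.18.3), not by digest.
    """
    if tags == None:  # Starlark has no `is`; default built per call, never shared
        tags = ['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
    commands = [
        'trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition, tag)
        for tag in tags
    ]
    return {
        'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
        'image': 'aquasec/trivy:0.18.3',
        'commands': commands,
    }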
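def scan_docker_image_high_critical_vulnerabilities_step(edition, tags=None):
    """Return a Drone step that fails on HIGH/CRITICAL Trivy findings.

    Args:
        edition: image name under the grafana/ namespace (e.g. 'grafana' or
            'grafana-enterprise').
        tags: image tags to scan; defaults to the latest/main tags of both
            the default and the ubuntu-based images. An empty list yields a
            step with no commands.

    Returns:
        A step dict with 'name', 'image' and 'commands'. Trivy runs with
        --exit-code 1, so any HIGH or CRITICAL finding on any tag makes the
        command, and therefore the step, exit non-zero. The scanner image is
        pinned by tag (0.18.3), not by digest.
    """
    if tags == None:  # Starlark has no `is`; default built per call, never shared
        tags = ['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
    commands = [
        'trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition, tag)
        for tag in tags
    ]
    return {
        'name': 'scan-docker-images-high-critical-vulnerabilities',
        'image': 'aquasec/trivy:0.18.3',
        'commands': commands,
    }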
def slack_job_failed_step(channel):
    """Return a Drone step that posts to Slack when the pipeline has failed.

    The webhook URL is read from the 'slack_webhook_backend' secret via
    from_secret rather than embedded in the pipeline; *channel* is the
    destination channel. The 'when' clause restricts the step to builds
    whose status is 'failure'.
    """
    settings = {
        'webhook': from_secret('slack_webhook_backend'),
        'channel': channel,
        'template': 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}',
    }
    failure_only = {'status': 'failure'}

    step = {'name': 'slack-notify-failure', 'image': 'plugins/slack'}
    step['settings'] = settings
    step['when'] = failure_only
    return step