diff --git a/.drone.star b/.drone.star
index bac6e561223..64e35284af1 100644
--- a/.drone.star
+++ b/.drone.star
@@ -2,9 +2,10 @@ load('scripts/pr.star', 'pr_pipelines')
 load('scripts/main.star', 'main_pipelines')
 load('scripts/release.star', 'release_pipelines', 'test_release_pipelines')
 load('scripts/version.star', 'version_branch_pipelines')
+load('scripts/job.star', 'cronjobs')
 load('scripts/vault.star', 'secrets')
 
 def main(ctx):
 edition = 'oss'
 return pr_pipelines(edition=edition) + main_pipelines(edition=edition) + release_pipelines() + \
- test_release_pipelines() + version_branch_pipelines() + secrets()
+ test_release_pipelines() + version_branch_pipelines() + cronjobs(edition=edition) + secrets()
diff --git a/.drone.yml b/.drone.yml
index 1f874631a89..9545c869e0d 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -165,7 +165,6 @@ steps:
 - mkdir -p /hugo/content/docs/grafana
 - cp -r docs/sources/* /hugo/content/docs/grafana/latest/
 - cd /hugo && make prod
- failure: ignore
 depends_on:
 - initialize
 - build-frontend-docs
@@ -3432,6 +3431,49 @@ depends_on:
 - enterprise-build-release-branch
 - enterprise-windows-release-branch
 
+---
+kind: pipeline
+type: docker
+name: scan-docker-images
+
+platform:
+ os: linux
+ arch: amd64
+
+steps:
+- name: scan-docker-images-unkown-low-medium-vulnerabilities
+ image: aquasec/trivy:0.18.3
+ commands:
+ - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
+ - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
+ - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
+ - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
+
+- name: scan-docker-images-high-critical-vulnerabilities
+ image: aquasec/trivy:0.18.3
+ commands:
+ - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
+ - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
+ - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
+ - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
+
+- name: slack-notify-failure
+ image: plugins/slack
+ settings:
+ channel: grafana-backend
+ template: "Nightly docker image scan job for {{repo.name}} failed: {{build.link}}"
+ webhook:
+ from_secret: slack_webhook
+ when:
+ status:
+ - failure
+
+trigger:
+ cron:
+ - nightly
+ event:
+ - cron
+
 ---
 kind: secret
 name: dockerconfigjson
diff --git a/scripts/job.star b/scripts/job.star
new file mode 100644
index 00000000000..0d9e721ed9d
--- /dev/null
+++ b/scripts/job.star
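Review bot: The `scan-docker-images-high-critical-vulnerabilities` step runs `trivy --exit-code 1` without `--ignore-unfixed`, so a HIGH/CRITICAL CVE for which the base-image distro has not yet shipped a patched package keeps the nightly job red and posts to `grafana-backend` every night with nothing anyone can act on; `trivy --exit-code 1 --ignore-unfixed --severity HIGH,CRITICAL grafana/grafana:latest` (and the same on the other three tag lines), or a reviewed `.trivyignore`, keeps the failure signal actionable. The step name `scan-docker-images-unkown-low-medium-vulnerabilities` has a typo (`unkown`), which is also in the function and step name in scripts/job.star. Findings currently go only to the step log; adding a run with `--format json --output <PLACEHOLDER_REPORT_PATH>` kept as a build artifact would leave an auditable record of what was found on which tag and when. This file appears to be generated from .drone.star, yet `when.status` is a YAML list here while job.star emits the scalar `'failure'` and a `services: []` key, so confirm the YAML was regenerated from the star source rather than edited by hand.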
@@ -0,0 +1,69 @@
+load('scripts/vault.star', 'from_secret')
+
+def cronjobs(edition):
+ if edition != 'oss':
+ edition='grafana-enterprise'
+ else:
+ edition='grafana'
+
+ trigger = {
+ 'event': 'cron',
+ 'cron': 'nightly',
+ }
+ platform_conf = {
+ 'os': 'linux',
+ 'arch': 'amd64',
+ }
+ steps=[
+ scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
+ scan_docker_image_high_critical_vulnerabilities_step(edition),
+ slack_job_failed_step('grafana-backend'),
+ ]
+ return [
+ {
+ 'kind': 'pipeline',
+ 'type': 'docker',
+ 'platform': platform_conf,
+ 'name': 'scan-docker-images',
+ 'trigger': trigger,
+ 'services': [],
+ 'steps': steps,
+ }
+ ]
+
+def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
+ tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
+ commands=[]
+ for t in tags:
+ commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
+ return {
+ 'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
+ 'image': 'aquasec/trivy:0.18.3',
+ 'commands': commands,
+ }
+
+def scan_docker_image_high_critical_vulnerabilities_step(edition):
+ tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
+ commands=[]
+ for t in tags:
+ commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
+
+ return {
+ 'name': 'scan-docker-images-high-critical-vulnerabilities',
+ 'image': 'aquasec/trivy:0.18.3',
+ 'commands': commands,
+ }
+
+def slack_job_failed_step(channel):
+ return {
+ 'name': 'slack-notify-failure',
+ 'image': 'plugins/slack',
+ 'settings': {
+ 'webhook': from_secret('slack_webhook'),
+ 'channel': channel,
+ 'template': 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}',
+ },
+ 'when': {
+ 'status': 'failure'
+ }
+ }
diff --git a/scripts/lib.star b/scripts/lib.star
index 2ccce14c7c2..f6149042a72 100644
--- a/scripts/lib.star
+++ b/scripts/lib.star
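Review bot: `scan_docker_image_unkown_low_medium_vulnerabilities_step` and `scan_docker_image_high_critical_vulnerabilities_step` are the same function with three constants swapped (severity list, exit code, step name), and each repeats the tag list and the `aquasec/trivy:0.18.3` image, so the next scanner bump or a new published tag has to be edited in several places and the two lists can silently drift apart; one `scan_docker_image_step` parameterized on those values, with the two existing names kept as thin wrappers so the generated YAML is unchanged, removes the duplication (sketch below). `cronjobs` also overwrites its `edition` parameter with the image name, so after the `if` the variable named `edition` holds `'grafana'` or `'grafana-enterprise'`; a separate local, `image = 'grafana' if edition == 'oss' else 'grafana-enterprise'`, keeps the parameter meaning what the caller in .drone.star passes. A docstring on `cronjobs` saying that it returns a single nightly-cron pipeline which scans the four published `grafana/<image>` tags with trivy and notifies the given Slack channel on failure would spare readers of .drone.star a trip into this file.
```python
TRIVY_IMAGE = 'aquasec/trivy:0.18.3'
SCAN_TAGS = ['latest', 'main', 'latest-ubuntu', 'main-ubuntu']

def scan_docker_image_step(image, name, severities, exit_code):
    """One trivy step that scans every published tag of grafana/<image>.

    exit_code is passed to --exit-code, so 1 makes any finding fail the step.
    """
    commands = [
        'trivy --exit-code {} --severity {} grafana/{}:{}'.format(exit_code, severities, image, tag)
        for tag in SCAN_TAGS
    ]
    return {
        'name': name,
        'image': TRIVY_IMAGE,
        'commands': commands,
    }

def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
    return scan_docker_image_step(edition, 'scan-docker-images-unkown-low-medium-vulnerabilities', 'UNKNOWN,LOW,MEDIUM', 0)

def scan_docker_image_high_critical_vulnerabilities_step(edition):
    return scan_docker_image_step(edition, 'scan-docker-images-high-critical-vulnerabilities', 'HIGH,CRITICAL', 1)

# … unchanged: cronjobs(), slack_job_failed_step() …
```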
@@ -665,7 +665,6 @@ def build_docs_website_step():
 'name': 'build-docs-website',
 # Use latest revision here, since we want to catch if it breaks
 'image': 'grafana/docs-base:latest',
- 'failure': 'ignore',
 'depends_on': [
 'initialize',
 'build-frontend-docs',