IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Drone: Sync with main (#35015)

Browse Source 
* Drone: Sync with main

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
This commit is contained in:
Arve Knudsen 2021-06-01 09:45:39 +02:00 committed by GitHub
parent 0727a3a66b
commit 1c87edb7cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 114 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.drone.star
View File

@ -2,9 +2,10 @@ load('scripts/pr.star', 'pr_pipelines')
load('scripts/main.star', 'main_pipelines') load('scripts/main.star', 'main_pipelines')
load('scripts/release.star', 'release_pipelines', 'test_release_pipelines') load('scripts/release.star', 'release_pipelines', 'test_release_pipelines')
load('scripts/version.star', 'version_branch_pipelines') load('scripts/version.star', 'version_branch_pipelines')
load('scripts/job.star', 'cronjobs')
load('scripts/vault.star', 'secrets') load('scripts/vault.star', 'secrets')
def main(ctx): def main(ctx):
edition = 'oss' edition = 'oss'
return pr_pipelines(edition=edition) + main_pipelines(edition=edition) + release_pipelines() + \ return pr_pipelines(edition=edition) + main_pipelines(edition=edition) + release_pipelines() + \
test_release_pipelines() + version_branch_pipelines() + secrets() test_release_pipelines() + version_branch_pipelines() + cronjobs(edition=edition) + secrets()

44
.drone.yml
View File

@ -165,7 +165,6 @@ steps:
- mkdir -p /hugo/content/docs/grafana - mkdir -p /hugo/content/docs/grafana
- cp -r docs/sources/* /hugo/content/docs/grafana/latest/ - cp -r docs/sources/* /hugo/content/docs/grafana/latest/
- cd /hugo && make prod - cd /hugo && make prod
failure: ignore
depends_on: depends_on:
- initialize - initialize
- build-frontend-docs - build-frontend-docs
@ -3432,6 +3431,49 @@ depends_on:
- enterprise-build-release-branch - enterprise-build-release-branch
- enterprise-windows-release-branch - enterprise-windows-release-branch
---
kind: pipeline
type: docker
name: scan-docker-images
platform:
os: linux
arch: amd64
steps:
- name: scan-docker-images-unkown-low-medium-vulnerabilities
image: aquasec/trivy:0.18.3
commands:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
- name: scan-docker-images-high-critical-vulnerabilities
image: aquasec/trivy:0.18.3
commands:
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
- name: slack-notify-failure
image: plugins/slack
settings:
channel: grafana-backend
template: "Nightly docker image scan job for {{repo.name}} failed: {{build.link}}"
webhook:
from_secret: slack_webhook
when:
status:
- failure
trigger:
cron:
- nightly
event:
- cron
--- ---
kind: secret kind: secret
name: dockerconfigjson name: dockerconfigjson

69
scripts/job.star Normal file
View File

@ -0,0 +1,69 @@
load('scripts/vault.star', 'from_secret')
def cronjobs(edition):
if edition != 'oss':
edition='grafana-enterprise'
else:
edition='grafana'
trigger = {
'event': 'cron',
'cron': 'nightly',
}
platform_conf = {
'os': 'linux',
'arch': 'amd64',
}
steps=[
scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
scan_docker_image_high_critical_vulnerabilities_step(edition),
slack_job_failed_step('grafana-backend'),
]
return [
{
'kind': 'pipeline',
'type': 'docker',
'platform': platform_conf,
'name': 'scan-docker-images',
'trigger': trigger,
'services': [],
'steps': steps,
}
]
def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
commands=[]
for t in tags:
commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
return {
'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
'image': 'aquasec/trivy:0.18.3',
'commands': commands,
}
def scan_docker_image_high_critical_vulnerabilities_step(edition):
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
commands=[]
for t in tags:
commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
return {
'name': 'scan-docker-images-high-critical-vulnerabilities',
'image': 'aquasec/trivy:0.18.3',
'commands': commands,
}
def slack_job_failed_step(channel):
return {
'name': 'slack-notify-failure',
'image': 'plugins/slack',
'settings': {
'webhook': from_secret('slack_webhook'),
'channel': channel,
'template': 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}',
},
'when': {
'status': 'failure'
}
}

1
scripts/lib.star
View File

@ -665,7 +665,6 @@ def build_docs_website_step():
'name': 'build-docs-website', 'name': 'build-docs-website',
# Use latest revision here, since we want to catch if it breaks # Use latest revision here, since we want to catch if it breaks
'image': 'grafana/docs-base:latest', 'image': 'grafana/docs-base:latest',
'failure': 'ignore',
'depends_on': [ 'depends_on': [
'initialize', 'initialize',
'build-frontend-docs', 'build-frontend-docs',