Drone: Sync with main (#35015)

* Drone: Sync with main Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2025-02-25 18:55:37 -06:00 · 2021-06-01 09:45:39 +02:00 · 2021-06-01 09:45:39 +02:00 · 1c87edb7cf
commit 1c87edb7cf
parent 0727a3a66b
4 changed files with 114 additions and 3 deletions
--- a/.drone.star
+++ b/.drone.star
@ -2,9 +2,10 @@ load('scripts/pr.star', 'pr_pipelines')
 load('scripts/main.star', 'main_pipelines')
 load('scripts/release.star', 'release_pipelines', 'test_release_pipelines')
 load('scripts/version.star', 'version_branch_pipelines')
+load('scripts/job.star', 'cronjobs')
 load('scripts/vault.star', 'secrets')

 def main(ctx):
    edition = 'oss'
    return pr_pipelines(edition=edition) + main_pipelines(edition=edition) + release_pipelines() + \
-        test_release_pipelines() + version_branch_pipelines() + secrets()
+        test_release_pipelines() + version_branch_pipelines() + cronjobs(edition=edition) + secrets()
--- a/.drone.yml
+++ b/.drone.yml
@ -165,7 +165,6 @@ steps:
  - mkdir -p /hugo/content/docs/grafana
  - cp -r docs/sources/* /hugo/content/docs/grafana/latest/
  - cd /hugo && make prod
-  failure: ignore
  depends_on:
  - initialize
  - build-frontend-docs
@ -3432,6 +3431,49 @@ depends_on:
 - enterprise-build-release-branch
 - enterprise-windows-release-branch

+---
+kind: pipeline
+type: docker
+name: scan-docker-images
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: scan-docker-images-unkown-low-medium-vulnerabilities
+  image: aquasec/trivy:0.18.3
+  commands:
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
+
+- name: scan-docker-images-high-critical-vulnerabilities
+  image: aquasec/trivy:0.18.3
+  commands:
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
+
+- name: slack-notify-failure
+  image: plugins/slack
+  settings:
+    channel: grafana-backend
+    template: "Nightly docker image scan job for {{repo.name}} failed: {{build.link}}"
+    webhook:
+      from_secret: slack_webhook
+  when:
+    status:
+    - failure
+
+trigger:
+  cron:
+  - nightly
+  event:
+  - cron
+
 ---
 kind: secret
 name: dockerconfigjson
--- a/scripts/job.star
+++ b/scripts/job.star
@ -0,0 +1,69 @@
+load('scripts/vault.star', 'from_secret')
+
+def cronjobs(edition):
+    if edition != 'oss':
+        edition='grafana-enterprise'
+    else:
+        edition='grafana'
+
+    trigger = {
+        'event': 'cron',
+        'cron': 'nightly',
+    }
+    platform_conf = {
+        'os': 'linux',
+        'arch': 'amd64',
+    }
+    steps=[ 
+        scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
+        scan_docker_image_high_critical_vulnerabilities_step(edition),
+        slack_job_failed_step('grafana-backend'),
+    ]
+    return [
+        {
+            'kind': 'pipeline',
+            'type': 'docker',
+            'platform': platform_conf,
+            'name': 'scan-docker-images',
+            'trigger': trigger,
+            'services': [],
+            'steps': steps,
+        }
+    ]
+
+def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
+    tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
+    commands=[]
+    for t in tags:
+        commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
+    return {
+        'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
+        'image': 'aquasec/trivy:0.18.3',
+        'commands': commands,
+    }
+
+def scan_docker_image_high_critical_vulnerabilities_step(edition):
+    tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
+    commands=[]
+    for t in tags:
+        commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
+
+    return {
+        'name': 'scan-docker-images-high-critical-vulnerabilities',
+        'image': 'aquasec/trivy:0.18.3',
+        'commands': commands,
+    }
+
+def slack_job_failed_step(channel):
+    return {
+        'name': 'slack-notify-failure',
+        'image': 'plugins/slack',
+        'settings': {
+            'webhook': from_secret('slack_webhook'),
+            'channel': channel,
+            'template': 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}',
+        },
+        'when': {
+            'status': 'failure'
+        }
+    }
--- a/scripts/lib.star
+++ b/scripts/lib.star
@ -665,7 +665,6 @@ def build_docs_website_step():
        'name': 'build-docs-website',
        # Use latest revision here, since we want to catch if it breaks
        'image': 'grafana/docs-base:latest',
-        'failure': 'ignore',
        'depends_on': [
            'initialize',
            'build-frontend-docs',