diff --git a/.drone.star b/.drone.star
index bac6e561223..64e35284af1 100644
--- a/.drone.star
+++ b/.drone.star
@@ -2,9 +2,10 @@ load('scripts/pr.star', 'pr_pipelines')
 load('scripts/main.star', 'main_pipelines')
 load('scripts/release.star', 'release_pipelines', 'test_release_pipelines')
 load('scripts/version.star', 'version_branch_pipelines')
+load('scripts/job.star', 'cronjobs')
 load('scripts/vault.star', 'secrets')
 
 def main(ctx):
 edition = 'oss'
 return pr_pipelines(edition=edition) + main_pipelines(edition=edition) + release_pipelines() + \
- test_release_pipelines() + version_branch_pipelines() + secrets()
+ test_release_pipelines() + version_branch_pipelines() + cronjobs(edition=edition) + secrets()
diff --git a/.drone.yml b/.drone.yml
index 1f874631a89..8da19a6c170 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -3432,6 +3432,38 @@ depends_on:
 - enterprise-build-release-branch
 - enterprise-windows-release-branch
 
+---
+kind: pipeline
+type: docker
+name: scan-docker-images
+
+platform:
+ os: linux
+ arch: amd64
+
+steps:
+- name: scan-docker-images-unkown-low-medium-vulnerabilities
+ image: aquasec/trivy:0.18.3
+ commands:
+ - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
+ - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
+ - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
+ - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
+
+- name: scan-docker-images-high-critical-vulnerabilities
+ image: aquasec/trivy:0.18.3
+ commands:
+ - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
+ - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
+ - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
+ - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
+
+trigger:
+ cron:
+ - nightly
+ event:
+ - cron
+
 ---
 kind: secret
 name: dockerconfigjson
diff --git a/scripts/job.star b/scripts/job.star
new file mode 100644
index 00000000000..9ea75e3957f
--- /dev/null
+++ b/scripts/job.star
@@ -0,0 +1,52 @@
+def cronjobs(edition):
+ if edition != 'oss':
+ edition='grafana-enterprise'
+ else:
+ edition='grafana'
+
+ trigger = {
+ 'event': 'cron',
+ 'cron': 'nightly',
+ }
+ platform_conf = {
+ 'os': 'linux',
+ 'arch': 'amd64',
+ }
+ steps=[
+ scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
+ scan_docker_image_high_critical_vulnerabilities_step(edition),
+ ]
+ return [
+ {
+ 'kind': 'pipeline',
+ 'type': 'docker',
+ 'platform': platform_conf,
+ 'name': 'scan-docker-images',
+ 'trigger': trigger,
+ 'services': [],
+ 'steps': steps,
+ }
+ ]
+
+def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
+ tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
+ commands=[]
+ for t in tags:
+ commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
+ return {
+ 'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
+ 'image': 'aquasec/trivy:0.18.3',
+ 'commands': commands,
+ }
+
+def scan_docker_image_high_critical_vulnerabilities_step(edition):
+ tags=['latest','main','latest-ubuntu','main-ubuntu']
+ commands=[]
+ for t in tags:
+ commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
+
+ return {
+ 'name': 'scan-docker-images-high-critical-vulnerabilities',
+ 'image': 'aquasec/trivy:0.18.3',
+ 'commands': commands,
+ }
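Review bot: In scan_docker_image_high_critical_vulnerabilities_step all four `trivy --exit-code 1` scans share one step, so a HIGH/CRITICAL finding in the first image (`latest`) ends the step before `main`, `latest-ubuntu` and `main-ubuntu` are scanned at all, assuming Drone's usual stop-at-first-failing-command behaviour; one step per tag keeps the gating exit code while still producing a report for every image, as sketched below (the `--exit-code 0` step is unaffected, and cronjobs' `steps` list concatenates the returned list). The scanner image `aquasec/trivy:0.18.3` is pinned only by a mutable tag; because this step's verdict is meant to gate the nightly run, pin it by digest as well, `'image': 'aquasec/trivy:0.18.3@sha256:<digest-from-registry>'`, so a retargeted tag cannot silently change what does the scanning. Two smaller points: "unkown" in the function and step names should be "unknown", and cronjobs reassigns its `edition` parameter to hold the image repository name — `image_name = 'grafana' if edition == 'oss' else 'grafana-enterprise'` keeps the two meanings apart.
```starlark
    steps = [scan_docker_image_unkown_low_medium_vulnerabilities_step(edition)] + \
        scan_docker_image_high_critical_vulnerabilities_steps(edition)
    # … unchanged: rest of cronjobs …

def scan_docker_image_high_critical_vulnerabilities_steps(edition):
    tags = ['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
    # One step per image so a gating failure on one tag does not skip the others.
    return [
        {
            'name': 'scan-docker-image-high-critical-vulnerabilities-{}'.format(t),
            'image': 'aquasec/trivy:0.18.3',
            'commands': [
                'trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition, t),
            ],
        }
        for t in tags
    ]
```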