From 3064209cd52f80f652a5bf0793442420a7ee2e6a Mon Sep 17 00:00:00 2001
From: idafurjes <36131195+idafurjes@users.noreply.github.com>
Date: Wed, 26 May 2021 14:27:40 +0200
Subject: [PATCH] =?UTF-8?q?33369:=20Add=20pipeline=20step=20with=20trivy?=
 =?UTF-8?q?=20scan=20for=20latest=20on=20grafana/grafan=E2=80=A6=20(#34660?=
 =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* 33369: Add pipeline step with trivy scan for latest on grafana/grafana to drone config
* 33369:Add docker image scan steps to .drone.star file
* 33369: Add low/medium/unknwon scan into one pipeline step
* 33369:Make starlark generate code only for the given edition
* 33369:Adjust naming and add loop into vulnerability step
* Update scripts/job.star

Co-authored-by: Arve Knudsen

Co-authored-by: Arve Knudsen
---
 .drone.star | 3 ++-
 .drone.yml | 32 +++++++++++++++++++++++++++++
 scripts/job.star | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 scripts/job.star

diff --git a/.drone.star b/.drone.star
index bac6e561223..64e35284af1 100644
--- a/.drone.star
+++ b/.drone.star
@@ -2,9 +2,10 @@ load('scripts/pr.star', 'pr_pipelines')
 load('scripts/main.star', 'main_pipelines')
 load('scripts/release.star', 'release_pipelines', 'test_release_pipelines')
 load('scripts/version.star', 'version_branch_pipelines')
+load('scripts/job.star', 'cronjobs')
 load('scripts/vault.star', 'secrets')
 
 def main(ctx):
     edition = 'oss'
     return pr_pipelines(edition=edition) + main_pipelines(edition=edition) + release_pipelines() + \
-        test_release_pipelines() + version_branch_pipelines() + secrets()
+        test_release_pipelines() + version_branch_pipelines() + cronjobs(edition=edition) + secrets()
diff --git a/.drone.yml b/.drone.yml
index 1f874631a89..8da19a6c170 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -3432,6 +3432,38 @@ depends_on:
 - enterprise-build-release-branch
 - enterprise-windows-release-branch
 
+---
+kind: pipeline
+type: docker
+name: scan-docker-images
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: scan-docker-images-unkown-low-medium-vulnerabilities
+  image: aquasec/trivy:0.18.3
+  commands:
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
+
+- name: scan-docker-images-high-critical-vulnerabilities
+  image: aquasec/trivy:0.18.3
+  commands:
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
+
+trigger:
+  cron:
+  - nightly
+  event:
+  - cron
+
 ---
 kind: secret
 name: dockerconfigjson
diff --git a/scripts/job.star b/scripts/job.star
new file mode 100644
index 00000000000..9ea75e3957f
--- /dev/null
+++ b/scripts/job.star
@@ -0,0 +1,52 @@
+def cronjobs(edition):
+    if edition != 'oss':
+        edition='grafana-enterprise'
+    else:
+        edition='grafana'
+
+    trigger = {
+        'event': 'cron',
+        'cron': 'nightly',
+    }
+    platform_conf = {
+        'os': 'linux',
+        'arch': 'amd64',
+    }
+    steps=[
+        scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
+        scan_docker_image_high_critical_vulnerabilities_step(edition),
+    ]
+    return [
+        {
+            'kind': 'pipeline',
+            'type': 'docker',
+            'platform': platform_conf,
+            'name': 'scan-docker-images',
+            'trigger': trigger,
+            'services': [],
+            'steps': steps,
+        }
+    ]
+
+def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
+    tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
+    commands=[]
+    for t in tags:
+        commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
+    return {
+        'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
+        'image': 'aquasec/trivy:0.18.3',
+        'commands': commands,
+    }
+
+def scan_docker_image_high_critical_vulnerabilities_step(edition):
+    tags=['latest','main','latest-ubuntu','main-ubuntu']
+    commands=[]
+    for t in tags:
+        commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
+
+    return {
+        'name': 'scan-docker-images-high-critical-vulnerabilities',
+        'image': 'aquasec/trivy:0.18.3',
+        'commands': commands,
+    }
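Review bot: The scanner image `aquasec/trivy:0.18.3` used by both step builders is pinned by tag only, and a registry tag can be re-pushed; because the scanner's own integrity is what decides whether the nightly gate passes or fails, pin it by digest as well (`'image': 'aquasec/trivy:0.18.3@sha256:<digest-placeholder>'`) and hold that value in one module-level constant rather than two string literals. The two step functions are copies that differ only in the exit code and the severity list, so a single `_scan_step(name, exit_code, severities, image_name)` helper removes the duplication, as sketched below. Rebinding the `edition` parameter in `cronjobs` to hold an image name obscures what the step builders actually receive; `image_name = 'grafana-enterprise' if edition != 'oss' else 'grafana'` states it plainly. The step name `scan-docker-images-unkown-low-medium-vulnerabilities` and the matching function name carry a typo (`unkown`) that also lands in the generated .drone.yml, so it is worth fixing before other pipelines start depending on the name.
```python
# NOTE(review): pin by digest as well as tag; replace <digest-placeholder> with the real value
TRIVY_IMAGE = 'aquasec/trivy:0.18.3@sha256:<digest-placeholder>'
SCANNED_TAGS = ['latest', 'main', 'latest-ubuntu', 'main-ubuntu']

def _scan_step(name, exit_code, severities, image_name):
    # One trivy invocation per published tag; exit_code 1 turns findings into a failed step
    return {
        'name': name,
        'image': TRIVY_IMAGE,
        'commands': [
            'trivy --exit-code {} --severity {} grafana/{}:{}'.format(exit_code, severities, image_name, t)
            for t in SCANNED_TAGS
        ],
    }

def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
    return _scan_step('scan-docker-images-unkown-low-medium-vulnerabilities', 0, 'UNKNOWN,LOW,MEDIUM', edition)

def scan_docker_image_high_critical_vulnerabilities_step(edition):
    return _scan_step('scan-docker-images-high-critical-vulnerabilities', 1, 'HIGH,CRITICAL', edition)
```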