33369: Add pipeline step with trivy scan for latest on grafana/grafan… (#34660)

* 33369: Add pipeline step with trivy scan for latest on grafana/grafana to drone config * 33369:Add docker image scan steps to .drone.star file * 33369: Add low/medium/unknwon scan into one pipeline step * 33369:Make starlark generate code only for the given edition * 33369:Adjust naming and add loop into vulnerability step * Update scripts/job.star Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2025-02-25 18:55:37 -06:00 · 2021-05-26 14:27:40 +02:00
parent 6fb0560a84
commit 3064209cd5
3 changed files with 86 additions and 1 deletions
--- a/scripts/job.star
+++ b/scripts/job.star
@@ -0,0 +1,52 @@
+def cronjobs(edition):
+    if edition != 'oss':
+        edition='grafana-enterprise'
+    else:
+        edition='grafana'
+
+    trigger = {
+        'event': 'cron',
+        'cron': 'nightly',
+    }
+    platform_conf = {
+        'os': 'linux',
+        'arch': 'amd64',
+    }
+    steps=[ 
+        scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
+        scan_docker_image_high_critical_vulnerabilities_step(edition),
+    ]
+    return [
+        {
+            'kind': 'pipeline',
+            'type': 'docker',
+            'platform': platform_conf,
+            'name': 'scan-docker-images',
+            'trigger': trigger,
+            'services': [],
+            'steps': steps,
+        }
+    ]
+
+def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
+    tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
+    commands=[]
+    for t in tags:
+        commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
+    return {
+        'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
+        'image': 'aquasec/trivy:0.18.3',
+        'commands': commands,
+    }
+
+def scan_docker_image_high_critical_vulnerabilities_step(edition):
+    tags=['latest','main','latest-ubuntu','main-ubuntu']
+    commands=[]
+    for t in tags:
+        commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
+
+    return {
+        'name': 'scan-docker-images-high-critical-vulnerabilities',
+        'image': 'aquasec/trivy:0.18.3',
+        'commands': commands,
+    }