IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Docker: Fix nightly vulnerability scan (#25083)

Browse Source 
* Run each trivy scan as a separate step

* Fail build only on high and critical vulnerability

* Remove temporary job to use nightly schedule only
This commit is contained in:
Marcus Efraimsson 2020-05-25 18:56:35 +02:00 committed by GitHub
parent 7bf5b395b6
commit 374fbdf9b6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
.circleci/config.yml
View File

@ -972,7 +972,13 @@ jobs:
command: "./scripts/ci-job-succeeded.sh" command: "./scripts/ci-job-succeeded.sh"
when: on_success when: on_success
scan-docker-images: scan-docker-image:
description: "Scans a docker image for vulnerabilities using trivy"
parameters:
image:
type: string
tag:
type: string
docker: docker:
- image: circleci/buildpack-deps:stretch - image: circleci/buildpack-deps:stretch
steps: steps:
@ -995,29 +1001,11 @@ jobs:
name: Clear trivy cache name: Clear trivy cache
command: trivy --clear-cache command: trivy --clear-cache
- run: - run:
name: Scan grafana/grafana:master name: Scan Docker image for unkown/low/medium vulnerabilities
command: trivy --exit-code 1 grafana/grafana:master command: trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM << parameters.image >>:<< parameters.tag >>
- run: - run:
name: Scan grafana/grafana:master-ubuntu name: Scan Docker image for high/critical vulnerabilities
command: trivy --exit-code 1 grafana/grafana:master-ubuntu command: trivy --exit-code 1 --severity HIGH,CRITICAL << parameters.image >>:<< parameters.tag >>
- run:
name: Scan grafana/grafana-enterprise:master
command: trivy --exit-code 1 grafana/grafana-enterprise:master
- run:
name: Scan grafana/grafana-enterprise:master-ubuntu
command: trivy --exit-code 1 grafana/grafana-enterprise:master-ubuntu
- run:
name: Scan grafana/grafana:latest
command: trivy --exit-code 1 grafana/grafana:latest
- run:
name: Scan grafana/grafana:latest-ubuntu
command: trivy --exit-code 1 grafana/grafana:latest-ubuntu
- run:
name: Scan grafana/grafana-enterprise:latest
command: trivy --exit-code 1 grafana/grafana-enterprise:latest
- run:
name: Scan grafana/grafana-enterprise:latest-ubuntu
command: trivy --exit-code 1 grafana/grafana-enterprise:latest-ubuntu
- save_cache: - save_cache:
key: vulnerability-db key: vulnerability-db
paths: paths:
@ -1343,4 +1331,8 @@ workflows:
cron: "0 0 * * *" cron: "0 0 * * *"
filters: *filter-only-master filters: *filter-only-master
jobs: jobs:
- scan-docker-images - scan-docker-image:
matrix:
parameters:
image: [grafana/grafana, grafana/grafana-enterprise]
tag: [latest, master, latest-ubuntu, master-ubuntu]