mirror of
https://github.com/grafana/grafana.git
synced 2024-12-24 16:10:22 -06:00
Chore: Split nightly docker image scan into separate pipelines (#42097)
Split the nightly Docker scan job into separate pipelines, one for each image, to easier understand which images fails/includes high/critical vulnerabilities.
This commit is contained in:
parent
8b3725b9f2
commit
6b79393ccc
107
.drone.yml
107
.drone.yml
@ -3467,31 +3467,110 @@ trigger:
|
||||
type: docker
|
||||
---
|
||||
kind: pipeline
|
||||
name: scan-docker-images
|
||||
name: scan-grafana/grafana:latest-image
|
||||
platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
services: []
|
||||
steps:
|
||||
- commands:
|
||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
|
||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
|
||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
|
||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
|
||||
image: aquasec/trivy:0.18.3
|
||||
name: scan-docker-images-unkown-low-medium-vulnerabilities
|
||||
image: aquasec/trivy:0.21.0
|
||||
name: scan-unkown-low-medium-vulnerabilities
|
||||
- commands:
|
||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
|
||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
|
||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
|
||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
|
||||
image: aquasec/trivy:0.18.3
|
||||
name: scan-docker-images-high-critical-vulnerabilities
|
||||
image: aquasec/trivy:0.21.0
|
||||
name: scan-high-critical-vulnerabilities
|
||||
- image: plugins/slack
|
||||
name: slack-notify-failure
|
||||
settings:
|
||||
channel: grafana-backend-ops
|
||||
template: 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}'
|
||||
template: 'Nightly docker image scan job for grafana/grafana:latest failed: {{build.link}}'
|
||||
webhook:
|
||||
from_secret: slack_webhook_backend
|
||||
when:
|
||||
status: failure
|
||||
trigger:
|
||||
cron: nightly
|
||||
event: cron
|
||||
type: docker
|
||||
---
|
||||
kind: pipeline
|
||||
name: scan-grafana/grafana:main-image
|
||||
platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
steps:
|
||||
- commands:
|
||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
|
||||
image: aquasec/trivy:0.21.0
|
||||
name: scan-unkown-low-medium-vulnerabilities
|
||||
- commands:
|
||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
|
||||
image: aquasec/trivy:0.21.0
|
||||
name: scan-high-critical-vulnerabilities
|
||||
- image: plugins/slack
|
||||
name: slack-notify-failure
|
||||
settings:
|
||||
channel: grafana-backend-ops
|
||||
template: 'Nightly docker image scan job for grafana/grafana:main failed: {{build.link}}'
|
||||
webhook:
|
||||
from_secret: slack_webhook_backend
|
||||
when:
|
||||
status: failure
|
||||
trigger:
|
||||
cron: nightly
|
||||
event: cron
|
||||
type: docker
|
||||
---
|
||||
kind: pipeline
|
||||
name: scan-grafana/grafana:latest-ubuntu-image
|
||||
platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
steps:
|
||||
- commands:
|
||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
|
||||
image: aquasec/trivy:0.21.0
|
||||
name: scan-unkown-low-medium-vulnerabilities
|
||||
- commands:
|
||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
|
||||
image: aquasec/trivy:0.21.0
|
||||
name: scan-high-critical-vulnerabilities
|
||||
- image: plugins/slack
|
||||
name: slack-notify-failure
|
||||
settings:
|
||||
channel: grafana-backend-ops
|
||||
template: 'Nightly docker image scan job for grafana/grafana:latest-ubuntu failed:
|
||||
{{build.link}}'
|
||||
webhook:
|
||||
from_secret: slack_webhook_backend
|
||||
when:
|
||||
status: failure
|
||||
trigger:
|
||||
cron: nightly
|
||||
event: cron
|
||||
type: docker
|
||||
---
|
||||
kind: pipeline
|
||||
name: scan-grafana/grafana:main-ubuntu-image
|
||||
platform:
|
||||
arch: amd64
|
||||
os: linux
|
||||
steps:
|
||||
- commands:
|
||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
|
||||
image: aquasec/trivy:0.21.0
|
||||
name: scan-unkown-low-medium-vulnerabilities
|
||||
- commands:
|
||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
|
||||
image: aquasec/trivy:0.21.0
|
||||
name: scan-high-critical-vulnerabilities
|
||||
- image: plugins/slack
|
||||
name: slack-notify-failure
|
||||
settings:
|
||||
channel: grafana-backend-ops
|
||||
template: 'Nightly docker image scan job for grafana/grafana:main-ubuntu failed:
|
||||
{{build.link}}'
|
||||
webhook:
|
||||
from_secret: slack_webhook_backend
|
||||
when:
|
||||
@ -3520,6 +3599,6 @@ kind: secret
|
||||
name: drone_token
|
||||
---
|
||||
kind: signature
|
||||
hmac: 506f659ace94bf2db684864909ea29b8963f3655d4f02b5dbd0d3440271be38f
|
||||
hmac: e88015b452dfab871767948389489cbbf94d34e79054a4c0e251b5d828780269
|
||||
|
||||
...
|
||||
|
@ -1,67 +1,73 @@
|
||||
load('scripts/drone/vault.star', 'from_secret')
|
||||
|
||||
aquasec_trivy_image = 'aquasec/trivy:0.21.0'
|
||||
|
||||
def cronjobs(edition):
|
||||
return [
|
||||
scan_docker_image_pipeline(edition, 'latest'),
|
||||
scan_docker_image_pipeline(edition, 'main'),
|
||||
scan_docker_image_pipeline(edition, 'latest-ubuntu'),
|
||||
scan_docker_image_pipeline(edition, 'main-ubuntu'),
|
||||
]
|
||||
|
||||
def cron_job_pipeline(name, steps):
|
||||
return {
|
||||
'kind': 'pipeline',
|
||||
'type': 'docker',
|
||||
'platform': {
|
||||
'os': 'linux',
|
||||
'arch': 'amd64',
|
||||
},
|
||||
'name': name,
|
||||
'trigger': {
|
||||
'event': 'cron',
|
||||
'cron': 'nightly',
|
||||
},
|
||||
'steps': steps,
|
||||
}
|
||||
|
||||
def scan_docker_image_pipeline(edition, tag):
|
||||
if edition != 'oss':
|
||||
edition='grafana-enterprise'
|
||||
else:
|
||||
edition='grafana'
|
||||
|
||||
trigger = {
|
||||
'event': 'cron',
|
||||
'cron': 'nightly',
|
||||
}
|
||||
platform_conf = {
|
||||
'os': 'linux',
|
||||
'arch': 'amd64',
|
||||
}
|
||||
steps=[
|
||||
scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
|
||||
scan_docker_image_high_critical_vulnerabilities_step(edition),
|
||||
slack_job_failed_step('grafana-backend-ops'),
|
||||
]
|
||||
return [
|
||||
{
|
||||
'kind': 'pipeline',
|
||||
'type': 'docker',
|
||||
'platform': platform_conf,
|
||||
'name': 'scan-docker-images',
|
||||
'trigger': trigger,
|
||||
'services': [],
|
||||
'steps': steps,
|
||||
}
|
||||
]
|
||||
dockerImage='grafana/{}:{}'.format(edition, tag)
|
||||
|
||||
def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
|
||||
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
|
||||
commands=[]
|
||||
for t in tags:
|
||||
commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
|
||||
return cron_job_pipeline(
|
||||
name='scan-' + dockerImage + '-image',
|
||||
steps=[
|
||||
scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage),
|
||||
scan_docker_image_high_critical_vulnerabilities_step(dockerImage),
|
||||
slack_job_failed_step('grafana-backend-ops', dockerImage),
|
||||
])
|
||||
|
||||
def scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage):
|
||||
return {
|
||||
'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
|
||||
'image': 'aquasec/trivy:0.18.3',
|
||||
'commands': commands,
|
||||
'name': 'scan-unkown-low-medium-vulnerabilities',
|
||||
'image': aquasec_trivy_image,
|
||||
'commands': [
|
||||
'trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM ' + dockerImage,
|
||||
],
|
||||
}
|
||||
|
||||
def scan_docker_image_high_critical_vulnerabilities_step(edition):
|
||||
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
|
||||
commands=[]
|
||||
for t in tags:
|
||||
commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
|
||||
|
||||
def scan_docker_image_high_critical_vulnerabilities_step(dockerImage):
|
||||
return {
|
||||
'name': 'scan-docker-images-high-critical-vulnerabilities',
|
||||
'image': 'aquasec/trivy:0.18.3',
|
||||
'commands': commands,
|
||||
'name': 'scan-high-critical-vulnerabilities',
|
||||
'image': aquasec_trivy_image,
|
||||
'commands': [
|
||||
'trivy --exit-code 1 --severity HIGH,CRITICAL ' + dockerImage,
|
||||
],
|
||||
}
|
||||
|
||||
def slack_job_failed_step(channel):
|
||||
def slack_job_failed_step(channel, image):
|
||||
return {
|
||||
'name': 'slack-notify-failure',
|
||||
'image': 'plugins/slack',
|
||||
'settings': {
|
||||
'webhook': from_secret('slack_webhook_backend'),
|
||||
'channel': channel,
|
||||
'template': 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}',
|
||||
'template': 'Nightly docker image scan job for ' + image + ' failed: {{build.link}}',
|
||||
},
|
||||
'when': {
|
||||
'status': 'failure'
|
||||
|
Loading…
Reference in New Issue
Block a user