Chore: Split nightly docker image scan into separate pipelines (#42097)

Split the nightly Docker scan job into separate pipelines, one for each
image, to make it easier to understand which images fail or include
high/critical vulnerabilities.
This commit is contained in:
Marcus Efraimsson 2021-11-23 11:43:00 +01:00 committed by GitHub
parent 8b3725b9f2
commit 6b79393ccc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 142 additions and 57 deletions


@ -3467,31 +3467,110 @@ trigger:
type: docker
---
kind: pipeline
name: scan-docker-images
name: scan-grafana/grafana:latest-image
platform:
arch: amd64
os: linux
services: []
steps:
- commands:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
image: aquasec/trivy:0.18.3
name: scan-docker-images-unkown-low-medium-vulnerabilities
image: aquasec/trivy:0.21.0
name: scan-unkown-low-medium-vulnerabilities
- commands:
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
image: aquasec/trivy:0.18.3
name: scan-docker-images-high-critical-vulnerabilities
image: aquasec/trivy:0.21.0
name: scan-high-critical-vulnerabilities
- image: plugins/slack
name: slack-notify-failure
settings:
channel: grafana-backend-ops
template: 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}'
template: 'Nightly docker image scan job for grafana/grafana:latest failed: {{build.link}}'
webhook:
from_secret: slack_webhook_backend
when:
status: failure
trigger:
cron: nightly
event: cron
type: docker
---
kind: pipeline
name: scan-grafana/grafana:main-image
platform:
arch: amd64
os: linux
steps:
- commands:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
image: aquasec/trivy:0.21.0
name: scan-unkown-low-medium-vulnerabilities
- commands:
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
image: aquasec/trivy:0.21.0
name: scan-high-critical-vulnerabilities
- image: plugins/slack
name: slack-notify-failure
settings:
channel: grafana-backend-ops
template: 'Nightly docker image scan job for grafana/grafana:main failed: {{build.link}}'
webhook:
from_secret: slack_webhook_backend
when:
status: failure
trigger:
cron: nightly
event: cron
type: docker
---
kind: pipeline
name: scan-grafana/grafana:latest-ubuntu-image
platform:
arch: amd64
os: linux
steps:
- commands:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
image: aquasec/trivy:0.21.0
name: scan-unkown-low-medium-vulnerabilities
- commands:
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
image: aquasec/trivy:0.21.0
name: scan-high-critical-vulnerabilities
- image: plugins/slack
name: slack-notify-failure
settings:
channel: grafana-backend-ops
template: 'Nightly docker image scan job for grafana/grafana:latest-ubuntu failed:
{{build.link}}'
webhook:
from_secret: slack_webhook_backend
when:
status: failure
trigger:
cron: nightly
event: cron
type: docker
---
kind: pipeline
name: scan-grafana/grafana:main-ubuntu-image
platform:
arch: amd64
os: linux
steps:
- commands:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
image: aquasec/trivy:0.21.0
name: scan-unkown-low-medium-vulnerabilities
- commands:
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
image: aquasec/trivy:0.21.0
name: scan-high-critical-vulnerabilities
- image: plugins/slack
name: slack-notify-failure
settings:
channel: grafana-backend-ops
template: 'Nightly docker image scan job for grafana/grafana:main-ubuntu failed:
{{build.link}}'
webhook:
from_secret: slack_webhook_backend
when:
@ -3520,6 +3599,6 @@ kind: secret
name: drone_token
---
kind: signature
hmac: 506f659ace94bf2db684864909ea29b8963f3655d4f02b5dbd0d3440271be38f
hmac: e88015b452dfab871767948389489cbbf94d34e79054a4c0e251b5d828780269
...
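Review bot: The step names in all four new pipelines keep the typo `scan-unkown-low-medium-vulnerabilities` that the old single job also had, so the split is a missed chance to correct it; since this file appears to be generated from the starlark changed in the same commit, the rename belongs in `scan_docker_image_unkown_low_medium_vulnerabilities_step` and the `'name'` it returns, with this file regenerated afterwards. On the same steps, the scanner runs from the mutable tag `aquasec/trivy:0.21.0`, so the gate that fails the build on HIGH/CRITICAL findings depends on whatever the registry serves under that tag on a given night; pinning it by digest, `image: aquasec/trivy:0.21.0@sha256:<DIGEST-PLACEHOLDER>`, would make the nightly result reproducible. Because the Slack step triggers on `status: failure` for the whole pipeline, a failed vulnerability-database download or image pull would most likely produce the same "scan job ... failed" message as a genuine finding, which is worth a comment above the slack step (`# fires on any step failure, including trivy DB/network errors — check the build log`) so the channel does not read every notification as a vulnerability.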


@ -1,67 +1,73 @@
load('scripts/drone/vault.star', 'from_secret')
aquasec_trivy_image = 'aquasec/trivy:0.21.0'
def cronjobs(edition):
return [
scan_docker_image_pipeline(edition, 'latest'),
scan_docker_image_pipeline(edition, 'main'),
scan_docker_image_pipeline(edition, 'latest-ubuntu'),
scan_docker_image_pipeline(edition, 'main-ubuntu'),
]
def cron_job_pipeline(name, steps):
return {
'kind': 'pipeline',
'type': 'docker',
'platform': {
'os': 'linux',
'arch': 'amd64',
},
'name': name,
'trigger': {
'event': 'cron',
'cron': 'nightly',
},
'steps': steps,
}
def scan_docker_image_pipeline(edition, tag):
if edition != 'oss':
edition='grafana-enterprise'
else:
edition='grafana'
trigger = {
'event': 'cron',
'cron': 'nightly',
}
platform_conf = {
'os': 'linux',
'arch': 'amd64',
}
steps=[
scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
scan_docker_image_high_critical_vulnerabilities_step(edition),
slack_job_failed_step('grafana-backend-ops'),
]
return [
{
'kind': 'pipeline',
'type': 'docker',
'platform': platform_conf,
'name': 'scan-docker-images',
'trigger': trigger,
'services': [],
'steps': steps,
}
]
dockerImage='grafana/{}:{}'.format(edition, tag)
def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
commands=[]
for t in tags:
commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
return cron_job_pipeline(
name='scan-' + dockerImage + '-image',
steps=[
scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage),
scan_docker_image_high_critical_vulnerabilities_step(dockerImage),
slack_job_failed_step('grafana-backend-ops', dockerImage),
])
def scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage):
return {
'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
'image': 'aquasec/trivy:0.18.3',
'commands': commands,
'name': 'scan-unkown-low-medium-vulnerabilities',
'image': aquasec_trivy_image,
'commands': [
'trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM ' + dockerImage,
],
}
def scan_docker_image_high_critical_vulnerabilities_step(edition):
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
commands=[]
for t in tags:
commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
def scan_docker_image_high_critical_vulnerabilities_step(dockerImage):
return {
'name': 'scan-docker-images-high-critical-vulnerabilities',
'image': 'aquasec/trivy:0.18.3',
'commands': commands,
'name': 'scan-high-critical-vulnerabilities',
'image': aquasec_trivy_image,
'commands': [
'trivy --exit-code 1 --severity HIGH,CRITICAL ' + dockerImage,
],
}
def slack_job_failed_step(channel):
def slack_job_failed_step(channel, image):
return {
'name': 'slack-notify-failure',
'image': 'plugins/slack',
'settings': {
'webhook': from_secret('slack_webhook_backend'),
'channel': channel,
'template': 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}',
'template': 'Nightly docker image scan job for ' + image + ' failed: {{build.link}}',
},
'when': {
'status': 'failure'