Chore: Split nightly docker image scan into separate pipelines (#42097)
Split the nightly Docker scan job into separate pipelines, one for each image, to make it easier to understand which images fail or include high/critical vulnerabilities.
This commit is contained in:
parent
8b3725b9f2
commit
6b79393ccc
107
.drone.yml
107
.drone.yml
@ -3467,31 +3467,110 @@ trigger:
|
|||||||
type: docker
|
type: docker
|
||||||
---
|
---
|
||||||
kind: pipeline
|
kind: pipeline
|
||||||
name: scan-docker-images
|
name: scan-grafana/grafana:latest-image
|
||||||
platform:
|
platform:
|
||||||
arch: amd64
|
arch: amd64
|
||||||
os: linux
|
os: linux
|
||||||
services: []
|
|
||||||
steps:
|
steps:
|
||||||
- commands:
|
- commands:
|
||||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
|
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
|
||||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
|
image: aquasec/trivy:0.21.0
|
||||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
|
name: scan-unkown-low-medium-vulnerabilities
|
||||||
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
|
|
||||||
image: aquasec/trivy:0.18.3
|
|
||||||
name: scan-docker-images-unkown-low-medium-vulnerabilities
|
|
||||||
- commands:
|
- commands:
|
||||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
|
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
|
||||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
|
image: aquasec/trivy:0.21.0
|
||||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
|
name: scan-high-critical-vulnerabilities
|
||||||
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
|
|
||||||
image: aquasec/trivy:0.18.3
|
|
||||||
name: scan-docker-images-high-critical-vulnerabilities
|
|
||||||
- image: plugins/slack
|
- image: plugins/slack
|
||||||
name: slack-notify-failure
|
name: slack-notify-failure
|
||||||
settings:
|
settings:
|
||||||
channel: grafana-backend-ops
|
channel: grafana-backend-ops
|
||||||
template: 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}'
|
template: 'Nightly docker image scan job for grafana/grafana:latest failed: {{build.link}}'
|
||||||
|
webhook:
|
||||||
|
from_secret: slack_webhook_backend
|
||||||
|
when:
|
||||||
|
status: failure
|
||||||
|
trigger:
|
||||||
|
cron: nightly
|
||||||
|
event: cron
|
||||||
|
type: docker
|
||||||
|
---
|
||||||
|
kind: pipeline
|
||||||
|
name: scan-grafana/grafana:main-image
|
||||||
|
platform:
|
||||||
|
arch: amd64
|
||||||
|
os: linux
|
||||||
|
steps:
|
||||||
|
- commands:
|
||||||
|
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
|
||||||
|
image: aquasec/trivy:0.21.0
|
||||||
|
name: scan-unkown-low-medium-vulnerabilities
|
||||||
|
- commands:
|
||||||
|
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
|
||||||
|
image: aquasec/trivy:0.21.0
|
||||||
|
name: scan-high-critical-vulnerabilities
|
||||||
|
- image: plugins/slack
|
||||||
|
name: slack-notify-failure
|
||||||
|
settings:
|
||||||
|
channel: grafana-backend-ops
|
||||||
|
template: 'Nightly docker image scan job for grafana/grafana:main failed: {{build.link}}'
|
||||||
|
webhook:
|
||||||
|
from_secret: slack_webhook_backend
|
||||||
|
when:
|
||||||
|
status: failure
|
||||||
|
trigger:
|
||||||
|
cron: nightly
|
||||||
|
event: cron
|
||||||
|
type: docker
|
||||||
|
---
|
||||||
|
kind: pipeline
|
||||||
|
name: scan-grafana/grafana:latest-ubuntu-image
|
||||||
|
platform:
|
||||||
|
arch: amd64
|
||||||
|
os: linux
|
||||||
|
steps:
|
||||||
|
- commands:
|
||||||
|
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
|
||||||
|
image: aquasec/trivy:0.21.0
|
||||||
|
name: scan-unkown-low-medium-vulnerabilities
|
||||||
|
- commands:
|
||||||
|
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
|
||||||
|
image: aquasec/trivy:0.21.0
|
||||||
|
name: scan-high-critical-vulnerabilities
|
||||||
|
- image: plugins/slack
|
||||||
|
name: slack-notify-failure
|
||||||
|
settings:
|
||||||
|
channel: grafana-backend-ops
|
||||||
|
template: 'Nightly docker image scan job for grafana/grafana:latest-ubuntu failed:
|
||||||
|
{{build.link}}'
|
||||||
|
webhook:
|
||||||
|
from_secret: slack_webhook_backend
|
||||||
|
when:
|
||||||
|
status: failure
|
||||||
|
trigger:
|
||||||
|
cron: nightly
|
||||||
|
event: cron
|
||||||
|
type: docker
|
||||||
|
---
|
||||||
|
kind: pipeline
|
||||||
|
name: scan-grafana/grafana:main-ubuntu-image
|
||||||
|
platform:
|
||||||
|
arch: amd64
|
||||||
|
os: linux
|
||||||
|
steps:
|
||||||
|
- commands:
|
||||||
|
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
|
||||||
|
image: aquasec/trivy:0.21.0
|
||||||
|
name: scan-unkown-low-medium-vulnerabilities
|
||||||
|
- commands:
|
||||||
|
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
|
||||||
|
image: aquasec/trivy:0.21.0
|
||||||
|
name: scan-high-critical-vulnerabilities
|
||||||
|
- image: plugins/slack
|
||||||
|
name: slack-notify-failure
|
||||||
|
settings:
|
||||||
|
channel: grafana-backend-ops
|
||||||
|
template: 'Nightly docker image scan job for grafana/grafana:main-ubuntu failed:
|
||||||
|
{{build.link}}'
|
||||||
webhook:
|
webhook:
|
||||||
from_secret: slack_webhook_backend
|
from_secret: slack_webhook_backend
|
||||||
when:
|
when:
|
||||||
@ -3520,6 +3599,6 @@ kind: secret
|
|||||||
name: drone_token
|
name: drone_token
|
||||||
---
|
---
|
||||||
kind: signature
|
kind: signature
|
||||||
hmac: 506f659ace94bf2db684864909ea29b8963f3655d4f02b5dbd0d3440271be38f
|
hmac: e88015b452dfab871767948389489cbbf94d34e79054a4c0e251b5d828780269
|
||||||
|
|
||||||
...
|
...
|
||||||
|
@ -1,67 +1,73 @@
|
|||||||
load('scripts/drone/vault.star', 'from_secret')
|
load('scripts/drone/vault.star', 'from_secret')
|
||||||
|
|
||||||
|
aquasec_trivy_image = 'aquasec/trivy:0.21.0'
|
||||||
|
|
||||||
def cronjobs(edition):
|
def cronjobs(edition):
|
||||||
|
return [
|
||||||
|
scan_docker_image_pipeline(edition, 'latest'),
|
||||||
|
scan_docker_image_pipeline(edition, 'main'),
|
||||||
|
scan_docker_image_pipeline(edition, 'latest-ubuntu'),
|
||||||
|
scan_docker_image_pipeline(edition, 'main-ubuntu'),
|
||||||
|
]
|
||||||
|
|
||||||
|
def cron_job_pipeline(name, steps):
|
||||||
|
return {
|
||||||
|
'kind': 'pipeline',
|
||||||
|
'type': 'docker',
|
||||||
|
'platform': {
|
||||||
|
'os': 'linux',
|
||||||
|
'arch': 'amd64',
|
||||||
|
},
|
||||||
|
'name': name,
|
||||||
|
'trigger': {
|
||||||
|
'event': 'cron',
|
||||||
|
'cron': 'nightly',
|
||||||
|
},
|
||||||
|
'steps': steps,
|
||||||
|
}
|
||||||
|
|
||||||
|
def scan_docker_image_pipeline(edition, tag):
|
||||||
if edition != 'oss':
|
if edition != 'oss':
|
||||||
edition='grafana-enterprise'
|
edition='grafana-enterprise'
|
||||||
else:
|
else:
|
||||||
edition='grafana'
|
edition='grafana'
|
||||||
|
|
||||||
trigger = {
|
dockerImage='grafana/{}:{}'.format(edition, tag)
|
||||||
'event': 'cron',
|
|
||||||
'cron': 'nightly',
|
|
||||||
}
|
|
||||||
platform_conf = {
|
|
||||||
'os': 'linux',
|
|
||||||
'arch': 'amd64',
|
|
||||||
}
|
|
||||||
steps=[
|
|
||||||
scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
|
|
||||||
scan_docker_image_high_critical_vulnerabilities_step(edition),
|
|
||||||
slack_job_failed_step('grafana-backend-ops'),
|
|
||||||
]
|
|
||||||
return [
|
|
||||||
{
|
|
||||||
'kind': 'pipeline',
|
|
||||||
'type': 'docker',
|
|
||||||
'platform': platform_conf,
|
|
||||||
'name': 'scan-docker-images',
|
|
||||||
'trigger': trigger,
|
|
||||||
'services': [],
|
|
||||||
'steps': steps,
|
|
||||||
}
|
|
||||||
]
|
|
||||||
|
|
||||||
def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
|
return cron_job_pipeline(
|
||||||
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
|
name='scan-' + dockerImage + '-image',
|
||||||
commands=[]
|
steps=[
|
||||||
for t in tags:
|
scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage),
|
||||||
commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
|
scan_docker_image_high_critical_vulnerabilities_step(dockerImage),
|
||||||
|
slack_job_failed_step('grafana-backend-ops', dockerImage),
|
||||||
|
])
|
||||||
|
|
||||||
|
def scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage):
|
||||||
return {
|
return {
|
||||||
'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
|
'name': 'scan-unkown-low-medium-vulnerabilities',
|
||||||
'image': 'aquasec/trivy:0.18.3',
|
'image': aquasec_trivy_image,
|
||||||
'commands': commands,
|
'commands': [
|
||||||
|
'trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM ' + dockerImage,
|
||||||
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
def scan_docker_image_high_critical_vulnerabilities_step(edition):
|
def scan_docker_image_high_critical_vulnerabilities_step(dockerImage):
|
||||||
tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
|
|
||||||
commands=[]
|
|
||||||
for t in tags:
|
|
||||||
commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
|
|
||||||
|
|
||||||
return {
|
return {
|
||||||
'name': 'scan-docker-images-high-critical-vulnerabilities',
|
'name': 'scan-high-critical-vulnerabilities',
|
||||||
'image': 'aquasec/trivy:0.18.3',
|
'image': aquasec_trivy_image,
|
||||||
'commands': commands,
|
'commands': [
|
||||||
|
'trivy --exit-code 1 --severity HIGH,CRITICAL ' + dockerImage,
|
||||||
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
def slack_job_failed_step(channel):
|
def slack_job_failed_step(channel, image):
|
||||||
return {
|
return {
|
||||||
'name': 'slack-notify-failure',
|
'name': 'slack-notify-failure',
|
||||||
'image': 'plugins/slack',
|
'image': 'plugins/slack',
|
||||||
'settings': {
|
'settings': {
|
||||||
'webhook': from_secret('slack_webhook_backend'),
|
'webhook': from_secret('slack_webhook_backend'),
|
||||||
'channel': channel,
|
'channel': channel,
|
||||||
'template': 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}',
|
'template': 'Nightly docker image scan job for ' + image + ' failed: {{build.link}}',
|
||||||
},
|
},
|
||||||
'when': {
|
'when': {
|
||||||
'status': 'failure'
|
'status': 'failure'
|
||||||
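Review bot: `aquasec_trivy_image = 'aquasec/trivy:0.21.0'` at the top of the file pins the scanner by tag only, so the image that decides whether a nightly scan passes or fails can be replaced at the registry without any change appearing in this repository; pinning by digest, `aquasec_trivy_image = 'aquasec/trivy:0.21.0@sha256:<digest-placeholder>'` (digest read from the registry when the version is bumped), makes the scanner itself part of the reviewed config, and hoisting the reference into one constant already makes that a one-line change. The new per-image step name `'scan-unkown-low-medium-vulnerabilities'` and the function `scan_docker_image_unkown_low_medium_vulnerabilities_step` carry the pre-existing `unkown` typo into names that are new in this commit anyway, so this is the cheap moment to spell both `unknown`; the generated .drone.yml would then need regenerating and re-signing. Pipeline names built by `'scan-' + dockerImage + '-image'` contain `/` and `:` (e.g. `scan-grafana/grafana:latest-image`), and I cannot tell from the hunk whether Drone accepts those characters in a pipeline name, so that is worth confirming against the server before the first nightly run. `slack_job_failed_step` continues past the end of the hunk.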
|