From e100fc927ec00ae3df7ee1420374b10b834c277c Mon Sep 17 00:00:00 2001 From: Dimitris Sotirakis Date: Mon, 28 Aug 2023 14:52:08 +0300 Subject: [PATCH] Security: Authenticate to GCR for trivy scans (#72658) * Authenticate to GCR for trivy scans # Conflicts: # .drone.yml * verify-starlark * Change secret # Conflicts: # .drone.yml --- .drone.yml | 132 ++++++++++++++++++++++++++++++++- scripts/drone/events/cron.star | 25 +++++++ scripts/drone/vault.star | 5 ++ 3 files changed, 161 insertions(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 61c3eab54d6..94c035d173a 100644 --- a/.drone.yml +++ b/.drone.yml @@ -4164,14 +4164,34 @@ platform: arch: amd64 os: linux steps: +- commands: + - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io + environment: + GCR_CREDENTIALS: + from_secret: gcr_credentials + image: docker:dind + name: authenticate-gcr + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-unknown-low-medium-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-high-critical-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - image: plugins/slack name: slack-notify-failure settings: @@ -4185,6 +4205,10 @@ trigger: cron: nightly event: cron type: docker +volumes: +- host: + path: /var/run/docker.sock + name: docker --- clone: retries: 3 
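Review bot: The added authenticate-gcr step expands the service-account JSON unquoted (`echo $${GCR_CREDENTIALS}`), so the shell word-splits and glob-expands the key before docker login reads it, and depending on the image's `echo` the `\n` sequences inside the key's private_key field may be rewritten; `printf '%s' "$${GCR_CREDENTIALS}" | docker login -u _json_key --password-stdin https://us.gcr.io` passes the secret through byte-for-byte. The same command is repeated in the authenticate-gcr steps of the @@ -4194, @@ -4224, @@ -4255 and @@ -4286 hunks on the following lines, and since this file carries an hmac signature and the same step appears in the scripts/drone/events/cron.star hunk, it looks rendered from that script, so the fix belongs in authenticate_gcr_step there with this file regenerated.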
@@ -4194,14 +4218,34 @@ platform: arch: amd64 os: linux steps: +- commands: + - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io + environment: + GCR_CREDENTIALS: + from_secret: gcr_credentials + image: docker:dind + name: authenticate-gcr + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-unknown-low-medium-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-high-critical-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - image: plugins/slack name: slack-notify-failure settings: @@ -4215,6 +4259,10 @@ trigger: cron: nightly event: cron type: docker +volumes: +- host: + path: /var/run/docker.sock + name: docker --- clone: retries: 3 @@ -4224,14 +4272,34 @@ platform: arch: amd64 os: linux steps: +- commands: + - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io + environment: + GCR_CREDENTIALS: + from_secret: gcr_credentials + image: docker:dind + name: authenticate-gcr + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-unknown-low-medium-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-high-critical-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - image: plugins/slack name: slack-notify-failure settings: 
@@ -4246,6 +4314,10 @@ trigger: cron: nightly event: cron type: docker +volumes: +- host: + path: /var/run/docker.sock + name: docker --- clone: retries: 3 @@ -4255,14 +4327,34 @@ platform: arch: amd64 os: linux steps: +- commands: + - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io + environment: + GCR_CREDENTIALS: + from_secret: gcr_credentials + image: docker:dind + name: authenticate-gcr + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-unknown-low-medium-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-high-critical-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - image: plugins/slack name: slack-notify-failure settings: @@ -4277,6 +4369,10 @@ trigger: cron: nightly event: cron type: docker +volumes: +- host: + path: /var/run/docker.sock + name: docker --- clone: retries: 3 @@ -4286,6 +4382,16 @@ platform: arch: amd64 os: linux steps: +- commands: + - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io + environment: + GCR_CREDENTIALS: + from_secret: gcr_credentials + image: docker:dind + name: authenticate-gcr + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM google/cloud-sdk:431.0.0 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/build-container:1.7.5 
@@ -4306,8 +4412,13 @@ steps: - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/docs-base:dbd975af06 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM cypress/included:9.5.1-node16.14.0-slim-chrome99-ff97 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e:latest + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-unknown-low-medium-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - commands: - trivy --exit-code 1 --severity HIGH,CRITICAL google/cloud-sdk:431.0.0 - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/build-container:1.7.5 @@ -4328,8 +4439,13 @@ steps: - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/docs-base:dbd975af06 - trivy --exit-code 1 --severity HIGH,CRITICAL cypress/included:9.5.1-node16.14.0-slim-chrome99-ff97 - trivy --exit-code 1 --severity HIGH,CRITICAL us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e:latest + depends_on: + - authenticate-gcr image: aquasec/trivy:0.21.0 name: scan-high-critical-vulnerabilities + volumes: + - name: docker + path: /var/run/docker.sock - image: plugins/slack name: slack-notify-failure settings: @@ -4343,6 +4459,10 @@ trigger: cron: nightly event: cron type: docker +volumes: +- host: + path: /var/run/docker.sock + name: docker --- clone: retries: 3 @@ -4374,6 +4494,10 @@ trigger: cron: grafana-com-nightly event: cron type: docker +volumes: +- host: + path: /var/run/docker.sock + name: docker --- get: name: credentials.json @@ -4543,7 +4667,13 @@ get: kind: secret name: delivery-bot-app-private-key --- +get: + name: service-account + path: secret/data/common/gcr +kind: secret +name: gcr_credentials +--- kind: signature -hmac: 303fb59b2da9a39e5bc46dcb962894895697c46477d0c94b2a65c290e87ea57e +hmac: 37c8cdea5d79479014c2bee1b93433549ba5f8d5f2eef4f599247312c661118c ... diff --git a/scripts/drone/events/cron.star b/scripts/drone/events/cron.star index d73e1074562..2e7e83faa85 100644 
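Review bot: The login this pipeline depends on targets `https://us.gcr.io`, yet the only image in these two scan steps that is not on Docker Hub is `us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e:latest`; Docker registry credentials are stored per host, so a login to us.gcr.io does not authorize a pull from us-docker.pkg.dev unless that image is also served from us.gcr.io. If Artifact Registry is the real target, the login URL in the authenticate-gcr step should be `https://us-docker.pkg.dev`. Separately, the four scan pipelines in the earlier hunks only scan grafana/grafana:* tags from Docker Hub but still gain the login step, the gcr_credentials secret and a host docker.sock mount in every trivy step; the socket is effectively root on the runner host, so restricting the step and the mount to this pipeline, which is the one that pulls a private image, keeps the exposure where it is needed. The grafana-com-nightly pipeline (@@ -4374 hunk) also receives the host volume declaration although no step in this diff uses it.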
--- a/scripts/drone/events/cron.star +++ b/scripts/drone/events/cron.star @@ -24,6 +24,17 @@ def cronjobs(): grafana_com_nightly_pipeline(), ] +def authenticate_gcr_step(): + return { + "name": "authenticate-gcr", + "image": "docker:dind", + "commands": ["echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io"], + "environment": { + "GCR_CREDENTIALS": from_secret("gcr_credentials"), + }, + "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}], + } + def cron_job_pipeline(cronName, name, steps): return { "kind": "pipeline", @@ -41,6 +52,14 @@ def cron_job_pipeline(cronName, name, steps): "retries": 3, }, "steps": steps, + "volumes": [ + { + "name": "docker", + "host": { + "path": "/var/run/docker.sock", + }, + }, + ], } def scan_docker_image_pipeline(tag): @@ -58,6 +77,7 @@ def scan_docker_image_pipeline(tag): cronName = "nightly", name = "scan-" + docker_image + "-image", steps = [ + authenticate_gcr_step(), scan_docker_image_unknown_low_medium_vulnerabilities_step(docker_image), scan_docker_image_high_critical_vulnerabilities_step(docker_image), slack_job_failed_step("grafana-backend-ops", docker_image), @@ -75,6 +95,7 @@ def scan_build_test_publish_docker_image_pipeline(): cronName = "nightly", name = "scan-build-test-and-publish-docker-images", steps = [ + authenticate_gcr_step(), scan_docker_image_unknown_low_medium_vulnerabilities_step("all"), scan_docker_image_high_critical_vulnerabilities_step("all"), slack_job_failed_step("grafana-backend-ops", "build-images"), @@ -101,6 +122,8 @@ def scan_docker_image_unknown_low_medium_vulnerabilities_step(docker_image): "name": "scan-unknown-low-medium-vulnerabilities", "image": aquasec_trivy_image, "commands": cmds, + "depends_on": ["authenticate-gcr"], + "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}], } def scan_docker_image_high_critical_vulnerabilities_step(docker_image): 
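Review bot: `docker login` in authenticate_gcr_step writes its credentials to the Docker client config inside that step's own container, while the scan steps run in a separate aquasec/trivy container; unless something outside this diff shares the home directory between step containers, the login never reaches trivy, which pulls images it does not find locally straight from the registry with its own credential lookup, so the `depends_on` and `volumes` entries added in the two scan_docker_image_*_vulnerabilities_step hunks (the @@ -101 hunk here and the @@ -123 hunk on the next line) would not give trivy access to a private image. Trivy's documented `TRIVY_USERNAME`/`TRIVY_PASSWORD` environment variables make the login step and the docker.sock mount unnecessary: `"environment": {"TRIVY_USERNAME": "_json_key", "TRIVY_PASSWORD": from_secret("gcr_credentials")},` on each scan step, which also keeps the host socket out of the scanner containers. authenticate_gcr_step would then be removed, and a one-line docstring on whichever step carries the credential should say which registry host it is meant for. authenticate_gcr_step is fully inside its hunk; cron_job_pipeline, scan_docker_image_pipeline, scan_build_test_publish_docker_image_pipeline and the two scan step functions extend beyond theirs.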
@@ -123,6 +146,8 @@ def scan_docker_image_high_critical_vulnerabilities_step(docker_image): "name": "scan-high-critical-vulnerabilities", "image": aquasec_trivy_image, "commands": cmds, + "depends_on": ["authenticate-gcr"], + "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}], } def slack_job_failed_step(channel, image): diff --git a/scripts/drone/vault.star b/scripts/drone/vault.star index eb7c9944dca..e133a8cef07 100644 --- a/scripts/drone/vault.star +++ b/scripts/drone/vault.star @@ -148,4 +148,9 @@ def secrets(): "infra/data/ci/grafana-release-eng/grafana-delivery-bot", "app-private-key", ), + vault_secret( + "gcr_credentials", + "secret/data/common/gcr", + "service-account", + ), ]
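Review bot: The new vault_secret entry in secrets() exposes a service-account key to every pipeline that references gcr_credentials without recording what the key is expected to be allowed to do; a comment on the entry such as `# service-account JSON used by the nightly trivy scans to pull private images; keep the account registry-read-only` would let the next reader check the IAM binding against the stated intent. The secrets() list itself starts before this hunk.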