Security Scans: Exclude windows container scans (#69977)

* Exclude windows container scans

* Fixes according to reviewer's comments

scripts/drone/pipelines/ci_images.star

@@ -11,8 +11,8 @@ load(
     "from_secret",
 )
 load(
-    "scripts/drone/utils/images.star",
-    "images",
+    "scripts/drone/utils/windows_images.star",
+    "windows_images",
 )
 
 def publish_ci_windows_test_image_pipeline():
@@ -28,7 +28,7 @@ def publish_ci_windows_test_image_pipeline():
         steps = [
             {
                 "name": "clone",
-                "image": images["wix_image"],
+                "image": windows_images["wix_image"],
                 "environment": {
                     "GITHUB_TOKEN": from_secret("github_token"),
                 },
@@ -39,7 +39,7 @@ def publish_ci_windows_test_image_pipeline():
             },
             {
                 "name": "build-and-publish",
-                "image": images["windows_server_core_image"],
+                "image": windows_images["windows_server_core_image"],
                 "environment": {
                     "DOCKER_USERNAME": from_secret("docker_username"),
                     "DOCKER_PASSWORD": from_secret("docker_password"),

scripts/drone/pipelines/windows.star

@@ -15,8 +15,8 @@ load(
     "windows_wire_install_step",
 )
 load(
-    "scripts/drone/utils/images.star",
-    "images",
+    "scripts/drone/utils/windows_images.star",
+    "windows_images",
 )
 
 def windows_test_backend(trigger, edition, ver_mode):
@@ -39,7 +39,7 @@ def windows_test_backend(trigger, edition, ver_mode):
     else:
         steps.extend([{
             "name": "windows-init",
-            "image": images["windows_go_image"],
+            "image": windows_images["windows_go_image"],
             "depends_on": ["clone"],
             "commands": [],
         }])

scripts/drone/steps/lib.star

@@ -11,6 +11,10 @@ load(
     "scripts/drone/utils/images.star",
     "images",
 )
+load(
+    "scripts/drone/utils/windows_images.star",
+    "windows_images",
+)
 
 grabpl_version = "v3.0.38"
 
@@ -56,7 +60,7 @@ def wire_install_step():
 def windows_wire_install_step(edition):
     return {
         "name": "wire-install",
-        "image": images["windows_go_image"],
+        "image": windows_images["windows_go_image"],
         "commands": [
             "go install github.com/google/wire/cmd/wire@v0.5.0",
             "wire gen -tags {} ./pkg/server".format(edition),
@@ -78,7 +82,7 @@ def identify_runner_step(platform = "linux"):
     else:
         return {
             "name": "identify-runner",
-            "image": images["windows_image"],
+            "image": windows_images["1809_image"],
             "commands": [
                 "echo $env:DRONE_RUNNER_NAME",
             ],
@@ -235,7 +239,7 @@ def windows_init_enterprise_steps(ver_mode):
             download_grabpl_step(platform = "windows"),
             {
                 "name": "clone",
-                "image": images["wix_image"],
+                "image": windows_images["wix_image"],
                 "environment": {
                     "GITHUB_TOKEN": from_secret("github_token"),
                 },
@@ -243,7 +247,7 @@ def windows_init_enterprise_steps(ver_mode):
             },
             {
                 "name": "windows-init",
-                "image": images["wix_image"],
+                "image": windows_images["wix_image"],
                 "commands": init_cmds,
                 "depends_on": ["clone"],
                 "environment": {"GITHUB_TOKEN": from_secret("github_token")},
@@ -256,7 +260,7 @@ def download_grabpl_step(platform = "linux"):
     if platform == "windows":
         return {
             "name": "grabpl",
-            "image": images["wix_image"],
+            "image": windows_images["wix_image"],
             "commands": [
                 '$$ProgressPreference = "SilentlyContinue"',
                 "Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/{}/windows/grabpl.exe -OutFile grabpl.exe".format(
@@ -692,7 +696,7 @@ def test_backend_step(image = images["build_image"]):
     }
 
 def windows_test_backend_step():
-    step = test_backend_step(image = images["windows_go_image"])
+    step = test_backend_step(image = windows_images["windows_go_image"])
     return step
 
 def test_backend_integration_step():
@@ -1415,7 +1419,7 @@ def publish_linux_packages_step(edition, package_manager = "deb"):
 def windows_clone_step():
     return {
         "name": "clone",
-        "image": images["wix_image"],
+        "image": windows_images["wix_image"],
         "environment": {
             "GITHUB_TOKEN": from_secret("github_token"),
         },
@@ -1475,7 +1479,7 @@ def get_windows_steps(edition, ver_mode):
             [
                 {
                     "name": "clone",
-                    "image": images["wix_image"],
+                    "image": windows_images["wix_image"],
                     "environment": {
                         "GITHUB_TOKEN": from_secret("github_token"),
                     },
@@ -1483,7 +1487,7 @@ def get_windows_steps(edition, ver_mode):
                 },
                 {
                     "name": "windows-init",
-                    "image": images["wix_image"],
+                    "image": windows_images["wix_image"],
                     "commands": init_cmds,
                     "depends_on": ["clone"],
                     "environment": {"GITHUB_TOKEN": from_secret("github_token")},
@@ -1502,7 +1506,7 @@ def get_windows_steps(edition, ver_mode):
             [
                 {
                     "name": "windows-init",
-                    "image": images["wix_image"],
+                    "image": windows_images["wix_image"],
                     "commands": init_cmds,
                 },
             ],
@@ -1577,7 +1581,7 @@ def get_windows_steps(edition, ver_mode):
         steps.append(
             {
                 "name": "build-windows-installer",
-                "image": images["wix_image"],
+                "image": windows_images["wix_image"],
                 "depends_on": [
                     "windows-init",
                 ],

scripts/drone/utils/images.star

@@ -8,17 +8,13 @@ images = {
     "publish_image": "grafana/grafana-ci-deploy:1.3.3",
     "alpine_image": "alpine:3.17.1",
     "curl_image": "byrnedo/alpine-curl:0.1.8",
-    "windows_image": "mcr.microsoft.com/windows:1809",
-    "wix_image": "grafana/ci-wix:0.1.1",
     "go_image": "golang:1.20.4",
-    "windows_go_image": "grafana/grafana-ci-windows-test:0.1.0",
     "plugins_slack_image": "plugins/slack",
     "postgres_alpine_image": "postgres:12.3-alpine",
     "mysql5_image": "mysql:5.7.39",
     "mysql8_image": "mysql:8.0.32",
     "redis_alpine_image": "redis:6.2.11-alpine",
     "memcached_alpine_image": "memcached:1.6.9-alpine",
-    "windows_server_core_image": "docker:windowsservercore-1809",
     "package_publish_image": "us.gcr.io/kubernetes-dev/package-publish:latest",
     "openldap_image": "osixia/openldap:1.4.0",
     "drone_downstream_image": "grafana/drone-downstream",

scripts/drone/utils/windows_images.star

@@ -0,0 +1,12 @@
+"""
+This module contains all the windows docker images that are used to build test and publish Grafana.
+All the windows images needed to be in a different file than the other images, since they cannot be scanned
+by trivy. Related issue: https://github.com/aquasecurity/trivy/issues/1392
+"""
+
+windows_images = {
+    "1809_image": "mcr.microsoft.com/windows:1809",
+    "wix_image": "grafana/ci-wix:0.1.1",
+    "windows_server_core_image": "docker:windowsservercore-1809",
+    "windows_go_image": "grafana/grafana-ci-windows-test:0.1.0",
+}