77cbb4f0f9
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
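version: 2.1

# Reusable YAML anchors. Anchors only resolve inside this document, so the
# `*filter-only-master` alias used under `workflows` must stay in this file.
aliases:
  # Workflow filters
  - &filter-only-master
    branches:
      only: master

jobs:
  # Pulls <image>:<tag> and scans it with trivy. Low/medium findings are
  # reported only; high/critical findings fail the job (see the two scan steps).
  scan-docker-image:
    description: "Scans a docker image for vulnerabilities using trivy"
    parameters:
      image:
        type: string
      tag:
        type: string
    docker:
      - image: circleci/buildpack-deps:stretch
    steps:
      - setup_remote_docker
      # Reuse trivy's local data between runs. NOTE(review): CircleCI caches
      # are immutable, so a static key is only ever written once; this relies
      # on trivy refreshing a stale vulnerability DB itself — confirm.
      - restore_cache:
          key: vulnerability-db
      - run:
          name: Install trivy
          # NOTE(review): this resolves "latest" at run time and installs the
          # tarball without checking a checksum or signature, so a yanked or
          # tampered release is picked up silently. Pinning VERSION and
          # verifying the published sha256 of the archive would close that gap.
          command: |
            VERSION=$(
              curl --silent --fail "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | \
              grep '"tag_name":' | \
              sed -E 's/.*"v([^"]+)".*/\1/'
            )
            # Unauthenticated GitHub API calls are rate limited; fail here with a
            # clear message instead of fetching a URL with an empty version.
            if [ -z "${VERSION}" ]; then
              echo "Could not determine the latest trivy version" >&2
              exit 1
            fi

            wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
            tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
            sudo mv trivy /usr/local/bin
      - run:
          name: Clear trivy cache
          command: trivy --clear-cache
      # Report-only pass: `--exit-code 0` keeps the job green regardless of findings.
      - run:
          name: Scan Docker image for unknown/low/medium vulnerabilities
          command: trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM << parameters.image >>:<< parameters.tag >>
      # Gating pass: `--exit-code 1` fails the job on any HIGH or CRITICAL finding.
      - run:
          name: Scan Docker image for high/critical vulnerabilities
          command: trivy --exit-code 1 --severity HIGH,CRITICAL << parameters.image >>:<< parameters.tag >>
      - save_cache:
          key: vulnerability-db
          # NOTE(review): CircleCI documents `~` expansion in cache paths; whether
          # `$HOME` is expanded here is not visible from this file — confirm the
          # cache actually captures the directory.
          paths:
            - $HOME/.cache/trivy

workflows:
  # Nightly scan of the published images, restricted to master via the anchor above.
  nightly:
    triggers:
      - schedule:
          cron: "0 0 * * *"
          filters: *filter-only-master
    jobs:
      - scan-docker-image:
          # One job per (image, tag) combination.
          matrix:
            parameters:
              image: [grafana/grafana, grafana/grafana-enterprise]
              tag: [latest, master, latest-ubuntu, master-ubuntu]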