33369: Add pipeline step with trivy scan for latest on grafana/grafan… (#34660)

* 33369: Add pipeline step with trivy scan for latest on grafana/grafana to drone config

* 33369:Add docker image scan steps to .drone.star file

* 33369: Add low/medium/unknwon scan into one pipeline step

* 33369:Make starlark generate code only for the given edition

* 33369:Adjust naming and add loop into vulnerability step

* Update scripts/job.star

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

.drone.star

@@ -2,9 +2,10 @@ load('scripts/pr.star', 'pr_pipelines')
 load('scripts/main.star', 'main_pipelines')
 load('scripts/release.star', 'release_pipelines', 'test_release_pipelines')
 load('scripts/version.star', 'version_branch_pipelines')
+load('scripts/job.star', 'cronjobs')
 load('scripts/vault.star', 'secrets')
 
 def main(ctx):
     edition = 'oss'
     return pr_pipelines(edition=edition) + main_pipelines(edition=edition) + release_pipelines() + \
-        test_release_pipelines() + version_branch_pipelines() + secrets()
+        test_release_pipelines() + version_branch_pipelines() + cronjobs(edition=edition) + secrets()

.drone.yml

@@ -3432,6 +3432,38 @@ depends_on:
 - enterprise-build-release-branch
 - enterprise-windows-release-branch
 
+---
+kind: pipeline
+type: docker
+name: scan-docker-images
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: scan-docker-images-unkown-low-medium-vulnerabilities
+  image: aquasec/trivy:0.18.3
+  commands:
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
+
+- name: scan-docker-images-high-critical-vulnerabilities
+  image: aquasec/trivy:0.18.3
+  commands:
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
+  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
+
+trigger:
+  cron:
+  - nightly
+  event:
+  - cron
+
 ---
 kind: secret
 name: dockerconfigjson

scripts/job.star

@@ -0,0 +1,52 @@
+def cronjobs(edition):
+    if edition != 'oss':
+        edition='grafana-enterprise'
+    else:
+        edition='grafana'
+
+    trigger = {
+        'event': 'cron',
+        'cron': 'nightly',
+    }
+    platform_conf = {
+        'os': 'linux',
+        'arch': 'amd64',
+    }
+    steps=[ 
+        scan_docker_image_unkown_low_medium_vulnerabilities_step(edition),
+        scan_docker_image_high_critical_vulnerabilities_step(edition),
+    ]
+    return [
+        {
+            'kind': 'pipeline',
+            'type': 'docker',
+            'platform': platform_conf,
+            'name': 'scan-docker-images',
+            'trigger': trigger,
+            'services': [],
+            'steps': steps,
+        }
+    ]
+
+def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition):
+    tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu']
+    commands=[]
+    for t in tags:
+        commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t))
+    return {
+        'name': 'scan-docker-images-unkown-low-medium-vulnerabilities',
+        'image': 'aquasec/trivy:0.18.3',
+        'commands': commands,
+    }
+
+def scan_docker_image_high_critical_vulnerabilities_step(edition):
+    tags=['latest','main','latest-ubuntu','main-ubuntu']
+    commands=[]
+    for t in tags:
+        commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t))
+
+    return {
+        'name': 'scan-docker-images-high-critical-vulnerabilities',
+        'image': 'aquasec/trivy:0.18.3',
+        'commands': commands,
+    }