From 6b79393cccae71c4aae15777a70d26676ed77dc6 Mon Sep 17 00:00:00 2001 From: Marcus Efraimsson Date: Tue, 23 Nov 2021 11:43:00 +0100 Subject: [PATCH] Chore: Split nightly docker image scan into separate pipelines (#42097) Split the nightly Docker scan job into separate pipelines, one per image, so that it is easier to tell which image fails or contains high/critical vulnerabilities. --- .drone.yml | 101 ++++++++++++++++++++++++++---- scripts/drone/pipelines/cron.star | 92 ++++++++++++++------------- 2 files changed, 139 insertions(+), 54 deletions(-) diff --git a/.drone.yml b/.drone.yml index 635e4ed43fe..75a3f76a33d 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -3467,31 +3467,110 @@ trigger: type: docker --- kind: pipeline -name: scan-docker-images +name: scan-grafana/grafana:latest-image platform: arch: amd64 os: linux -services: [] steps: - commands: - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest - - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main - - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu - - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu - image: aquasec/trivy:0.18.3 - name: scan-docker-images-unkown-low-medium-vulnerabilities + image: aquasec/trivy:0.21.0 + name: scan-unkown-low-medium-vulnerabilities - commands: - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest + image: aquasec/trivy:0.21.0 + name: scan-high-critical-vulnerabilities +- image: plugins/slack + name: slack-notify-failure + settings: + channel: grafana-backend-ops + template: 'Nightly docker image scan job for grafana/grafana:latest failed: {{build.link}}' + webhook: + from_secret: slack_webhook_backend + when: + status: failure +trigger: + cron: nightly + event: cron +type: docker +--- +kind: pipeline +name: scan-grafana/grafana:main-image +platform: + arch: amd64 + os: linux +steps: +- commands: + - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main + image: aquasec/trivy:0.21.0 + name: scan-unkown-low-medium-vulnerabilities +- commands: - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main + image: aquasec/trivy:0.21.0 + name: scan-high-critical-vulnerabilities +- image: plugins/slack + name: slack-notify-failure + settings: + channel: grafana-backend-ops + template: 'Nightly docker image scan job for grafana/grafana:main failed: {{build.link}}' + webhook: + from_secret: slack_webhook_backend + when: + status: failure +trigger: + cron: nightly + event: cron +type: docker +--- +kind: pipeline +name: scan-grafana/grafana:latest-ubuntu-image +platform: + arch: amd64 + os: 
linux +steps: +- commands: + - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu + image: aquasec/trivy:0.21.0 + name: scan-unkown-low-medium-vulnerabilities +- commands: - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu + image: aquasec/trivy:0.21.0 + name: scan-high-critical-vulnerabilities +- image: plugins/slack + name: slack-notify-failure + settings: + channel: grafana-backend-ops + template: 'Nightly docker image scan job for grafana/grafana:latest-ubuntu failed: + {{build.link}}' + webhook: + from_secret: slack_webhook_backend + when: + status: failure +trigger: + cron: nightly + event: cron +type: docker +--- +kind: pipeline +name: scan-grafana/grafana:main-ubuntu-image +platform: + arch: amd64 + os: linux +steps: +- commands: + - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu + image: aquasec/trivy:0.21.0 + name: scan-unkown-low-medium-vulnerabilities +- commands: - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu - image: aquasec/trivy:0.18.3 - name: scan-docker-images-high-critical-vulnerabilities + image: aquasec/trivy:0.21.0 + name: scan-high-critical-vulnerabilities - image: plugins/slack name: slack-notify-failure settings: channel: grafana-backend-ops - template: 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}' + template: 'Nightly docker image scan job for grafana/grafana:main-ubuntu failed: + {{build.link}}' webhook: from_secret: slack_webhook_backend when: @@ -3520,6 +3599,6 @@ kind: secret name: drone_token --- kind: signature -hmac: 506f659ace94bf2db684864909ea29b8963f3655d4f02b5dbd0d3440271be38f +hmac: e88015b452dfab871767948389489cbbf94d34e79054a4c0e251b5d828780269 ... diff --git a/scripts/drone/pipelines/cron.star b/scripts/drone/pipelines/cron.star index 3602f027ed5..4d1ca1b2e2c 100644 --- a/scripts/drone/pipelines/cron.star +++ b/scripts/drone/pipelines/cron.star 
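Review bot: The three newly added pipelines each add `- image: plugins/slack` with no tag or digest, and that is the step handed the `slack_webhook_backend` secret via `from_secret`, so the notifier resolves to a mutable `latest` tag and is the weakest pin in the job; the trivy bump has the same shape, since `aquasec/trivy:0.21.0` is a mutable version tag and `aquasec/trivy:0.21.0@sha256:<digest>` (digest to be filled in) would make the scanner reproducible as well. If .drone.yml is generated from scripts/drone/pipelines/cron.star, as the trailing `kind: signature` suggests, the fix belongs in `slack_job_failed_step` (`'image': 'plugins/slack'`) and in `aquasec_trivy_image` there rather than in this file. The new step name `scan-unkown-low-medium-vulnerabilities` carries the `unkown` typo forward from the old name, and since the step is now per image this is a cheap moment to rename it `scan-unknown-low-medium-vulnerabilities`. Pipeline names such as `scan-grafana/grafana:latest-image` now contain `/` and `:`; Drone presumably accepts them here, but they are awkward to reference from `depends_on` or CLI filters, and a name like `scan-grafana-latest-image` would avoid that.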
@@ -1,67 +1,73 @@ load('scripts/drone/vault.star', 'from_secret') +aquasec_trivy_image = 'aquasec/trivy:0.21.0' + def cronjobs(edition): + return [ + scan_docker_image_pipeline(edition, 'latest'), + scan_docker_image_pipeline(edition, 'main'), + scan_docker_image_pipeline(edition, 'latest-ubuntu'), + scan_docker_image_pipeline(edition, 'main-ubuntu'), + ] + +def cron_job_pipeline(name, steps): + return { + 'kind': 'pipeline', + 'type': 'docker', + 'platform': { + 'os': 'linux', + 'arch': 'amd64', + }, + 'name': name, + 'trigger': { + 'event': 'cron', + 'cron': 'nightly', + }, + 'steps': steps, + } + +def scan_docker_image_pipeline(edition, tag): if edition != 'oss': edition='grafana-enterprise' else: edition='grafana' - trigger = { - 'event': 'cron', - 'cron': 'nightly', - } - platform_conf = { - 'os': 'linux', - 'arch': 'amd64', - } - steps=[ - scan_docker_image_unkown_low_medium_vulnerabilities_step(edition), - scan_docker_image_high_critical_vulnerabilities_step(edition), - slack_job_failed_step('grafana-backend-ops'), - ] - return [ - { - 'kind': 'pipeline', - 'type': 'docker', - 'platform': platform_conf, - 'name': 'scan-docker-images', - 'trigger': trigger, - 'services': [], - 'steps': steps, - } - ] + dockerImage='grafana/{}:{}'.format(edition, tag) -def scan_docker_image_unkown_low_medium_vulnerabilities_step(edition): - tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu'] - commands=[] - for t in tags: - commands.append('trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/{}:{}'.format(edition,t)) + return cron_job_pipeline( + name='scan-' + dockerImage + '-image', + steps=[ + scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage), + scan_docker_image_high_critical_vulnerabilities_step(dockerImage), + slack_job_failed_step('grafana-backend-ops', dockerImage), + ]) + +def scan_docker_image_unkown_low_medium_vulnerabilities_step(dockerImage): return { - 'name': 'scan-docker-images-unkown-low-medium-vulnerabilities', - 'image': 
'aquasec/trivy:0.18.3', - 'commands': commands, + 'name': 'scan-unkown-low-medium-vulnerabilities', + 'image': aquasec_trivy_image, + 'commands': [ + 'trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM ' + dockerImage, + ], } -def scan_docker_image_high_critical_vulnerabilities_step(edition): - tags=['latest', 'main', 'latest-ubuntu', 'main-ubuntu'] - commands=[] - for t in tags: - commands.append('trivy --exit-code 1 --severity HIGH,CRITICAL grafana/{}:{}'.format(edition,t)) - +def scan_docker_image_high_critical_vulnerabilities_step(dockerImage): return { - 'name': 'scan-docker-images-high-critical-vulnerabilities', - 'image': 'aquasec/trivy:0.18.3', - 'commands': commands, + 'name': 'scan-high-critical-vulnerabilities', + 'image': aquasec_trivy_image, + 'commands': [ + 'trivy --exit-code 1 --severity HIGH,CRITICAL ' + dockerImage, + ], } -def slack_job_failed_step(channel): +def slack_job_failed_step(channel, image): return { 'name': 'slack-notify-failure', 'image': 'plugins/slack', 'settings': { 'webhook': from_secret('slack_webhook_backend'), 'channel': channel, - 'template': 'Nightly docker image scan job for {{repo.name}} failed: {{build.link}}', + 'template': 'Nightly docker image scan job for ' + image + ' failed: {{build.link}}', }, 'when': { 'status': 'failure'