Docker: Fix nightly vulnerability scan (#25083)

* Run each trivy scan as a separate step * Fail build only on high and critical vulnerability * Remove temporary job to use nightly schedule only

Docker: Fix nightly vulnerability scan (#25083)
* Run each trivy scan as a separate step * Fail build only on high and critical vulnerability * Remove temporary job to use nightly schedule only
374fbdf9 · Marcus Efraimsson · GitHub · 7bf5b395 · 374fbdf9
Commit 374fbdf9 authored May 25, 2020 by Marcus Efraimsson Committed by GitHub May 25, 2020
Show whitespace changes
Inline Side-by-side

Showing with 16 additions and 24 deletions

.circleci/config.yml
+16 -24

No files found.
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -972,7 +972,13 @@ jobs:
          command: "./scripts/ci-job-succeeded.sh"
          when: on_success

-  scan-docker-images:
+  scan-docker-image:
+    description: "Scans a docker image for vulnerabilities using trivy"
+    parameters:
+      image:
+        type: string
+      tag:
+        type: string
    docker:
      - image: circleci/buildpack-deps:stretch
    steps:
@@ -995,29 +1001,11 @@ jobs:
          name: Clear trivy cache
          command: trivy --clear-cache
      - run:
-          name: Scan grafana/grafana:master
-          command: trivy --exit-code 1 grafana/grafana:master
-      - run:
-          name: Scan grafana/grafana:master-ubuntu
-          command: trivy --exit-code 1 grafana/grafana:master-ubuntu
-      - run:
-          name: Scan grafana/grafana-enterprise:master
-          command: trivy --exit-code 1 grafana/grafana-enterprise:master
+          name: Scan Docker image for unkown/low/medium vulnerabilities
+          command: trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM << parameters.image >>:<< parameters.tag >>
      - run:
-          name: Scan grafana/grafana-enterprise:master-ubuntu
-          command: trivy --exit-code 1 grafana/grafana-enterprise:master-ubuntu
-      - run:
-          name: Scan grafana/grafana:latest
-          command: trivy --exit-code 1 grafana/grafana:latest
-      - run:
-          name: Scan grafana/grafana:latest-ubuntu
-          command: trivy --exit-code 1 grafana/grafana:latest-ubuntu
-      - run:
-          name: Scan grafana/grafana-enterprise:latest
-          command: trivy --exit-code 1 grafana/grafana-enterprise:latest
-      - run:
-          name: Scan grafana/grafana-enterprise:latest-ubuntu
-          command: trivy --exit-code 1 grafana/grafana-enterprise:latest-ubuntu
+          name: Scan Docker image for high/critical vulnerabilities
+          command: trivy --exit-code 1 --severity HIGH,CRITICAL << parameters.image >>:<< parameters.tag >>
      - save_cache:
          key: vulnerability-db
          paths:
@@ -1343,4 +1331,8 @@ workflows:
          cron: "0 0 * * *"
          filters: *filter-only-master
    jobs:
-      - scan-docker-images
+      - scan-docker-image:
+          matrix:
+            parameters:
+              image: [grafana/grafana, grafana/grafana-enterprise]
+              tag: [latest, master, latest-ubuntu, master-ubuntu]