Security: Authenticate to GCR for trivy scans (#72658)

* Authenticate to GCR for trivy scans # Conflicts: # .drone.yml * verify-starlark * Change secret # Conflicts: # .drone.yml
2025-07-29 09:52:35 +08:00 · 2023-08-28 14:52:08 +03:00
parent bd7523381e
commit e100fc927e
3 changed files with 161 additions and 1 deletions
--- a/scripts/drone/events/cron.star
+++ b/scripts/drone/events/cron.star
@ -24,6 +24,17 @@ def cronjobs():
        grafana_com_nightly_pipeline(),
    ]

+def authenticate_gcr_step():
+    return {
+        "name": "authenticate-gcr",
+        "image": "docker:dind",
+        "commands": ["echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io"],
+        "environment": {
+            "GCR_CREDENTIALS": from_secret("gcr_credentials"),
+        },
+        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
+    }
+
 def cron_job_pipeline(cronName, name, steps):
    return {
        "kind": "pipeline",
@ -41,6 +52,14 @@ def cron_job_pipeline(cronName, name, steps):
            "retries": 3,
        },
        "steps": steps,
+        "volumes": [
+            {
+                "name": "docker",
+                "host": {
+                    "path": "/var/run/docker.sock",
+                },
+            },
+        ],
    }

 def scan_docker_image_pipeline(tag):
@ -58,6 +77,7 @@ def scan_docker_image_pipeline(tag):
        cronName = "nightly",
        name = "scan-" + docker_image + "-image",
        steps = [
+            authenticate_gcr_step(),
            scan_docker_image_unknown_low_medium_vulnerabilities_step(docker_image),
            scan_docker_image_high_critical_vulnerabilities_step(docker_image),
            slack_job_failed_step("grafana-backend-ops", docker_image),
@ -75,6 +95,7 @@ def scan_build_test_publish_docker_image_pipeline():
        cronName = "nightly",
        name = "scan-build-test-and-publish-docker-images",
        steps = [
+            authenticate_gcr_step(),
            scan_docker_image_unknown_low_medium_vulnerabilities_step("all"),
            scan_docker_image_high_critical_vulnerabilities_step("all"),
            slack_job_failed_step("grafana-backend-ops", "build-images"),
@ -101,6 +122,8 @@ def scan_docker_image_unknown_low_medium_vulnerabilities_step(docker_image):
        "name": "scan-unknown-low-medium-vulnerabilities",
        "image": aquasec_trivy_image,
        "commands": cmds,
+        "depends_on": ["authenticate-gcr"],
+        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
    }

 def scan_docker_image_high_critical_vulnerabilities_step(docker_image):
@ -123,6 +146,8 @@ def scan_docker_image_high_critical_vulnerabilities_step(docker_image):
        "name": "scan-high-critical-vulnerabilities",
        "image": aquasec_trivy_image,
        "commands": cmds,
+        "depends_on": ["authenticate-gcr"],
+        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
    }

 def slack_job_failed_step(channel, image):
--- a/scripts/drone/vault.star
+++ b/scripts/drone/vault.star
@ -148,4 +148,9 @@ def secrets():
            "infra/data/ci/grafana-release-eng/grafana-delivery-bot",
            "app-private-key",
        ),
+        vault_secret(
+            "gcr_credentials",
+            "secret/data/common/gcr",
+            "service-account",
+        ),
    ]