From e2f228dd72b5408720371aab74509ee747e30fc7 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 20 Mar 2026 13:57:25 +0000 Subject: [PATCH 01/10] Verify trivy installation --- .devcontainer/Dockerfile | 26 ++++- .devcontainer/devcontainer.json | 3 +- .github/workflows/build_all_images.yml | 1 + .github/workflows/build_multi_arch_image.yml | 7 +- .github/workflows/ci.yml | 4 +- .github/workflows/pull_request.yml | 6 +- .github/workflows/release.yml | 4 +- .gitignore | 1 + .tool-versions | 1 - Makefile | 7 +- package-lock.json | 8 +- package.json | 2 +- src/base/.devcontainer/.tool-versions | 1 - src/base/.devcontainer/Dockerfile | 18 +++ src/base/.devcontainer/Dockerfile.trivy.amd64 | 13 +++ src/base/.devcontainer/Dockerfile.trivy.arm64 | 13 +++ .../.devcontainer/scripts/install_cosign.sh | 109 ++++++++++++++++++ .../.devcontainer/scripts/install_trivy.sh | 62 ++++++++++ src/common/.trivyignore.yaml | 7 ++ .../eps-storage-terraform/.trivyignore.yaml | 5 + .../.devcontainer/.tool-versions | 2 +- .../.devcontainer/scripts/root_install.sh | 9 +- 22 files changed, 281 insertions(+), 28 deletions(-) create mode 100644 src/base/.devcontainer/Dockerfile.trivy.amd64 create mode 100644 src/base/.devcontainer/Dockerfile.trivy.arm64 create mode 100755 src/base/.devcontainer/scripts/install_cosign.sh create mode 100755 src/base/.devcontainer/scripts/install_trivy.sh diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 0e7ee62..9ef54e3 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
@@ -1,3 +1,20 @@ +FROM golang:1.26.1-bookworm AS build +ARG TARGETARCH +RUN apt-get update && apt-get install -y \ + jq \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* +COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh +COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh +RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh +RUN case "${TARGETARCH}" in \ + x86_64|amd64) TRIVY_ARCH=64bit ;; \ + aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ + *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ + esac \ + && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh + + FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 ARG TARGETARCH ENV TARGETARCH=${TARGETARCH} @@ -64,11 +81,13 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \ chmod 755 /usr/share/secrets-scanner && \ curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt +COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy + USER vscode -ENV PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin" +ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin" RUN \ - echo 'PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \ + echo 'PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \ echo '. <(asdf completion bash)' >> ~/.bashrc; \ echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc; \ echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc; \ 
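Review bot: `RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh` passes no version argument, so the script's `latest` default applies and the cosign binary that later verifies the trivy release is resolved from the GitHub API at build time rather than pinned; the same call appears in src/base/.devcontainer/Dockerfile and in both Dockerfile.trivy.* files of this patch. Passing an explicit release, e.g. `ARG COSIGN_VERSION=<pinned-cosign-version>` followed by `RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh "${COSIGN_VERSION}"`, keeps the verifier reproducible and makes upgrades show up in the diff. The `apt-get install -y jq` line would also be tighter with `--no-install-recommends`. Later patches in this series replace the script with a distro package, which addresses the same point.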
@@ -83,8 +102,7 @@ RUN asdf plugin add python; \ asdf plugin add actionlint; \ asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \ asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \ - asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git - + asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git; WORKDIR /workspaces/eps-devcontainers COPY .tool-versions /workspaces/eps-devcontainers/.tool-versions diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index b08221a..645e5c2 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -12,7 +12,8 @@ "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" + "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.gitconfig,target=/home/vscode/.gitconfig,type=bind" ], "runArgs": [ "--network=host" diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 111abf8..fe3279a 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -33,6 +33,7 @@ jobs: echo "node_24_languages=$node_24_language_folders" echo "projects=$project_folders" } >> "$GITHUB_OUTPUT" + package_base_docker_image: uses: ./.github/workflows/build_multi_arch_image.yml with: diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index b9d5334..11c1857 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
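Review bot: The new `.gitconfig` entry in `mounts` is a read-write bind, so anything running inside the container can rewrite the host's global git config (credential helpers, `core.hooksPath`, url rewrites included). If the mount only exists so git inside the container sees the host identity and aliases, append `,readonly` to the mount string; if `git config --global` writes from inside the container are expected, a short comment saying so would spare the next reader the question. The Dev Containers tooling is generally documented as copying the host `.gitconfig` into the container by default, so it may be worth confirming that the bind mount is needed at all.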
@@ -64,9 +64,10 @@ jobs: with: fetch-depth: 0 - name: setup trivy - uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 - with: - version: v0.69.3 + run: | + docker build --output=/usr/local/bin/ -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" . + env: + ARCH: '${{ matrix.arch }}' - name: setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f04c601..e154460 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,7 +23,7 @@ jobs: TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0 + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ac2707dd9cd60ad127275179495b9c890d74711 needs: - get_asdf_version with: @@ -32,7 +32,7 @@ jobs: SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' tag_release: needs: [quality_checks, get_asdf_version] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0 + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@5ac2707dd9cd60ad127275179495b9c890d74711 with: dry_run: true asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 9c5b128..e781f69 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
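Review bot: The replaced `setup-trivy` step recorded the installed version (`v0.69.3`) in the workflow, whereas the new `docker build --output=/usr/local/bin/ ...` step leaves the version to `VERSION` inside install_trivy.sh and prints nothing about what actually landed on the runner. Adding `trivy --version` after the build in the same `run:` block keeps the version visible in the job log and turns a silent export problem into a failed step. Passing `matrix.arch` through `env:` rather than interpolating it into the script is the right shape; the value only selects the Dockerfile name. Whether the build stage's native platform agrees with the runner for each `matrix.arch` entry is not visible here, so if arm64 entries run on amd64 hosts the build may need a `--platform` argument.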
@@ -9,7 +9,7 @@ jobs: dependabot-auto-approve-and-merge: needs: quality_checks uses: >- - NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0 + NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ac2707dd9cd60ad127275179495b9c890d74711 secrets: AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}' AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}' @@ -32,7 +32,7 @@ jobs: TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0 + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ac2707dd9cd60ad127275179495b9c890d74711 needs: - get_asdf_version with: @@ -41,7 +41,7 @@ jobs: SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' pr_title_format_check: uses: >- - NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0 + NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ac2707dd9cd60ad127275179495b9c890d74711 get_issue_number: runs-on: ubuntu-22.04 needs: quality_checks diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 00fbc92..4d839d3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,7 +24,7 @@ jobs: TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml) echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT" quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0 + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ac2707dd9cd60ad127275179495b9c890d74711 needs: - get_asdf_version with: 
@@ -33,7 +33,7 @@ jobs: SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' tag_release: needs: [quality_checks, get_asdf_version] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@3166a790ef94af847ffcafc6b9fbadbf4c56f6d0 + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@5ac2707dd9cd60ad127275179495b9c890d74711 with: dry_run: false asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }} diff --git a/.gitignore b/.gitignore index 35bc1fd..7c362b6 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ src/base/.devcontainer/language_versions/ .trivyignore_combined.yaml .out/ .envrc +.trivy_out/ diff --git a/.tool-versions b/.tool-versions index 1aed182..2500101 100644 --- a/.tool-versions +++ b/.tool-versions @@ -5,5 +5,4 @@ shellcheck 0.11.0 direnv 2.37.1 actionlint 1.7.10 ruby 3.3.0 -trivy 0.69.3 yq 4.52.2 diff --git a/Makefile b/Makefile index 8b40ad8..f5767ed 100644 --- a/Makefile +++ b/Makefile @@ -10,6 +10,9 @@ guard-%: exit 1; \ fi +.PHONY: install install-python install-node install-hooks build-base-image build-node-24-image build-node-24-python-3-10-image build-node-24-python-3-12-image build-node-24-python-3-13-image build-node-24-python-3-14-image \ + build-eps-storage-terraform-image build-fhir-facade-image build-node-24-python-3-14-golang-1-24-image build-node-24-python-3-14-java-24-image \ + build-regression-tests-image build-all build-image build-githubactions-image scan-image scan-image-json shell-image lint test lint-githubactions lint-githubaction-scripts github-login clean install: install-python install-node install-hooks install-python: @@ -129,13 +132,9 @@ test: lint-githubactions: actionlint -github-login: - gh auth login --scopes read:packages - lint-githubaction-scripts: shellcheck .github/scripts/*.sh clean: rm -rf .out find . -type f -name '.trivyignore_combined.yaml' -delete - diff --git a/package-lock.json b/package-lock.json index 827a984..e8e1a35 100644 --- a/package-lock.json 
+++ b/package-lock.json @@ -9,13 +9,13 @@ "version": "1.0.0", "license": "ISC", "dependencies": { - "@devcontainers/cli": "^0.84.0" + "@devcontainers/cli": "^0.84.1" } }, "node_modules/@devcontainers/cli": { - "version": "0.84.0", - "resolved": "https://registry.npmjs.org/@devcontainers/cli/-/cli-0.84.0.tgz", - "integrity": "sha512-zAG9Kvj8qH6bAvReYTO5ZtDUHNr6OEsUqXxK1L1856XZN6c2RVV7aSAp/qIADGqqe0poqPr+ighFlvui2CH2LQ==", + "version": "0.84.1", + "resolved": "https://registry.npmjs.org/@devcontainers/cli/-/cli-0.84.1.tgz", + "integrity": "sha512-r+JR/4R8lznPQNwLyHPIzHJ1mj3p2l5lGyHeq2FetEfpe6s6BVLE9mFl7MxQI4wKNqfWCIO7DSokoCWRlzQSIg==", "license": "MIT", "bin": { "devcontainer": "devcontainer.js" diff --git a/package.json b/package.json index 44a8da5..43f5056 100644 --- a/package.json +++ b/package.json @@ -9,6 +9,6 @@ "license": "ISC", "description": "", "dependencies": { - "@devcontainers/cli": "^0.84.0" + "@devcontainers/cli": "^0.84.1" } } diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions index bac5b7b..7aaf5f8 100644 --- a/src/base/.devcontainer/.tool-versions +++ b/src/base/.devcontainer/.tool-versions @@ -2,5 +2,4 @@ shellcheck 0.11.0 direnv 2.37.1 actionlint 1.7.11 ruby 3.3.0 -trivy 0.69.3 yq 4.52.4 diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 1d39021..69d2bf8 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -1,3 +1,19 @@ +FROM golang:1.26.1-bookworm AS build +ARG TARGETARCH +RUN apt-get update && apt-get install -y \ + jq \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* +COPY scripts/install_cosign.sh /tmp/install_cosign.sh +COPY scripts/install_trivy.sh /tmp/install_trivy.sh +RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh +RUN case "${TARGETARCH}" in \ + x86_64|amd64) TRIVY_ARCH=64bit ;; \ + aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ + *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ + esac \ + && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh + FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 ARG SCRIPTS_DIR=/usr/local/share/eps @@ -16,6 +32,8 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./root_install.sh +COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy + COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh USER vscode COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf diff --git a/src/base/.devcontainer/Dockerfile.trivy.amd64 b/src/base/.devcontainer/Dockerfile.trivy.amd64 new file mode 100644 index 0000000..169855e --- /dev/null +++ b/src/base/.devcontainer/Dockerfile.trivy.amd64 @@ -0,0 +1,13 @@ +FROM golang:1.26.1-bookworm AS build +RUN apt-get update && apt-get install -y \ + jq \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* +COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh +COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh +RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh +RUN INSTALL_DIR=/tmp/trivy/ ARCH=64bit /tmp/install_trivy.sh + +FROM scratch +COPY --from=build /tmp/trivy/trivy / +ENTRYPOINT ["/trivy"] diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64 new file mode 100644 index 0000000..379dc5d --- /dev/null +++ b/src/base/.devcontainer/Dockerfile.trivy.arm64 
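Review bot: `Dockerfile.trivy.amd64` and `Dockerfile.trivy.arm64` (the next hunk) are identical apart from `ARCH=64bit`/`ARCH=ARM64`, and they already diverge within this patch: the amd64 file copies from `src/base/.devcontainer/scripts/` while the arm64 file copies from `scripts/`, so only one of them resolves against the repo-root build context used in build_multi_arch_image.yml. A single Dockerfile that takes the archive architecture as a build argument, e.g. `ARG TRIVY_ARCH=64bit` with `RUN INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh` and `--build-arg TRIVY_ARCH=ARM64` from the workflow, would remove the duplication and this class of drift. If two files are kept, a one-line comment at the top of each noting that it must stay in sync with the other at least flags the coupling.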
@@ -0,0 +1,13 @@
+FROM golang:1.26.1-bookworm AS build
+RUN apt-get update && apt-get install -y \
+ jq \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+COPY scripts/install_cosign.sh /tmp/install_cosign.sh
+COPY scripts/install_trivy.sh /tmp/install_trivy.sh
+RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
+RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh
+
+FROM scratch
+COPY --from=build /tmp/trivy/trivy /
+ENTRYPOINT ["/trivy"]
diff --git a/src/base/.devcontainer/scripts/install_cosign.sh b/src/base/.devcontainer/scripts/install_cosign.sh
new file mode 100755
index 0000000..d0d3d4f
--- /dev/null
+++ b/src/base/.devcontainer/scripts/install_cosign.sh
@@ -0,0 +1,109 @@ +#!/usr/bin/env bash +set -euo pipefail + +DEFAULT_INSTALL_DIR="/usr/local/bin" +INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}" +REQUESTED_VERSION="${1:-latest}" +OS="$(uname -s)" +ARCH="$(uname -m)" +API_URL="https://api.github.com/repos/sigstore/cosign/releases" + +usage() { + cat <<'EOF' +Usage: install_cosign.sh [version] + +Downloads the requested cosign release (default: latest) for Linux amd64, verifies +its signature, and installs it into $INSTALL_DIR (override via INSTALL_DIR env var). +EOF +} + +if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then + usage + exit 0 +fi + +if [[ "$OS" != "Linux" ]]; then + echo "Error: This installer currently supports Linux only" >&2 + exit 1 +fi + +case "$ARCH" in + x86_64|amd64) + BINARY_NAME="cosign-linux-amd64" + ;; + aarch64|arm64) + BINARY_NAME="cosign-linux-arm64" + ;; + *) + echo "Error: Unsupported architecture $ARCH" >&2 + exit 1 + ;; +esac + +for cmd in curl openssl install go jq; do + if ! command -v "$cmd" >/dev/null 2>&1; then + echo "Error: $cmd is required but not found in PATH" >&2 + exit 1 + fi +done + +get_latest_tag() { + local response + response="$(curl -fsSL "$API_URL/latest")" + awk -F'"' '/tag_name/ {print $4; exit}' <<<"$response" +} + +VERSION="$REQUESTED_VERSION" +if [[ "$VERSION" == "latest" ]]; then + VERSION="$(get_latest_tag)" +fi + +if [[ -z "$VERSION" ]]; then + echo "Error: Unable to determine cosign version" >&2 + exit 1 +fi + +BASE_URL="https://github.com/sigstore/cosign/releases/download/${VERSION}" +TMP_DIR="$(mktemp -d)" +trap 'rm -rf "$TMP_DIR"' EXIT + +download() { + local url="${1}" dest="${2}" + echo "Downloading ${dest} ..." 
+ curl -fsSL "${url}" -o "${dest}" +} + +BIN_PATH="$TMP_DIR/${BINARY_NAME}" +SIGSTORE_PATH="$TMP_DIR/${BINARY_NAME}-kms.sigstore.json" +ARTIFACT_PATH="$TMP_DIR/artifact.pub" +DECODED_SIGSTORE_PATH="$TMP_DIR/cosign-kms.sig.decoded" + +download "${BASE_URL}/${BINARY_NAME}" "$BIN_PATH" +download "${BASE_URL}/${BINARY_NAME}-kms.sigstore.json" "$SIGSTORE_PATH" + +# install tuf-client +go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest + +# setup tuf-client +SIGSTORE_ROOT_PATH="$TMP_DIR/sigstore-root.json" +curl -o "$SIGSTORE_ROOT_PATH" https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/metadata/root_history/10.root.json +tuf-client init https://tuf-repo-cdn.sigstore.dev "$SIGSTORE_ROOT_PATH" + +tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > "$ARTIFACT_PATH" + +cat "$SIGSTORE_PATH" | jq -r .messageSignature.signature | base64 -d > "$DECODED_SIGSTORE_PATH" +pushd "$TMP_DIR" >/dev/null +echo "verifying signature with artifact.pub" +openssl dgst -sha256 -verify "$ARTIFACT_PATH" -signature "$DECODED_SIGSTORE_PATH" "$BIN_PATH" +popd >/dev/null + +echo "verifying signature with cosign verify-blob" +chmod +x "$BIN_PATH" +${BIN_PATH} verify-blob --bundle "${SIGSTORE_PATH}" --key "$ARTIFACT_PATH" "$BIN_PATH" + +mkdir -p "$INSTALL_DIR" +install -m 0755 "$BIN_PATH" "${INSTALL_DIR}/cosign" + +"${INSTALL_DIR}/cosign" version + +echo "cosign ${VERSION} installed to ${INSTALL_DIR}" diff --git a/src/base/.devcontainer/scripts/install_trivy.sh b/src/base/.devcontainer/scripts/install_trivy.sh new file mode 100755 index 0000000..9e0588e --- /dev/null +++ b/src/base/.devcontainer/scripts/install_trivy.sh 
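Review bot: The trust chain this script builds rests on three unpinned inputs: `REQUESTED_VERSION` defaults to `latest` (resolved through the unauthenticated GitHub API, which is also rate-limited on shared runners), `go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest` takes whatever the module proxy currently serves, and the TUF root file is fetched by path from the `main` branch of sigstore/root-signing with no digest check on what was downloaded. Because this binary is what later verifies the trivy release, those inputs should be fixed (a version argument from the Dockerfile, a tagged tuf-client version, and a pinned root file with an expected sha256) so the result is reproducible. The `cat "$SIGSTORE_PATH" | jq ...` line can read the file directly with `jq -r .messageSignature.signature "$SIGSTORE_PATH"`. Patch 04/10 in this series deletes the script in favour of a packaged cosign, which resolves the point for the series as a whole.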
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DEFAULT_INSTALL_DIR="/usr/local/bin"
+INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
+VERSION="v0.69.3"
+DEFAULT_ARCH="64bit"
+ARCH="${ARCH:-$DEFAULT_ARCH}"
+RELEASE_NUMBER="${VERSION#v}"
+BASE_URL="https://github.com/aquasecurity/trivy/releases/download/${VERSION}"
+ARCHIVE="trivy_${RELEASE_NUMBER}_Linux-${ARCH}.tar.gz"
+BUNDLE="${ARCHIVE}.sigstore.json"
+CERT_IDENTITY="https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/${VERSION}"
+
+usage() {
+ cat <<'EOF'
+Usage: install_trivy.sh [output_dir]
+
+Downloads Trivy, its sigstore bundle, and checksum into output_dir (default: current directory),
+then verifies the checksum and the sigstore bundle, following
+https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md.
+EOF
+}
+
+if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+ usage
+ exit 0
+fi
+
+for cmd in curl cosign sha256sum; do
+ if ! command -v "$cmd" >/dev/null 2>&1; then
+ echo "Error: $cmd is required but not found in PATH" >&2
+ exit 1
+ fi
+done
+
+TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+download() {
+ local url="${1}" dest="${2}"
+ echo "Downloading ${dest} ..."
+ curl -fsSL "${url}" -o "${dest}"
+}
+ARCHIVE_PATH="${TMP_DIR}/${ARCHIVE}"
+BUNDLE_PATH="${TMP_DIR}/${BUNDLE}"
+download "${BASE_URL}/${ARCHIVE}" "${ARCHIVE_PATH}"
+download "${BASE_URL}/${BUNDLE}" "${BUNDLE_PATH}"
+
+
+cosign verify-blob-attestation "${ARCHIVE_PATH}" \
+ --bundle "${BUNDLE_PATH}" \
+ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+ --certificate-identity "${CERT_IDENTITY}"
+
+echo "Sigstore verification passed"
+tar -xzf "${ARCHIVE_PATH}" -C "${TMP_DIR}"
+
+mkdir -p "$INSTALL_DIR"
+install -m 0755 "$TMP_DIR/trivy" "${INSTALL_DIR}/trivy"
+
+echo "trivy ${VERSION} installed to ${INSTALL_DIR}"
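Review bot: The `usage()` text promises an `[output_dir]` argument and a checksum check, and the prerequisite loop demands `sha256sum`, but the script accepts no positional argument (only the `INSTALL_DIR` and `ARCH` environment variables), never downloads a checksum file and never calls `sha256sum`; the only integrity check is `cosign verify-blob-attestation`, which is the stronger of the two anyway. Either drop `sha256sum` from the `for cmd in` list and rewrite the usage to describe what the script actually does (`Usage: INSTALL_DIR=<dir> ARCH=<64bit|ARM64> install_trivy.sh`), or implement the documented checksum step; as written the message will mislead whoever debugs a failed install. `ARCH` is also accepted unvalidated, so a typo only surfaces as a curl 404 on the download; a `case "$ARCH" in 64bit|ARM64) ;; *) echo "Error: unsupported ARCH $ARCH" >&2; exit 1 ;; esac` before the downloads gives a clearer failure.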
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
index 6e434c8..2fa09b9 100644
--- a/src/common/.trivyignore.yaml
+++ b/src/common/.trivyignore.yaml
@@ -432,3 +432,10 @@ vulnerabilities:
 purls:
 - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04"
 expired_at: 2026-09-16
+ - id: CVE-2026-33186
+ statement: "gRPC-Go has an authorization bypass via missing leading slash in :path"
+ purls:
+ - "pkg:golang/google.golang.org/grpc@v1.74.2"
+ - "pkg:golang/google.golang.org/grpc@v1.78.0"
+ - "pkg:golang/google.golang.org/grpc@v1.79.2"
+ expired_at: 2026-09-20
diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml
index 79605cd..6fa00f4 100644
--- a/src/projects/eps-storage-terraform/.trivyignore.yaml
+++ b/src/projects/eps-storage-terraform/.trivyignore.yaml
@@ -110,3 +110,8 @@ vulnerabilities:
 purls:
 - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0"
 expired_at: 2026-09-10
+ - id: CVE-2026-33186
+ statement: "gRPC-Go has an authorization bypass via missing leading slash in :path"
+ purls:
+ - "pkg:golang/google.golang.org/grpc@v1.69.4"
+ expired_at: 2026-09-20
diff --git a/src/projects/regression_tests/.devcontainer/.tool-versions b/src/projects/regression_tests/.devcontainer/.tool-versions
index edb8359..0cf1997 100644
--- a/src/projects/regression_tests/.devcontainer/.tool-versions
+++ b/src/projects/regression_tests/.devcontainer/.tool-versions
@@ -1 +1 @@
-allure 2.37.0
+allure 2.38.0
diff --git a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
index 474c45b..97d3b80 100755
--- a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
+++ b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
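Review bot: The new `statement` for CVE-2026-33186 repeats the advisory title rather than recording why the finding is acceptable to suppress in these images, so a reader at the `expired_at: 2026-09-20` review cannot tell whether it was unreachable, pending an upstream bump, or merely noisy; the same wording is used in the src/projects/eps-storage-terraform/.trivyignore.yaml hunk below. A statement of the form `statement: "gRPC-Go authorization bypass (missing leading slash in :path); <which tool vendors grpc and why the server path is not exposed> - revisit when <that tool> ships a fixed grpc"` (placeholders to be filled in) would make the expiry review meaningful. Three distinct grpc versions are listed under `purls`, which suggests several vendored tools carry the module; naming them in the statement helps when one is upgraded and its purl can be dropped.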
@@ -1,6 +1,13 @@ #!/usr/bin/env bash -set -e +set -euo pipefail + +# install chrome +mkdir -p /etc/apt/keyrings +wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo tee /etc/apt/keyrings/google.asc >/dev/null +sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list' +apt-get update +apt-get install -y google-chrome-stable # clean up apt-get clean From ddbe3118f580eccea6242a86f1116150ea3bddb9 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 21 Mar 2026 12:07:32 +0000 Subject: [PATCH 02/10] update script location --- src/base/.devcontainer/Dockerfile.trivy.arm64 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64 index 379dc5d..4c78e6c 100644 --- a/src/base/.devcontainer/Dockerfile.trivy.arm64 +++ b/src/base/.devcontainer/Dockerfile.trivy.arm64 @@ -3,8 +3,8 @@ RUN apt-get update && apt-get install -y \ jq \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -COPY scripts/install_cosign.sh /tmp/install_cosign.sh -COPY scripts/install_trivy.sh /tmp/install_trivy.sh +COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh +COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh From fa65932ac7b8bd6a9ff014e0ca3b5bd5a76cd111 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sat, 21 Mar 2026 12:11:22 +0000 Subject: [PATCH 03/10] copilot suggestions --- .devcontainer/Dockerfile | 1 - src/base/.devcontainer/scripts/install_cosign.sh | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 9ef54e3..2a74db1 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
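Review bot: The Chrome repository setup mixes privilege models: the key is written through `sudo tee /etc/apt/keyrings/google.asc`, while the next line writes `/etc/apt/sources.list.d/google.list` through an unprivileged `sh -c` redirect and `apt-get install` runs plain, so the script only works when it is already root, in which case the `sudo` is redundant (and would fail outright in a stage where `sudo` is not installed). Given the file is named root_install.sh, dropping `sudo` and the `sh -c` wrapper, i.e. `wget -q -O /etc/apt/keyrings/google.asc https://dl-ssl.google.com/linux/linux_signing_key.pub` and `echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list`, is consistent with the rest of the file. The signing key is trusted solely because it arrived over HTTPS from Google; if the image should be reproducible, pinning the key's fingerprint (or vendoring the key into the repo) is the usual next step, and `google-chrome-stable` is installed unpinned, so the browser version changes on every rebuild. The `set -euo pipefail` change is a good addition, since the `wget | tee` pipeline would otherwise hide a failed download.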
@@ -101,7 +101,6 @@ RUN asdf plugin add python; \ asdf plugin add direnv; \ asdf plugin add actionlint; \ asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \ - asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \ asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git; WORKDIR /workspaces/eps-devcontainers diff --git a/src/base/.devcontainer/scripts/install_cosign.sh b/src/base/.devcontainer/scripts/install_cosign.sh index d0d3d4f..6fe7be1 100755 --- a/src/base/.devcontainer/scripts/install_cosign.sh +++ b/src/base/.devcontainer/scripts/install_cosign.sh @@ -12,7 +12,7 @@ usage() { cat <<'EOF' Usage: install_cosign.sh [version] -Downloads the requested cosign release (default: latest) for Linux amd64, verifies +Downloads the requested cosign release (default: latest) for Linux amd64 and arm64, verifies its signature, and installs it into $INSTALL_DIR (override via INSTALL_DIR env var). EOF } @@ -86,7 +86,7 @@ go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest # setup tuf-client SIGSTORE_ROOT_PATH="$TMP_DIR/sigstore-root.json" -curl -o "$SIGSTORE_ROOT_PATH" https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/metadata/root_history/10.root.json +curl -fsSL https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/metadata/root_history/10.root.json -o "$SIGSTORE_ROOT_PATH" tuf-client init https://tuf-repo-cdn.sigstore.dev "$SIGSTORE_ROOT_PATH" tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > "$ARTIFACT_PATH" From 890ce6ce173145c8f33e4d8aebfd245b19056467 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Sun, 22 Mar 2026 15:41:23 +0000 Subject: [PATCH 04/10] install trivy from arch --- Makefile | 2 +- src/base/.devcontainer/Dockerfile | 9 +- src/base/.devcontainer/Dockerfile.trivy.amd64 | 12 +- src/base/.devcontainer/Dockerfile.trivy.arm64 | 12 +- .../.devcontainer/scripts/install_cosign.sh | 109 ------------------ 5 files changed, 11 insertions(+), 133 deletions(-) delete mode 100755 src/base/.devcontainer/scripts/install_cosign.sh diff --git a/Makefile b/Makefile index f5767ed..697df53 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ guard-%: .PHONY: install install-python install-node install-hooks build-base-image build-node-24-image build-node-24-python-3-10-image build-node-24-python-3-12-image build-node-24-python-3-13-image build-node-24-python-3-14-image \ build-eps-storage-terraform-image build-fhir-facade-image build-node-24-python-3-14-golang-1-24-image build-node-24-python-3-14-java-24-image \ - build-regression-tests-image build-all build-image build-githubactions-image scan-image scan-image-json shell-image lint test lint-githubactions lint-githubaction-scripts github-login clean + build-regression-tests-image build-all build-image build-githubactions-image scan-image scan-image-json shell-image lint test lint-githubactions lint-githubaction-scripts clean install: install-python install-node install-hooks install-python: diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 69d2bf8..7304011 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -1,12 +1,7 @@ -FROM golang:1.26.1-bookworm AS build +FROM archlinux:latest AS build ARG TARGETARCH -RUN apt-get update && apt-get install -y \ - jq \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* -COPY scripts/install_cosign.sh /tmp/install_cosign.sh +RUN pacman -Sy --noconfirm cosign bash curl jq COPY scripts/install_trivy.sh /tmp/install_trivy.sh -RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh RUN case "${TARGETARCH}" in \ x86_64|amd64) TRIVY_ARCH=64bit ;; \ aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ diff --git a/src/base/.devcontainer/Dockerfile.trivy.amd64 b/src/base/.devcontainer/Dockerfile.trivy.amd64 index 169855e..e1c6abe 100644 --- a/src/base/.devcontainer/Dockerfile.trivy.amd64 +++ b/src/base/.devcontainer/Dockerfile.trivy.amd64 @@ -1,11 +1,7 @@ -FROM golang:1.26.1-bookworm AS build -RUN apt-get update && apt-get install -y \ - jq \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* -COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh -COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh -RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh +FROM archlinux:latest AS build +ARG TARGETARCH +RUN pacman -Sy --noconfirm cosign bash curl jq +COPY scripts/install_trivy.sh /tmp/install_trivy.sh RUN INSTALL_DIR=/tmp/trivy/ ARCH=64bit /tmp/install_trivy.sh FROM scratch diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64 index 4c78e6c..8862615 100644 --- a/src/base/.devcontainer/Dockerfile.trivy.arm64 +++ b/src/base/.devcontainer/Dockerfile.trivy.arm64 
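Review bot: `ARG TARGETARCH` is added to `Dockerfile.trivy.amd64` (and to `Dockerfile.trivy.arm64` in the next hunk) but nothing in either file reads it; the architecture is still fixed by the literal `ARCH=64bit` / `ARCH=ARM64` on the install line, so the declaration only suggests a parameterisation that does not exist. Either remove the two `ARG TARGETARCH` lines, or make them real by mapping `TARGETARCH` to the trivy archive name the way `src/base/.devcontainer/Dockerfile` does and collapsing the two files into one. Separately, `FROM archlinux:latest` with `pacman -Sy` installs packages against a freshly synced database on an unpinned base, which is the partial-update pattern Arch advises against; the next two patches in the series pin the base and then move to alpine, so that part is already handled.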
@@ -1,11 +1,7 @@ -FROM golang:1.26.1-bookworm AS build -RUN apt-get update && apt-get install -y \ - jq \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* -COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh -COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh -RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh +FROM archlinux:latest AS build +ARG TARGETARCH +RUN pacman -Sy --noconfirm cosign bash curl jq +COPY scripts/install_trivy.sh /tmp/install_trivy.sh RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh FROM scratch diff --git a/src/base/.devcontainer/scripts/install_cosign.sh b/src/base/.devcontainer/scripts/install_cosign.sh deleted file mode 100755 index 6fe7be1..0000000 --- a/src/base/.devcontainer/scripts/install_cosign.sh +++ /dev/null 
@@ -1,109 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -DEFAULT_INSTALL_DIR="/usr/local/bin" -INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}" -REQUESTED_VERSION="${1:-latest}" -OS="$(uname -s)" -ARCH="$(uname -m)" -API_URL="https://api.github.com/repos/sigstore/cosign/releases" - -usage() { - cat <<'EOF' -Usage: install_cosign.sh [version] - -Downloads the requested cosign release (default: latest) for Linux amd64 and arm64, verifies -its signature, and installs it into $INSTALL_DIR (override via INSTALL_DIR env var). -EOF -} - -if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then - usage - exit 0 -fi - -if [[ "$OS" != "Linux" ]]; then - echo "Error: This installer currently supports Linux only" >&2 - exit 1 -fi - -case "$ARCH" in - x86_64|amd64) - BINARY_NAME="cosign-linux-amd64" - ;; - aarch64|arm64) - BINARY_NAME="cosign-linux-arm64" - ;; - *) - echo "Error: Unsupported architecture $ARCH" >&2 - exit 1 - ;; -esac - -for cmd in curl openssl install go jq; do - if ! command -v "$cmd" >/dev/null 2>&1; then - echo "Error: $cmd is required but not found in PATH" >&2 - exit 1 - fi -done - -get_latest_tag() { - local response - response="$(curl -fsSL "$API_URL/latest")" - awk -F'"' '/tag_name/ {print $4; exit}' <<<"$response" -} - -VERSION="$REQUESTED_VERSION" -if [[ "$VERSION" == "latest" ]]; then - VERSION="$(get_latest_tag)" -fi - -if [[ -z "$VERSION" ]]; then - echo "Error: Unable to determine cosign version" >&2 - exit 1 -fi - -BASE_URL="https://github.com/sigstore/cosign/releases/download/${VERSION}" -TMP_DIR="$(mktemp -d)" -trap 'rm -rf "$TMP_DIR"' EXIT - -download() { - local url="${1}" dest="${2}" - echo "Downloading ${dest} ..." 
- curl -fsSL "${url}" -o "${dest}" -} - -BIN_PATH="$TMP_DIR/${BINARY_NAME}" -SIGSTORE_PATH="$TMP_DIR/${BINARY_NAME}-kms.sigstore.json" -ARTIFACT_PATH="$TMP_DIR/artifact.pub" -DECODED_SIGSTORE_PATH="$TMP_DIR/cosign-kms.sig.decoded" - -download "${BASE_URL}/${BINARY_NAME}" "$BIN_PATH" -download "${BASE_URL}/${BINARY_NAME}-kms.sigstore.json" "$SIGSTORE_PATH" - -# install tuf-client -go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest - -# setup tuf-client -SIGSTORE_ROOT_PATH="$TMP_DIR/sigstore-root.json" -curl -fsSL https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/metadata/root_history/10.root.json -o "$SIGSTORE_ROOT_PATH" -tuf-client init https://tuf-repo-cdn.sigstore.dev "$SIGSTORE_ROOT_PATH" - -tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > "$ARTIFACT_PATH" - -cat "$SIGSTORE_PATH" | jq -r .messageSignature.signature | base64 -d > "$DECODED_SIGSTORE_PATH" -pushd "$TMP_DIR" >/dev/null -echo "verifying signature with artifact.pub" -openssl dgst -sha256 -verify "$ARTIFACT_PATH" -signature "$DECODED_SIGSTORE_PATH" "$BIN_PATH" -popd >/dev/null - -echo "verifying signature with cosign verify-blob" -chmod +x "$BIN_PATH" -${BIN_PATH} verify-blob --bundle "${SIGSTORE_PATH}" --key "$ARTIFACT_PATH" "$BIN_PATH" - -mkdir -p "$INSTALL_DIR" -install -m 0755 "$BIN_PATH" "${INSTALL_DIR}/cosign" - -"${INSTALL_DIR}/cosign" version - -echo "cosign ${VERSION} installed to ${INSTALL_DIR}" From 906f8a08ad80a87755b952a3196fb3d55710bb92 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 22 Mar 2026 15:44:00 +0000 Subject: [PATCH 05/10] use date for dockerfile --- src/base/.devcontainer/Dockerfile | 2 +- src/base/.devcontainer/Dockerfile.trivy.amd64 | 2 +- src/base/.devcontainer/Dockerfile.trivy.arm64 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 7304011..da436a8 100644 --- a/src/base/.devcontainer/Dockerfile 
+++ b/src/base/.devcontainer/Dockerfile @@ -1,4 +1,4 @@ -FROM archlinux:latest AS build +FROM archlinux:base-20260315.0.500537 AS build ARG TARGETARCH RUN pacman -Sy --noconfirm cosign bash curl jq COPY scripts/install_trivy.sh /tmp/install_trivy.sh diff --git a/src/base/.devcontainer/Dockerfile.trivy.amd64 b/src/base/.devcontainer/Dockerfile.trivy.amd64 index e1c6abe..5dcbe0e 100644 --- a/src/base/.devcontainer/Dockerfile.trivy.amd64 +++ b/src/base/.devcontainer/Dockerfile.trivy.amd64 @@ -1,4 +1,4 @@ -FROM archlinux:latest AS build +FROM archlinux:base-20260315.0.500537 AS build ARG TARGETARCH RUN pacman -Sy --noconfirm cosign bash curl jq COPY scripts/install_trivy.sh /tmp/install_trivy.sh diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64 index 8862615..98e4681 100644 --- a/src/base/.devcontainer/Dockerfile.trivy.arm64 +++ b/src/base/.devcontainer/Dockerfile.trivy.arm64 @@ -1,4 +1,4 @@ -FROM archlinux:latest AS build +FROM archlinux:base-20260315.0.500537 AS build ARG TARGETARCH RUN pacman -Sy --noconfirm cosign bash curl jq COPY scripts/install_trivy.sh /tmp/install_trivy.sh From 3a69e97eaf75fad86f0ee20d4b18660a9ddcedc0 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Sun, 22 Mar 2026 15:48:48 +0000 Subject: [PATCH 06/10] use alpine --- src/base/.devcontainer/Dockerfile | 4 ++-- src/base/.devcontainer/Dockerfile.trivy.amd64 | 4 ++-- src/base/.devcontainer/Dockerfile.trivy.arm64 | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index da436a8..b67f52f 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
@@ -1,6 +1,6 @@
-FROM archlinux:base-20260315.0.500537 AS build
+FROM alpine:3.23.3 AS build
 ARG TARGETARCH
-RUN pacman -Sy --noconfirm cosign bash curl jq
+RUN apk add --no-cache cosign bash curl jq
 COPY scripts/install_trivy.sh /tmp/install_trivy.sh
 RUN case "${TARGETARCH}" in \
 x86_64|amd64) TRIVY_ARCH=64bit ;; \
diff --git a/src/base/.devcontainer/Dockerfile.trivy.amd64 b/src/base/.devcontainer/Dockerfile.trivy.amd64
index 5dcbe0e..9e3f19c 100644
--- a/src/base/.devcontainer/Dockerfile.trivy.amd64
+++ b/src/base/.devcontainer/Dockerfile.trivy.amd64
@@ -1,6 +1,6 @@
-FROM archlinux:base-20260315.0.500537 AS build
+FROM alpine:3.23.3 AS build
 ARG TARGETARCH
-RUN pacman -Sy --noconfirm cosign bash curl jq
+RUN apk add --no-cache cosign bash curl jq
 COPY scripts/install_trivy.sh /tmp/install_trivy.sh
 RUN INSTALL_DIR=/tmp/trivy/ ARCH=64bit /tmp/install_trivy.sh
 
diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64
index 98e4681..27ad8da 100644
--- a/src/base/.devcontainer/Dockerfile.trivy.arm64
+++ b/src/base/.devcontainer/Dockerfile.trivy.arm64
@@ -1,6 +1,6 @@
-FROM archlinux:base-20260315.0.500537 AS build
+FROM alpine:3.23.3 AS build
 ARG TARGETARCH
-RUN pacman -Sy --noconfirm cosign bash curl jq
+RUN apk add --no-cache cosign bash curl jq
 COPY scripts/install_trivy.sh /tmp/install_trivy.sh
 RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh
 

From 3f0575bd9ca4e2c4490ed6318f519fc9323412c2 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 22 Mar 2026 16:27:23 +0000
Subject: [PATCH 07/10] fix path

---
 src/base/.devcontainer/Dockerfile.trivy.amd64 | 2 +-
 src/base/.devcontainer/Dockerfile.trivy.arm64 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/base/.devcontainer/Dockerfile.trivy.amd64 b/src/base/.devcontainer/Dockerfile.trivy.amd64
index 9e3f19c..bdf0718 100644
--- a/src/base/.devcontainer/Dockerfile.trivy.amd64
+++ b/src/base/.devcontainer/Dockerfile.trivy.amd64
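Review bot: `+RUN apk add --no-cache cosign bash curl jq` installs cosign without a package version, and cosign is the tool install_trivy.sh relies on to verify the Trivy bundle, so the root of trust for the downloaded scanner now floats with whatever Alpine's repository serves at build time, whereas the installer this series retires verified cosign itself against the sigstore TUF root before using it. Pin the packages, `RUN apk add --no-cache cosign=<ver-rN> bash=<ver-rN> curl=<ver-rN> jq=<ver-rN>` (placeholders, take the values from the alpine 3.23 repository), and consider pinning `alpine:3.23.3` by digest so the build stage is reproducible and a tag re-push cannot change what does the verifying. The same unpinned line appears in the Dockerfile.trivy.amd64 and Dockerfile.trivy.arm64 hunks of this commit and in the .devcontainer/Dockerfile hunk of PATCH 08.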
@@ -1,7 +1,7 @@
 FROM alpine:3.23.3 AS build
 ARG TARGETARCH
 RUN apk add --no-cache cosign bash curl jq
-COPY scripts/install_trivy.sh /tmp/install_trivy.sh
+COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
 RUN INSTALL_DIR=/tmp/trivy/ ARCH=64bit /tmp/install_trivy.sh
 
 FROM scratch
diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64
index 27ad8da..1fd93ef 100644
--- a/src/base/.devcontainer/Dockerfile.trivy.arm64
+++ b/src/base/.devcontainer/Dockerfile.trivy.arm64
@@ -1,7 +1,7 @@
 FROM alpine:3.23.3 AS build
 ARG TARGETARCH
 RUN apk add --no-cache cosign bash curl jq
-COPY scripts/install_trivy.sh /tmp/install_trivy.sh
+COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
 RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh
 
 FROM scratch

From 6af21f1649b4a9b331def2154dffd836c61d0b3c Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 22 Mar 2026 17:38:25 +0000
Subject: [PATCH 08/10] fix local dockerfile

---
 .devcontainer/Dockerfile | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 2a74db1..345a5a0 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,12 +1,7 @@
-FROM golang:1.26.1-bookworm AS build
+FROM alpine:3.23.3 AS build
 ARG TARGETARCH
-RUN apt-get update && apt-get install -y \
- jq \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh
+RUN apk add --no-cache cosign bash curl jq
 COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
-RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
 RUN case "${TARGETARCH}" in \
 x86_64|amd64) TRIVY_ARCH=64bit ;; \
 aarch64|arm64) TRIVY_ARCH=ARM64 ;; \

From b471edb14d462b28a6bcfdf3c1dc469c4c1ea85e Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Sun, 22 Mar 2026 17:42:33 +0000
Subject: [PATCH 09/10] update copilot

---
 src/base/.devcontainer/scripts/install_trivy.sh | 16 +++++++++++-----
 .../.devcontainer/scripts/root_install.sh       |  2 +-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/base/.devcontainer/scripts/install_trivy.sh b/src/base/.devcontainer/scripts/install_trivy.sh
index 9e0588e..5d6c7c4 100755
--- a/src/base/.devcontainer/scripts/install_trivy.sh
+++ b/src/base/.devcontainer/scripts/install_trivy.sh
@@ -14,11 +14,17 @@ CERT_IDENTITY="https://github.com/aquasecurity/trivy/.github/workflows/reusable-
 
 usage() {
 cat <<'EOF'
-Usage: install_trivy.sh [output_dir]
+Usage: install_trivy.sh
 
-Downloads Trivy, its sigstore bundle, and checksum into output_dir (default: current directory),
-then verifies the checksum and the sigstore bundle, following
-https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md.
+Downloads the Trivy archive and its sigstore bundle to a temporary directory,
+verifies the sigstore bundle following
+https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md,
+and installs the trivy binary into INSTALL_DIR (default: /usr/local/bin).
+
+Environment variables:
+ INSTALL_DIR Directory to install the trivy binary into (default: /usr/local/bin)
+ VERSION Trivy version tag to install (default: v0.69.3)
+ ARCH Architecture suffix used in the download (default: 64bit)
 
 EOF
 }
@@ -27,7 +33,7 @@ if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
 exit 0
 fi
 
-for cmd in curl cosign sha256sum; do
+for cmd in curl cosign; do
 if ! command -v "$cmd" >/dev/null 2>&1; then
 echo "Error: $cmd is required but not found in PATH" >&2
 exit 1
diff --git a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
index 97d3b80..1795cbe 100755
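Review bot: The prerequisite loop `+for cmd in curl cosign; do` drops sha256sum but does not list the other tools the script appears to depend on: the build stages elsewhere in this series install `bash curl jq` alongside cosign, which suggests jq (and presumably tar, to unpack the archive) are used further down, outside this hunk. If so, `for cmd in curl cosign jq tar; do` makes a missing tool fail fast with the script's own error message instead of an opaque failure mid-download; confirm against the rest of the script before extending the list.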
--- a/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
+++ b/src/projects/regression_tests/.devcontainer/scripts/root_install.sh
@@ -4,7 +4,7 @@ set -euo pipefail
 
 # install chrome
 mkdir -p /etc/apt/keyrings
-wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo tee /etc/apt/keyrings/google.asc >/dev/null
+wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | tee /etc/apt/keyrings/google.asc >/dev/null
 sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google.asc] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list'
 apt-get update
 apt-get install -y google-chrome-stable

From 1a644258b6868e8b72cfa7603499e2b64eac973a Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 23 Mar 2026 07:29:08 +0000
Subject: [PATCH 10/10] more comments

---
 .github/workflows/build_multi_arch_image.yml    | 4 +++-
 src/base/.devcontainer/Dockerfile               | 2 +-
 src/base/.devcontainer/Dockerfile.trivy.amd64   | 3 +--
 src/base/.devcontainer/Dockerfile.trivy.arm64   | 3 +--
 src/base/.devcontainer/scripts/install_trivy.sh | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 11c1857..c3d5862 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -65,7 +65,9 @@ jobs:
 fetch-depth: 0
 - name: setup trivy
 run: |
-docker build --output=/usr/local/bin/ -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" .
+mkdir -p "$RUNNER_TEMP/bin"
+docker build --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" .
+echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
 env:
 ARCH: '${{ matrix.arch }}'
 - name: setup node
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
index b67f52f..0ccee69 100644
--- a/src/base/.devcontainer/Dockerfile
+++ b/src/base/.devcontainer/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:3.23.3 AS build
 ARG TARGETARCH
 RUN apk add --no-cache cosign bash curl jq
-COPY scripts/install_trivy.sh /tmp/install_trivy.sh
+COPY --chmod=755 scripts/install_trivy.sh /tmp/install_trivy.sh
 RUN case "${TARGETARCH}" in \
 x86_64|amd64) TRIVY_ARCH=64bit ;; \
 aarch64|arm64) TRIVY_ARCH=ARM64 ;; \
diff --git a/src/base/.devcontainer/Dockerfile.trivy.amd64 b/src/base/.devcontainer/Dockerfile.trivy.amd64
index bdf0718..4a719ad 100644
--- a/src/base/.devcontainer/Dockerfile.trivy.amd64
+++ b/src/base/.devcontainer/Dockerfile.trivy.amd64
@@ -1,7 +1,6 @@
 FROM alpine:3.23.3 AS build
-ARG TARGETARCH
 RUN apk add --no-cache cosign bash curl jq
-COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
+COPY --chmod=755 src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
 RUN INSTALL_DIR=/tmp/trivy/ ARCH=64bit /tmp/install_trivy.sh
 
 FROM scratch
diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64
index 1fd93ef..899ea76 100644
--- a/src/base/.devcontainer/Dockerfile.trivy.arm64
+++ b/src/base/.devcontainer/Dockerfile.trivy.arm64
@@ -1,7 +1,6 @@
 FROM alpine:3.23.3 AS build
-ARG TARGETARCH
 RUN apk add --no-cache cosign bash curl jq
-COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
+COPY --chmod=755 src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
 RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh
 
 FROM scratch
diff --git a/src/base/.devcontainer/scripts/install_trivy.sh b/src/base/.devcontainer/scripts/install_trivy.sh
index 5d6c7c4..c49ab97 100755
--- a/src/base/.devcontainer/scripts/install_trivy.sh
+++ b/src/base/.devcontainer/scripts/install_trivy.sh
@@ -3,7 +3,7 @@ set -euo pipefail
 
 DEFAULT_INSTALL_DIR="/usr/local/bin"
 INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
-VERSION="v0.69.3"
+VERSION="${VERSION:-v0.69.3}"
 DEFAULT_ARCH="64bit"
 ARCH="${ARCH:-$DEFAULT_ARCH}"
 RELEASE_NUMBER="${VERSION#v}"
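Review bot: With `+VERSION="${VERSION:-v0.69.3}"` the version is now taken from the environment, but nothing checks its shape: `RELEASE_NUMBER="${VERSION#v}"` silently accepts values with or without the `v` prefix, and a value that is not a release tag only surfaces later as a download or verification failure outside this hunk. Validate right after the assignment, `case "$VERSION" in v[0-9]*.[0-9]*.[0-9]*) ;; *) echo "Error: VERSION must be a release tag like vX.Y.Z" >&2; exit 1 ;; esac`. If the cosign check is keyed on the CERT_IDENTITY constant shown in the earlier hunk header rather than on the version, an overridden VERSION presumably selects a different signed release but never an unsigned artifact; stating that in the usage text would tell callers what the override does and does not relax.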