diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index a0c546f..10ee80c 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -63,13 +63,13 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 - - name: setup trivy - run: | - mkdir -p "$RUNNER_TEMP/bin" - docker build --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" . - echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH" - env: - ARCH: '${{ matrix.arch }}' + # - name: setup trivy + # run: | + # mkdir -p "$RUNNER_TEMP/bin" + # docker build --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" . + # echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH" + # env: + # ARCH: '${{ matrix.arch }}' - name: setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f with: 
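Review bot: The `setup trivy` step is commented out rather than removed, and nothing in the hunk says why or under what condition it comes back; the same pattern is used for the `scan-image`/`scan-image-json` recipes in the Makefile, the `build` stage in `src/base/.devcontainer/Dockerfile` and every target in `Mk/trivy.mk`. Git history already keeps the old code, so what the next reader needs is a one-line rationale above the disabled block, e.g. `# trivy setup disabled: <reason> — re-enable tracked in <ISSUE-PLACEHOLDER>`, and the commented lines can then be deleted. Until it is restored, this job's matrix builds run without the scanner being installed, which the later scan steps in this workflow presumably depended on. The enclosing job starts and ends outside the hunk.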
@@ -101,30 +101,30 @@ jobs: IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" EXIT_CODE: 0 EXTRA_COMMON: "${{ inputs.extra_common }}" - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f - name: Upload scan results - with: - name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json" - path: .out/scan_results_docker.json - - name: Check docker vulnerabilities - table output - run: | - make scan-image - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - BASE_FOLDER: "${{ inputs.base_folder }}" - IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" - EXIT_CODE: "1" - EXTRA_COMMON: "${{ inputs.extra_common }}" - - name: Show docker vulnerability output - if: always() - run: | - echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" - if [ -f .out/scan_results_docker.txt ]; then - cat .out/scan_results_docker.txt - fi - env: - ARCHITECTURE: '${{ matrix.arch }}' - DOCKER_TAG: '${{ inputs.docker_tag }}' + # - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + # name: Upload scan results + # with: + # name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json" + # path: .out/scan_results_docker.json + # - name: Check docker vulnerabilities - table output + # run: | + # make scan-image + # env: + # CONTAINER_NAME: '${{ inputs.container_name }}' + # BASE_FOLDER: "${{ inputs.base_folder }}" + # IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" + # EXIT_CODE: "1" + # EXTRA_COMMON: "${{ inputs.extra_common }}" + # - name: Show docker vulnerability output + # if: always() + # run: | + # echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" + # if [ -f .out/scan_results_docker.txt ]; then + # cat .out/scan_results_docker.txt + # fi + # env: + # ARCHITECTURE: '${{ matrix.arch }}' + # DOCKER_TAG: '${{ inputs.docker_tag }}' - name: Push tagged image and rebuild for github actions run: | echo 
"Pushing image..."
diff --git a/Makefile b/Makefile
index 9e1ead3..08da340 100644
--- a/Makefile
+++ b/Makefile
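Review bot: Removing the `Check docker vulnerabilities - table output` step takes away the only step in this hunk that ran with `EXIT_CODE: "1"`, so the `Push tagged image and rebuild for github actions` step that follows is no longer preceded by a failing scan gate and the image is pushed regardless of findings. The step whose `env` forms the hunk's leading context (`EXIT_CODE: 0`, `EXTRA_COMMON`) is kept; if it still invokes `make scan-image-json`, that target now only prints `Not implemented` per the Makefile change in this commit, so the job log will show a scan step that checked nothing, and with the `Upload scan results` step gone no JSON is retained either. If the gate has to stay off, put that fact where the push happens, e.g. a comment above the push step: `# NOTE: image vulnerability scanning is disabled (<ISSUE-PLACEHOLDER>); this push is not gated on trivy results`. The job definition starts and ends outside the hunk.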
@@ -81,42 +81,44 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG . scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER - mkdir -p .out - @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ - common="src/common/.trivyignore.yaml"; \ - extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ - specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ - exit_code="$${EXIT_CODE:-1}"; \ - echo "vulnerabilities:" > "$$combined"; \ - if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ - if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ - if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ - trivy image \ - --severity HIGH,CRITICAL \ - --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ - --scanners vuln \ - --exit-code $$exit_code \ - --format table \ - --output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" + echo "Not implemented" +# mkdir -p .out +# @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ +# common="src/common/.trivyignore.yaml"; \ +# extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ +# specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ +# exit_code="$${EXIT_CODE:-1}"; \ +# echo "vulnerabilities:" > "$$combined"; \ +# if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ +# if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ +# if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ +# trivy image \ +# --severity HIGH,CRITICAL \ +# --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ +# --scanners vuln \ +# --exit-code $$exit_code \ +# --format table \ +# --output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER 
guard-IMAGE_TAG - mkdir -p .out - @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ - common="src/common/.trivyignore.yaml"; \ - extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ - specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ - exit_code="$${EXIT_CODE:-1}"; \ - echo "vulnerabilities:" > "$$combined"; \ - if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ - if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ - if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ - trivy image \ - --severity HIGH,CRITICAL \ - --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ - --scanners vuln \ - --exit-code "$$exit_code" \ - --format json \ - --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" + echo "Not implemented" +# mkdir -p .out +# @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ +# common="src/common/.trivyignore.yaml"; \ +# extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ +# specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ +# exit_code="$${EXIT_CODE:-1}"; \ +# echo "vulnerabilities:" > "$$combined"; \ +# if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ +# if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ +# if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ +# trivy image \ +# --severity HIGH,CRITICAL \ +# --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ +# --scanners vuln \ +# --exit-code "$$exit_code" \ +# --format json \ +# --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG docker run -it \ diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 0ccee69..8b1f4fd 100644 
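Review bot: The new `scan-image` and `scan-image-json` recipes are a bare `echo "Not implemented"`, which exits 0, so a caller that treated a non-zero exit as the vulnerability gate (the removed recipes ran `--exit-code $$exit_code` with `exit_code="$${EXIT_CODE:-1}"`) now passes silently; the seven stubbed targets in `Mk/trivy.mk` have the same shape. Keeping the old exit-status contract makes the stub visible exactly where it used to fail while leaving the `EXIT_CODE: 0` callers green: `@echo "scan-image: not implemented - image vulnerability scan disabled" >&2; exit "$${EXIT_CODE:-1}"`. The missing `@` prefix also means make echoes the command line itself, so the log carries the message twice. `EXIT_CODE` is otherwise read by nothing in these targets now, which a reader of the workflow `env:` blocks will find confusing.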
--- a/src/base/.devcontainer/Dockerfile
+++ b/src/base/.devcontainer/Dockerfile
@@ -1,13 +1,13 @@
-FROM alpine:3.23.3 AS build
-ARG TARGETARCH
-RUN apk add --no-cache cosign bash curl jq
-COPY --chmod=755 scripts/install_trivy.sh /tmp/install_trivy.sh
-RUN case "${TARGETARCH}" in \
- x86_64|amd64) TRIVY_ARCH=64bit ;; \
- aarch64|arm64) TRIVY_ARCH=ARM64 ;; \
- *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
- esac \
- && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh
+# FROM alpine:3.23.3 AS build
+# ARG TARGETARCH
+# RUN apk add --no-cache cosign bash curl jq
+# COPY --chmod=755 scripts/install_trivy.sh /tmp/install_trivy.sh
+# RUN case "${TARGETARCH}" in \
+# x86_64|amd64) TRIVY_ARCH=64bit ;; \
+# aarch64|arm64) TRIVY_ARCH=ARM64 ;; \
+# *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+# esac \
+# && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
@@ -27,7 +27,7 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
-COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy
+# COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy
 COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode
diff --git a/src/base/.devcontainer/Mk/trivy.mk b/src/base/.devcontainer/Mk/trivy.mk
index 6d323a2..cee440c 100644
--- a/src/base/.devcontainer/Mk/trivy.mk
+++ b/src/base/.devcontainer/Mk/trivy.mk
@@ -1,91 +1,98 @@
 .PHONY: trivy-license-check trivy-generate-sbom trivy-scan-python trivy-scan-node trivy-scan-go trivy-scan-java
 trivy-license-check:
- mkdir -p .trivy_out/
- @if [ -f poetry.lock ]; then \
- poetry self add poetry-plugin-export; \
- poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt; \
- fi
- @if [ -f src/go.sum ]; then \
- cd src && go mod vendor; \
- fi
- VIRTUAL_ENV=./.venv/ trivy fs . \
- --scanners license \
- --severity HIGH,CRITICAL \
- --config trivy.yaml \
- --include-dev-deps \
- --pkg-types library \
- --exit-code 1 \
- --output .trivy_out/license_scan.txt \
- --format table
- @if [ -f poetry.lock ]; then rm -f requirements.txt; fi
- @if [ -f src/go.sum ]; then rm -rf src/vendor; fi
+ echo "Not implemented"
+# mkdir -p .trivy_out/
+# @if [ -f poetry.lock ]; then \
+# poetry self add poetry-plugin-export; \
+# poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt; \
+# fi
+# @if [ -f src/go.sum ]; then \
+# cd src && go mod vendor; \
+# fi
+# VIRTUAL_ENV=./.venv/ trivy fs . \
+# --scanners license \
+# --severity HIGH,CRITICAL \
+# --config trivy.yaml \
+# --include-dev-deps \
+# --pkg-types library \
+# --exit-code 1 \
+# --output .trivy_out/license_scan.txt \
+# --format table
+# @if [ -f poetry.lock ]; then rm -f requirements.txt; fi
+# @if [ -f src/go.sum ]; then rm -rf src/vendor; fi
 trivy-generate-sbom:
- mkdir -p .trivy_out/
- trivy fs . \
- --scanners vuln \
- --config trivy.yaml \
- --include-dev-deps \
- --exit-code 0 \
- --output .trivy_out/sbom.cdx.json \
- --format cyclonedx
+ echo "Not implemented"
+# mkdir -p .trivy_out/
+# trivy fs . \
+# --scanners vuln \
+# --config trivy.yaml \
+# --include-dev-deps \
+# --exit-code 0 \
+# --output .trivy_out/sbom.cdx.json \
+# --format cyclonedx
 trivy-scan-python:
- mkdir -p .trivy_out/
- trivy fs . 
\
- --scanners vuln \
- --severity HIGH,CRITICAL \
- --config trivy.yaml \
- --include-dev-deps \
- --exit-code 1 \
- --skip-files "**/package-lock.json,**/go.mod,**/pom.xml" \
- --output .trivy_out/dependency_results_python.txt \
- --format table
+ echo "Not implemented"
+# mkdir -p .trivy_out/
+# trivy fs . \
+# --scanners vuln \
+# --severity HIGH,CRITICAL \
+# --config trivy.yaml \
+# --include-dev-deps \
+# --exit-code 1 \
+# --skip-files "**/package-lock.json,**/go.mod,**/pom.xml" \
+# --output .trivy_out/dependency_results_python.txt \
+# --format table
 trivy-scan-node:
- mkdir -p .trivy_out/
- trivy fs . \
- --scanners vuln \
- --severity HIGH,CRITICAL \
- --config trivy.yaml \
- --include-dev-deps \
- --exit-code 1 \
- --skip-files "**/poetry.lock,**/go.mod,**/pom.xml" \
- --output .trivy_out/dependency_results_node.txt \
- --format table
+ echo "Not implemented"
+# mkdir -p .trivy_out/
+# trivy fs . \
+# --scanners vuln \
+# --severity HIGH,CRITICAL \
+# --config trivy.yaml \
+# --include-dev-deps \
+# --exit-code 1 \
+# --skip-files "**/poetry.lock,**/go.mod,**/pom.xml" \
+# --output .trivy_out/dependency_results_node.txt \
+# --format table
 trivy-scan-go:
- mkdir -p .trivy_out/
- trivy fs . \
- --scanners vuln \
- --severity HIGH,CRITICAL \
- --config trivy.yaml \
- --include-dev-deps \
- --exit-code 1 \
- --skip-files "**/poetry.lock,**/package-lock.json,**/pom.xml" \
- --output .trivy_out/dependency_results_go.txt \
- --format table
+ echo "Not implemented"
+# mkdir -p .trivy_out/
+# trivy fs . \
+# --scanners vuln \
+# --severity HIGH,CRITICAL \
+# --config trivy.yaml \
+# --include-dev-deps \
+# --exit-code 1 \
+# --skip-files "**/poetry.lock,**/package-lock.json,**/pom.xml" \
+# --output .trivy_out/dependency_results_go.txt \
+# --format table
 trivy-scan-java:
- mkdir -p .trivy_out/
- trivy fs . 
\
- --scanners vuln \
- --severity HIGH,CRITICAL \
- --config trivy.yaml \
- --include-dev-deps \
- --exit-code 1 \
- --skip-files "**/poetry.lock,**/package-lock.json,**/go.mod" \
- --output .trivy_out/dependency_results_java.txt \
- --format table
+ echo "Not implemented"
+# mkdir -p .trivy_out/
+# trivy fs . \
+# --scanners vuln \
+# --severity HIGH,CRITICAL \
+# --config trivy.yaml \
+# --include-dev-deps \
+# --exit-code 1 \
+# --skip-files "**/poetry.lock,**/package-lock.json,**/go.mod" \
+# --output .trivy_out/dependency_results_java.txt \
+# --format table
 trivy-scan-docker: guard-DOCKER_IMAGE
- mkdir -p .trivy_out/
- trivy image $${DOCKER_IMAGE} \
- --scanners vuln \
- --severity HIGH,CRITICAL \
- --config trivy.yaml \
- --exit-code 1 \
- --pkg-types os,library \
- --output .trivy_out/dependency_results_docker.txt \
- --format table
+ echo "Not implemented"
+# mkdir -p .trivy_out/
+# trivy image $${DOCKER_IMAGE} \
+# --scanners vuln \
+# --severity HIGH,CRITICAL \
+# --config trivy.yaml \
+# --exit-code 1 \
+# --pkg-types os,library \
+# --output .trivy_out/dependency_results_docker.txt \
+# --format table
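Review bot: The `.PHONY` list in the hunk's first context line names six targets but not `trivy-scan-docker`, so a file or directory called `trivy-scan-docker` in the working tree would make that target look up to date and be skipped; since this commit rewrites every target in the file, extending the list here is cheap: `.PHONY: trivy-license-check trivy-generate-sbom trivy-scan-python trivy-scan-node trivy-scan-go trivy-scan-java trivy-scan-docker`. `trivy-scan-docker` also keeps its `guard-DOCKER_IMAGE` prerequisite although the new recipe no longer reads `DOCKER_IMAGE`, which is fine if the guard is meant to survive until the scan is restored, but a comment above the target saying so, `# guard kept so callers keep passing DOCKER_IMAGE until the scan is re-enabled`, would stop someone from "fixing" it.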