Chore: [AEA-0000] - remove trivy

.github/workflows/build_multi_arch_image.yml

@@ -63,13 +63,13 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
-      - name: setup trivy
-        run: |
-          mkdir -p "$RUNNER_TEMP/bin"
-          docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" .
-          echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
-        env:
-          ARCH: '${{ matrix.arch }}'
+      # - name: setup trivy
+      #   run: |
+      #     mkdir -p "$RUNNER_TEMP/bin"
+      #     docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" .
+      #     echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
+      #  env:
+      #    ARCH: '${{ matrix.arch }}'
       - name: setup node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
@@ -101,30 +101,30 @@ jobs:
           IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
           EXIT_CODE: 0
           EXTRA_COMMON: "${{ inputs.extra_common }}"
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
-        name: Upload scan results
-        with:
-          name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
-          path: .out/scan_results_docker.json
-      - name: Check docker vulnerabilities - table output
-        run: |
-          make scan-image
-        env:
-          CONTAINER_NAME: '${{ inputs.container_name }}'
-          BASE_FOLDER: "${{ inputs.base_folder }}"
-          IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
-          EXIT_CODE: "1"
-          EXTRA_COMMON: "${{ inputs.extra_common }}"
-      - name: Show docker vulnerability output
-        if: always()
-        run: |
-          echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
-          if [ -f .out/scan_results_docker.txt ]; then
-            cat .out/scan_results_docker.txt
-          fi
-        env:
-          ARCHITECTURE: '${{ matrix.arch }}'
-          DOCKER_TAG: '${{ inputs.docker_tag }}'
+      # - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+      #   name: Upload scan results
+      #   with:
+      #     name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
+      #     path: .out/scan_results_docker.json
+      # - name: Check docker vulnerabilities - table output
+      #   run: |
+      #     make scan-image
+      #   env:
+      #     CONTAINER_NAME: '${{ inputs.container_name }}'
+      #     BASE_FOLDER: "${{ inputs.base_folder }}"
+      #     IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
+      #     EXIT_CODE: "1"
+      #     EXTRA_COMMON: "${{ inputs.extra_common }}"
+      # - name: Show docker vulnerability output
+      #   if: always()
+      #   run: |
+      #     echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
+      #     if [ -f .out/scan_results_docker.txt ]; then
+      #       cat .out/scan_results_docker.txt
+      #     fi
+      #   env:
+      #     ARCHITECTURE: '${{ matrix.arch }}'
+      #     DOCKER_TAG: '${{ inputs.docker_tag }}'
       - name: Push tagged image and rebuild for github actions
         run: |
           echo "Pushing image..."

Makefile

@@ -81,42 +81,44 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG
 		.
 
 scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER
-	mkdir -p .out
-	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
-	common="src/common/.trivyignore.yaml"; \
-	extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
-	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
-	exit_code="$${EXIT_CODE:-1}"; \
-	echo "vulnerabilities:" > "$$combined"; \
-	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
-	if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
-	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
-	trivy image \
-		--severity HIGH,CRITICAL \
-		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
-		--scanners vuln \
-		--exit-code $$exit_code \
-		--format table \
-		--output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
+	echo "Not implemented"
+# 	mkdir -p .out
+# 	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
+# 	common="src/common/.trivyignore.yaml"; \
+# 	extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
+# 	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
+# 	exit_code="$${EXIT_CODE:-1}"; \
+# 	echo "vulnerabilities:" > "$$combined"; \
+# 	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
+# 	if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
+# 	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
+# 	trivy image \
+# 		--severity HIGH,CRITICAL \
+# 		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
+# 		--scanners vuln \
+# 		--exit-code $$exit_code \
+# 		--format table \
+# 		--output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
 
 scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
-	mkdir -p .out
-	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
-	common="src/common/.trivyignore.yaml"; \
-	extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
-	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
-	exit_code="$${EXIT_CODE:-1}"; \
-	echo "vulnerabilities:" > "$$combined"; \
-	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
-	if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
-	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
-	trivy image \
-		--severity HIGH,CRITICAL \
-		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
-		--scanners vuln \
-		--exit-code "$$exit_code" \
-		--format json \
-		--output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
+	echo "Not implemented"
+# 	mkdir -p .out
+# 	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
+# 	common="src/common/.trivyignore.yaml"; \
+# 	extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
+# 	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
+# 	exit_code="$${EXIT_CODE:-1}"; \
+# 	echo "vulnerabilities:" > "$$combined"; \
+# 	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
+# 	if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
+# 	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
+# 	trivy image \
+# 		--severity HIGH,CRITICAL \
+# 		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
+# 		--scanners vuln \
+# 		--exit-code "$$exit_code" \
+# 		--format json \
+# 		--output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
 
 shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
 	docker run -it \

src/base/.devcontainer/Dockerfile

@@ -1,13 +1,13 @@
-FROM alpine:3.23.3 AS build
-ARG TARGETARCH
-RUN apk add --no-cache cosign bash curl jq
-COPY --chmod=755 scripts/install_trivy.sh /tmp/install_trivy.sh
-RUN case "${TARGETARCH}" in \
-        x86_64|amd64) TRIVY_ARCH=64bit ;; \
-        aarch64|arm64) TRIVY_ARCH=ARM64 ;; \
-        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
-    esac \
-    && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh
+# FROM alpine:3.23.3 AS build
+# ARG TARGETARCH
+# RUN apk add --no-cache cosign bash curl jq
+# COPY --chmod=755 scripts/install_trivy.sh /tmp/install_trivy.sh
+# RUN case "${TARGETARCH}" in \
+#         x86_64|amd64) TRIVY_ARCH=64bit ;; \
+#         aarch64|arm64) TRIVY_ARCH=ARM64 ;; \
+#         *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+#     esac \
+#     && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh
 
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 
@@ -27,7 +27,7 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
 
-COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy
+# COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy
 
 COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode

src/base/.devcontainer/Mk/trivy.mk

@@ -1,91 +1,98 @@
 .PHONY: trivy-license-check trivy-generate-sbom trivy-scan-python trivy-scan-node trivy-scan-go trivy-scan-java
 
 trivy-license-check:
-	mkdir -p .trivy_out/
-	@if [ -f poetry.lock ]; then \
-		poetry self add poetry-plugin-export; \
-		poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt; \
-	fi
-	@if [ -f src/go.sum ]; then \
-		cd src && go mod vendor; \
-	fi
-	VIRTUAL_ENV=./.venv/ trivy fs . \
-		--scanners license \
-		--severity HIGH,CRITICAL \
-		--config trivy.yaml \
-		--include-dev-deps \
-		--pkg-types library \
-		--exit-code 1 \
-		--output .trivy_out/license_scan.txt \
-		--format table
-	@if [ -f poetry.lock ]; then rm -f requirements.txt; fi
-	@if [ -f src/go.sum ]; then rm -rf src/vendor; fi
+	echo "Not implemented"
+# 	mkdir -p .trivy_out/
+# 	@if [ -f poetry.lock ]; then \
+# 		poetry self add poetry-plugin-export; \
+# 		poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt; \
+# 	fi
+# 	@if [ -f src/go.sum ]; then \
+# 		cd src && go mod vendor; \
+# 	fi
+# 	VIRTUAL_ENV=./.venv/ trivy fs . \
+# 		--scanners license \
+# 		--severity HIGH,CRITICAL \
+# 		--config trivy.yaml \
+# 		--include-dev-deps \
+# 		--pkg-types library \
+# 		--exit-code 1 \
+# 		--output .trivy_out/license_scan.txt \
+# 		--format table
+# 	@if [ -f poetry.lock ]; then rm -f requirements.txt; fi
+# 	@if [ -f src/go.sum ]; then rm -rf src/vendor; fi
 
 trivy-generate-sbom:
-	mkdir -p .trivy_out/
-	trivy fs . \
-		--scanners vuln \
-		--config trivy.yaml \
-		--include-dev-deps \
-		--exit-code 0 \
-		--output .trivy_out/sbom.cdx.json \
-		--format cyclonedx
+	echo "Not implemented"
+# 	mkdir -p .trivy_out/
+# 	trivy fs . \
+# 		--scanners vuln \
+# 		--config trivy.yaml \
+# 		--include-dev-deps \
+# 		--exit-code 0 \
+# 		--output .trivy_out/sbom.cdx.json \
+# 		--format cyclonedx
 
 trivy-scan-python:
-	mkdir -p .trivy_out/
-	trivy fs . \
-		--scanners vuln \
-		--severity HIGH,CRITICAL \
-		--config trivy.yaml \
-		--include-dev-deps \
-		--exit-code 1 \
-		--skip-files "**/package-lock.json,**/go.mod,**/pom.xml" \
-		--output .trivy_out/dependency_results_python.txt \
-		--format table
+	echo "Not implemented"
+# 	mkdir -p .trivy_out/
+# 	trivy fs . \
+# 		--scanners vuln \
+# 		--severity HIGH,CRITICAL \
+# 		--config trivy.yaml \
+# 		--include-dev-deps \
+# 		--exit-code 1 \
+# 		--skip-files "**/package-lock.json,**/go.mod,**/pom.xml" \
+# 		--output .trivy_out/dependency_results_python.txt \
+# 		--format table
 
 trivy-scan-node:
-	mkdir -p .trivy_out/
-	trivy fs . \
-		--scanners vuln \
-		--severity HIGH,CRITICAL \
-		--config trivy.yaml \
-		--include-dev-deps \
-		--exit-code 1 \
-		--skip-files "**/poetry.lock,**/go.mod,**/pom.xml" \
-		--output .trivy_out/dependency_results_node.txt \
-		--format table
+	echo "Not implemented"
+# 	mkdir -p .trivy_out/
+# 	trivy fs . \
+# 		--scanners vuln \
+# 		--severity HIGH,CRITICAL \
+# 		--config trivy.yaml \
+# 		--include-dev-deps \
+# 		--exit-code 1 \
+# 		--skip-files "**/poetry.lock,**/go.mod,**/pom.xml" \
+# 		--output .trivy_out/dependency_results_node.txt \
+# 		--format table
 
 trivy-scan-go:
-	mkdir -p .trivy_out/
-	trivy fs . \
-		--scanners vuln \
-		--severity HIGH,CRITICAL \
-		--config trivy.yaml \
-		--include-dev-deps \
-		--exit-code 1 \
-		--skip-files "**/poetry.lock,**/package-lock.json,**/pom.xml" \
-		--output .trivy_out/dependency_results_go.txt \
-		--format table
+	echo "Not implemented"
+# 	mkdir -p .trivy_out/
+# 	trivy fs . \
+# 		--scanners vuln \
+# 		--severity HIGH,CRITICAL \
+# 		--config trivy.yaml \
+# 		--include-dev-deps \
+# 		--exit-code 1 \
+# 		--skip-files "**/poetry.lock,**/package-lock.json,**/pom.xml" \
+# 		--output .trivy_out/dependency_results_go.txt \
+# 		--format table
 
 trivy-scan-java:
-	mkdir -p .trivy_out/
-	trivy fs . \
-		--scanners vuln \
-		--severity HIGH,CRITICAL \
-		--config trivy.yaml \
-		--include-dev-deps \
-		--exit-code 1 \
-		--skip-files "**/poetry.lock,**/package-lock.json,**/go.mod" \
-		--output .trivy_out/dependency_results_java.txt \
-		--format table
+	echo "Not implemented"
+# 	mkdir -p .trivy_out/
+# 	trivy fs . \
+# 		--scanners vuln \
+# 		--severity HIGH,CRITICAL \
+# 		--config trivy.yaml \
+# 		--include-dev-deps \
+# 		--exit-code 1 \
+# 		--skip-files "**/poetry.lock,**/package-lock.json,**/go.mod" \
+# 		--output .trivy_out/dependency_results_java.txt \
+# 		--format table
 
 trivy-scan-docker: guard-DOCKER_IMAGE
-	mkdir -p .trivy_out/
-	trivy image $${DOCKER_IMAGE} \
-		--scanners vuln \
-		--severity HIGH,CRITICAL \
-		--config trivy.yaml \
-		--exit-code 1 \
-		--pkg-types os,library \
-		--output .trivy_out/dependency_results_docker.txt \
-		--format table
+	echo "Not implemented"
+# 	mkdir -p .trivy_out/
+# 	trivy image $${DOCKER_IMAGE} \
+# 		--scanners vuln \
+# 		--severity HIGH,CRITICAL \
+# 		--config trivy.yaml \
+# 		--exit-code 1 \
+# 		--pkg-types os,library \
+# 		--output .trivy_out/dependency_results_docker.txt \
+# 		--format table