diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml
index 7ea50c1..8075f67 100644
--- a/.github/workflows/build_all_images.yml
+++ b/.github/workflows/build_all_images.yml
@@ -8,6 +8,9 @@ name: build_all_images
 tag_latest:
 required: true
 type: boolean
+ NO_CACHE:
+ required: true
+ type: boolean
 env:
 BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
 jobs:
@@ -32,6 +35,7 @@ jobs:
 docker_tag: ${{ inputs.docker_tag }}
 container_name: base
 base_folder: "."
+ NO_CACHE: ${{ inputs.NO_CACHE }}
 package_language_docker_images:
 needs:
 - package_base_docker_image
@@ -46,6 +50,7 @@ jobs:
 docker_tag: ${{ inputs.docker_tag }}
 container_name: ${{ matrix.container_name }}
 base_folder: "languages"
+ NO_CACHE: ${{ inputs.NO_CACHE }}
 package_project_docker_images:
 needs:
 - package_language_docker_images
@@ -61,3 +66,4 @@ jobs:
 docker_tag: ${{ inputs.docker_tag }}
 container_name: ${{ matrix.container_name }}
 base_folder: "projects"
+ NO_CACHE: ${{ inputs.NO_CACHE }}
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 99d4bc6..0d08f4a 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -14,6 +14,9 @@ name: Build and push docker image
 base_folder:
 required: true
 type: string
+ NO_CACHE:
+ required: true
+ type: boolean

 jobs:
 build_and_push_image:
@@ -87,6 +90,7 @@ jobs:
 BASE_VERSION_TAG: ${{ inputs.docker_tag}}
 IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
 BASE_FOLDER: "${{ inputs.base_folder }}"
+ NO_CACHE: '${{ inputs.NO_CACHE }}'
 - name: Check docker vulnerabilities - json output
 uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9413459..529c86a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
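Review bot: The new `NO_CACHE` input in the first build_all_images.yml hunk (and its twin in build_multi_arch_image.yml) breaks the snake_case naming of the sibling inputs visible in the same hunks (`tag_latest`, `docker_tag`, `base_folder`); naming it `no_cache` and keeping the upper-case form only where it becomes a shell/Make variable, `NO_CACHE: '${{ inputs.no_cache }}'` in the env block of build_multi_arch_image.yml, keeps the workflow interface uniform. Declaring it `required: true` with no default also makes it a breaking change for any caller of this reusable workflow not updated here; the three in-repo callers are updated in this commit, but `required: false` with `default: false` would be backward compatible and matches what ci.yml and pull_request.yml pass anyway. A one-line `description: Pass --no-cache to every image build (release builds set this)` on the input would document the intent, which is otherwise only discoverable in the Makefile. The `inputs:` mapping this hunk edits starts before the hunk.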
@@ -45,3 +45,4 @@ jobs:
 with:
 docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
 tag_latest: false
+ NO_CACHE: false
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index a9a7634..7edbec3 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -92,3 +92,4 @@ jobs:
 with:
 docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}'
 tag_latest: false
+ NO_CACHE: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 35f2718..15d64c1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,3 +46,4 @@ jobs:
 with:
 docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
 tag_latest: true
+ NO_CACHE: true
diff --git a/Makefile b/Makefile
index 8d9c358..fa8623f 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,10 @@ ifneq ($(strip $(PLATFORM)),)
 PLATFORM_FLAG=--platform $(PLATFORM)
 endif
 
+ifeq ($(strip $(NO_CACHE)),true)
+NO_CACHE_FLAG=--no-cache
+endif
+
 guard-%:
 @ if [ "${${*}}" = "" ]; then \
 echo "Environment variable $* not set"; \
@@ -24,6 +28,7 @@ install-hooks: install-python
 build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
 npx devcontainer build \
 --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \
+ $(NO_CACHE_FLAG) \
 --push false \
 --cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \
 --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"
diff --git a/README.md b/README.md
index b5ba50d..6300a93 100644
--- a/README.md
+++ b/README.md
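Review bot: `NO_CACHE: true` in the release.yml hunk is the only uncached caller and the reason is not recorded next to it, so a future "make releases faster" change can flip it without knowing what it protects; a comment such as `# release images are built from scratch so no stale cached layer (and the package versions frozen in it) reaches a tagged image` would pin that down, assuming that is the intent. Note that ci.yml in the first hunk passes the same `docker_tag: '${{ needs.tag_release.outputs.version_tag }}'` with `NO_CACHE: false`; if both workflows push that tag, a cached CI build and an uncached release build of the same version can differ in content and the last push wins, which is worth confirming is not possible.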
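Review bot: `ifeq ($(strip $(NO_CACHE)),true)` in the first Makefile hunk matches only the literal lowercase `true`, so a developer running `NO_CACHE=1 make build-image` or `NO_CACHE=TRUE` (the README documents local builds) silently gets a cached build with no warning; either accept the usual spellings, `ifneq ($(filter true TRUE 1 yes,$(strip $(NO_CACHE))),)`, or add an `else ifneq ($(strip $(NO_CACHE)),)` branch that errors on an unrecognised value. A comment on `NO_CACHE_FLAG` should also say what `--no-cache` does and does not do here: it stops layer reuse (so the `--cache-from ...:latest` import on the second hunk is simply ignored), but it does not by itself re-pull the base image named in the Dockerfile's `FROM` — presumably harmless on a fresh Actions runner, less so on a developer machine; confirm against the devcontainer CLI before documenting it as "fresh build". The `build-image` recipe continues past the end of the second hunk.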
@@ -61,29 +61,30 @@ You should not need to add any features as these are already baked into the imag "name": "eps-common-workflows", "build": { "dockerfile": "Dockerfile", + "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", "IMAGE_NAME": "node_24_python_3_14", - "IMAGE_VERSION": "v1.0.1", + "IMAGE_VERSION": "local-build", "USER_UID": "${localEnv:USER_ID:}", "USER_GID": "${localEnv:GROUP_ID:}" }, "updateRemoteUserUID": false, - "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", - "mounts": [ - "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" - ], - "containerUser": "vscode", - "remoteEnv": { - "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" - }, - "features": {}, - "customizations": { - ... add any customisations you want here - } + }, + "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", + "mounts": [ + "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" + ], + "containerUser": "vscode", + "remoteEnv": { + "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" + }, + "features": {}, + "customizations": { + .... } } ``` @@ -153,7 +154,7 @@ CONTAINER_NAME=base \ ``` Language images ``` -CONTAINER_NAME=node_24_python_3_12 \ +CONTAINER_NAME=node_24_python_3_13 \ BASE_VERSION_TAG=local-build \ BASE_FOLDER=languages \ IMAGE_TAG=local-build \ 
@@ -214,17 +215,26 @@ CONTAINER_NAME=fhir_facade_api \ ``` ## Using local or pull request images -You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json +You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json. +For an image built locally, you should put the IMAGE_VERSION=local-build. +For an image built from a pull request, you should put the IMAGE_VERSION=. +You can only use images built from a pull request for testing changes in github actions. ## Generating a .trivyignore file You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json -If generated locally, then the output goes into .out/scan_results_docker.json +If generated locally, then the output goes into .out/scan_results_docker.json. +You can use github cli tools to download the scan output file. Replace the run id from the url, and the -n with the filename to download +``` +gh run download -n scan_results_docker_fhir_facade_api_arm64.json +``` + +Once you have the scan output, use the following to generate a new .trivyignore file called .trivyignore.new.yaml. Note this will overwrite the output file when run so it should point to a new file and the contents merged with existing .trivyignore file + -Once you have the scan output, use the following to generate a .trivyignore ``` poetry run python \ scripts/trivy_to_trivyignore.py \ --input .out/scan_results_docker.json \ - --output src/common/.trivyignore.yaml + --output src/projects/fhir_facade_api/.trivyignore.new.yaml ``` diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index 7faa350..7e75348 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json 
@@ -12,10 +12,6 @@ "IMAGE_TAG": "${localEnv:IMAGE_TAG}" } }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": { "ghcr.io/devcontainers/features/docker-outside-of-docker:1": { "version": "latest", diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index 3c8fb35..100a86b 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index 3c8fb35..100a86b 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index 7d1b3e9..19adae8 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/languages/python_3_10/.devcontainer/devcontainer.json index aa03d36..f593cf2 100644 --- a/src/languages/python_3_10/.devcontainer/devcontainer.json 
+++ b/src/languages/python_3_10/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json index 6b10ee8..95c0a22 100644 --- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json +++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml index 639428a..4443daa 100644 --- a/src/projects/fhir_facade_api/.trivyignore.yaml +++ b/src/projects/fhir_facade_api/.trivyignore.yaml 
@@ -65,3 +65,43 @@ vulnerabilities:
 purls:
 - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
 expired_at: 2026-08-13
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-16