From ce43c3821fa668fb8aee71b2b33081198eb00251 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 14:04:33 +0000 Subject: [PATCH 1/7] add no cache --- .github/workflows/build_all_images.yml | 6 ++++++ .github/workflows/build_multi_arch_image.yml | 4 ++++ .github/workflows/ci.yml | 1 + .github/workflows/pull_request.yml | 1 + .github/workflows/release.yml | 1 + Makefile | 5 +++++ README.md | 7 +++++-- src/base/.devcontainer/devcontainer.json | 4 ---- src/base/.devcontainer/scripts/vscode_install.sh | 4 ++++ .../node_24_python_3_12/.devcontainer/devcontainer.json | 4 ---- .../node_24_python_3_13/.devcontainer/devcontainer.json | 4 ---- .../node_24_python_3_14/.devcontainer/devcontainer.json | 4 ---- src/languages/python_3_10/.devcontainer/devcontainer.json | 4 ---- .../fhir_facade_api/.devcontainer/devcontainer.json | 4 ---- 14 files changed, 27 insertions(+), 26 deletions(-) diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 7ea50c1..8075f67 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -8,6 +8,9 @@ name: build_all_images tag_latest: required: true type: boolean + NO_CACHE: + required: true + type: boolean env: BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' jobs: @@ -32,6 +35,7 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: base base_folder: "." + NO_CACHE: ${{ inputs.NO_CACHE }} package_language_docker_images: needs: - package_base_docker_image @@ -46,6 +50,7 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} base_folder: "languages" + NO_CACHE: ${{ inputs.NO_CACHE }} package_project_docker_images: needs: - package_language_docker_images @@ -61,3 +66,4 @@ jobs: docker_tag: ${{ inputs.docker_tag }} container_name: ${{ matrix.container_name }} base_folder: "projects" + NO_CACHE: ${{ inputs.NO_CACHE }} 
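Review bot: The new input is declared as `NO_CACHE` while every other input of this reusable workflow (`docker_tag`, `tag_latest`) is snake_case, and it is `required: true` with no `default`, so any caller not updated in this series fails at workflow parse time. I would declare it as `no_cache:` with `required: false` and `default: false`, then pass `${{ inputs.no_cache }}` to the three `package_*` jobs; a cached build is what every caller got before this change, so that default is backward compatible. The `with:` blocks of those jobs start outside the hunks, and the callee in build_multi_arch_image.yml would need the same rename.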
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 99d4bc6..0d08f4a 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -14,6 +14,9 @@ name: Build and push docker image base_folder: required: true type: string + NO_CACHE: + required: true + type: boolean jobs: build_and_push_image: @@ -87,6 +90,7 @@ jobs: BASE_VERSION_TAG: ${{ inputs.docker_tag}} IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" BASE_FOLDER: "${{ inputs.base_folder }}" + NO_CACHE: '${{ inputs.NO_CACHE }}' - name: Check docker vulnerabilities - json output uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9413459..529c86a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,3 +45,4 @@ jobs: with: docker_tag: '${{ needs.tag_release.outputs.version_tag }}' tag_latest: false + NO_CACHE: false diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index a9a7634..7edbec3 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -92,3 +92,4 @@ jobs: with: docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' tag_latest: false + NO_CACHE: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 35f2718..15d64c1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,3 +46,4 @@ jobs: with: docker_tag: '${{ needs.tag_release.outputs.version_tag }}' tag_latest: true + NO_CACHE: true diff --git a/Makefile b/Makefile index 8d9c358..fa8623f 100644 --- a/Makefile +++ b/Makefile 
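Review bot: `NO_CACHE: '${{ inputs.NO_CACHE }}'` hands the boolean to the build step as the literal string `true`/`false`, which is what the Makefile's `ifeq ($(strip $(NO_CACHE)),true)` expects, but nothing records that coupling; a comment above it, `# rendered as the string 'true'/'false'; the Makefile compares against 'true' exactly`, would stop someone passing `1`. The trivy scan on the following step runs against whatever was built, so with caching on (the CI and PR callers) the reported package set comes partly from layers reused from `:latest` rather than a fresh resolution — that appears to be why release sets `NO_CACHE: true`, and it is worth stating in the workflow. The step this env block belongs to starts outside the hunk.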
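Review bot: ci.yml passes `NO_CACHE: false` while release.yml passes `true`, yet both tag the build with `needs.tag_release.outputs.version_tag`; if the images built here are ever pushed under that version-looking tag, a cached build can carry stale package layers that the release build would not. If that is intended because CI only validates and does not publish, a comment on the new line, `# cached build: CI images are not published`, would make the asymmetry deliberate rather than accidental. I cannot see from this hunk whether the CI job pushes.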
@@ -4,6 +4,10 @@ ifneq ($(strip $(PLATFORM)),) PLATFORM_FLAG=--platform $(PLATFORM) endif +ifeq ($(strip $(NO_CACHE)),true) +NO_CACHE_FLAG=--no-cache +endif + guard-%: @ if [ "${${*}}" = "" ]; then \ echo "Environment variable $* not set"; \ @@ -24,6 +28,7 @@ install-hooks: install-python build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG npx devcontainer build \ --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ + $(NO_CACHE_FLAG) \ --push false \ --cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \ --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" diff --git a/README.md b/README.md index b5ba50d..d34d8cf 100644 --- a/README.md +++ b/README.md @@ -153,7 +153,7 @@ CONTAINER_NAME=base \ ``` Language images ``` -CONTAINER_NAME=node_24_python_3_12 \ +CONTAINER_NAME=node_24_python_3_14 \ BASE_VERSION_TAG=local-build \ BASE_FOLDER=languages \ IMAGE_TAG=local-build \ @@ -214,7 +214,10 @@ CONTAINER_NAME=fhir_facade_api \ ``` ## Using local or pull request images -You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json +You can use local or pull request images by changing IMAGE_VERSION in devcontainer.json. +For an image built locally, you should put the IMAGE_VERSION=local-build. +For an image built from a pull request, you should put the IMAGE_VERSION=. +You can only use images built from a pull request for testing changes in github actions. ## Generating a .trivyignore file You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index 7faa350..7e75348 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json 
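Review bot: `$(NO_CACHE_FLAG)` is added while `--cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest"` stays, which works (buildx ignores cache sources when `--no-cache` is given, as far as I know) but reads as contradictory; a comment on the new line, `# --no-cache overrides --cache-from below; set NO_CACHE=true for release builds`, would help. The `ifeq` matches only the exact lowercase string `true`, so `NO_CACHE=1` or `NO_CACHE=True` silently yields a cached build rather than an error — if that strictness is intended, say so next to the `ifeq`, otherwise accept both with `ifneq (,$(filter true 1,$(strip $(NO_CACHE))))`. Note also that `--no-cache` rebuilds layers but does not re-pull the `FROM` image on a warm builder; on ephemeral runners that is moot, but a local "no cache" build can still start from a stale base.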
@@ -12,10 +12,6 @@ "IMAGE_TAG": "${localEnv:IMAGE_TAG}" } }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": { "ghcr.io/devcontainers/features/docker-outside-of-docker:1": { "version": "latest", diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index 5f1a123..fbda3ee 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh @@ -24,3 +24,7 @@ asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git # install base asdf versions of common tools cd /home/vscode asdf install + +# create .ssh/known_hosts to prevent devcontainer copying from localhost +mkdir -p /home/vscode/.ssh +echo "" > /home/vscode/.ssh/known_hosts diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index 3c8fb35..100a86b 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index 3c8fb35..100a86b 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index 7d1b3e9..19adae8 100644 
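Review bot: Dropping `--network=host` from `runArgs` is a good isolation change, but the `docker-outside-of-docker` feature visible in the surrounding context still gives the container the host Docker socket, which is effectively host-root and can reach any host network namespace anyway; the gain is limited to accidental exposure (dev servers bound on host ports) and should not be described as sandboxing. `remoteEnv.LOCAL_WORKSPACE_FOLDER` goes too; if any script in this image still reads `LOCAL_WORKSPACE_FOLDER` (commonly used with docker-outside-of-docker to translate bind-mount paths) it is now unset — I could not verify either way from this hunk. The `build` and `features` objects start and end outside the hunk.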
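Review bot: `mkdir -p /home/vscode/.ssh` followed by `echo "" > /home/vscode/.ssh/known_hosts` creates the directory with the build-time umask, so `.ssh` may end up group- or world-readable and ssh will later refuse to use it; if this block stays, add `chmod 700 /home/vscode/.ssh` and `chmod 600 /home/vscode/.ssh/known_hosts`, and use `: > /home/vscode/.ssh/known_hosts` rather than writing a newline. An empty `known_hosts` baked into the image also does nothing to pin host keys; if the aim is only to stop a tool copying the host file in, the comment should name which tool behaviour is being suppressed. Patch 2 of this series removes the block again, so this only matters if it is reinstated.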
--- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/languages/python_3_10/.devcontainer/devcontainer.json index aa03d36..f593cf2 100644 --- a/src/languages/python_3_10/.devcontainer/devcontainer.json +++ b/src/languages/python_3_10/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json index 6b10ee8..95c0a22 100644 --- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json +++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json @@ -13,10 +13,6 @@ }, "context": "." }, - "runArgs": [ - "--network=host" - ], - "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, "features": {} } From f239fd935623bf3adf19ed0e11ea2476449d70cb Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 14:35:43 +0000 Subject: [PATCH 2/7] remove it --- src/base/.devcontainer/scripts/vscode_install.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index fbda3ee..5f1a123 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh 
@@ -24,7 +24,3 @@ asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git # install base asdf versions of common tools cd /home/vscode asdf install - -# create .ssh/known_hosts to prevent devcontainer copying from localhost -mkdir -p /home/vscode/.ssh -echo "" > /home/vscode/.ssh/known_hosts From 48b6da0c9dd35af38ab61ebb0167a90d1736c5bf Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 15:03:54 +0000 Subject: [PATCH 3/7] update readme --- README.md | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index d34d8cf..df24dec 100644 --- a/README.md +++ b/README.md 
@@ -61,29 +61,30 @@ You should not need to add any features as these are already baked into the imag "name": "eps-common-workflows", "build": { "dockerfile": "Dockerfile", + "context": "..", "args": { "DOCKER_GID": "${env:DOCKER_GID:}", "IMAGE_NAME": "node_24_python_3_14", - "IMAGE_VERSION": "v1.0.1", + "IMAGE_VERSION": "local-build", "USER_UID": "${localEnv:USER_ID:}", "USER_GID": "${localEnv:GROUP_ID:}" - }, - "updateRemoteUserUID": false, - "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", - "mounts": [ - "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", - "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" - ], - "containerUser": "vscode", - "remoteEnv": { - "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" - }, - "features": {}, - "customizations": { - ... add any customisations you want here } + }, + "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", + "mounts": [ + "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", + "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" + ], + "updateRemoteUserUID": false, + "containerUser": "vscode", + "remoteEnv": { + "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" + }, + "features": {}, + "customizations": { + .... } } ``` From f800a3609daa1ad85a974705ae4fb6ad23c0a210 Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Mon, 16 Feb 2026 15:08:06 +0000 Subject: [PATCH 4/7] update ignore --- README.md | 6 ++++-- .../fhir_facade_api/.trivyignore.yaml | 20 +++++++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index df24dec..1243341 100644 --- a/README.md +++ b/README.md @@ -225,10 +225,12 @@ You can generate a .trivyignore file for known vulnerabilities by either downloa If generated locally, then the output goes into .out/scan_results_docker.json -Once you have the scan output, use the following to generate a .trivyignore +Once you have the scan output, use the following to generate a new .trivyignore file called .trivyignore.new.yaml. Note this will overwrite the output file when run so it should point to a new file and the contents merged with existing .trivyignore file + + ``` poetry run python \ scripts/trivy_to_trivyignore.py \ --input .out/scan_results_docker.json \ - --output src/common/.trivyignore.yaml + --output src/common/.trivyignore.new.yaml ``` diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml index 639428a..61637f4 100644 --- a/src/projects/fhir_facade_api/.trivyignore.yaml +++ b/src/projects/fhir_facade_api/.trivyignore.yaml 
@@ -65,3 +65,23 @@ vulnerabilities: purls: - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" expired_at: 2026-08-13 + - id: CVE-2022-25235 + statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" + purls: + - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-16 + - id: CVE-2022-25236 + statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" + purls: + - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-16 + - id: CVE-2022-26485 + statement: "Mozilla: Use-after-free in XSLT parameter processing" + purls: + - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-16 + - id: CVE-2022-26486 + statement: "Mozilla: Use-after-free in WebGPU IPC Framework" + purls: + - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-16 From 327bc65aa6894c2b340e203e6ce4d49526f90352 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 15:23:59 +0000 Subject: [PATCH 5/7] update readme --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1243341..e49202c 100644 --- a/README.md +++ b/README.md 
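Review bot: The `statement` on each new entry repeats the CVE title (`"expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"`) instead of the reason it is acceptable to ignore, which is what trivy's `statement` field is for and what an auditor will ask about; two of these are arbitrary-code-execution bugs and the two Mozilla use-after-frees (CVE-2022-26485/26486) were, as far as I recall, exploited in the wild when disclosed. A Firefox 147.0.4 package from the Mozilla Team PPA is very unlikely to be affected by 2022 CVEs, so this looks like a false positive from the distro advisory feed — if so, record that, e.g. `statement: "False positive: firefox 147.0.4 (mozillateam PPA) is not affected; distro feed lists the PPA build as unfixed"`. Pinning the purl to the exact version is good, since a Firefox bump will un-ignore the finding rather than hide it indefinitely. The `vulnerabilities:` list starts outside the hunk.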
@@ -223,7 +223,11 @@ You can only use images built from a pull request for testing changes in github ## Generating a .trivyignore file You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json -If generated locally, then the output goes into .out/scan_results_docker.json +If generated locally, then the output goes into .out/scan_results_docker.json. +You can use github cli tools to download the scan output file. Replace the run id from the url, and the -n with the filename to download +``` +gh run download -n scan_results_docker_fhir_facade_api_arm64.json +``` Once you have the scan output, use the following to generate a new .trivyignore file called .trivyignore.new.yaml. Note this will overwrite the output file when run so it should point to a new file and the contents merged with existing .trivyignore file From 435bc5f2bdec7ac211e2541c68ea9422a4aa2bf2 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 15:53:56 +0000 Subject: [PATCH 6/7] really fix trivyignore --- .../fhir_facade_api/.trivyignore.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml index 61637f4..4443daa 100644 --- a/src/projects/fhir_facade_api/.trivyignore.yaml +++ b/src/projects/fhir_facade_api/.trivyignore.yaml 
@@ -85,3 +85,23 @@ vulnerabilities: purls: - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" expired_at: 2026-08-16 + - id: CVE-2022-25235 + statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" + purls: + - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-16 + - id: CVE-2022-25236 + statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" + purls: + - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-16 + - id: CVE-2022-26485 + statement: "Mozilla: Use-after-free in XSLT parameter processing" + purls: + - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-16 + - id: CVE-2022-26486 + statement: "Mozilla: Use-after-free in WebGPU IPC Framework" + purls: + - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-16 From 0aba7f95e3c48625d4d7653c2e7705e9eb764899 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 16 Feb 2026 16:20:31 +0000 Subject: [PATCH 7/7] fix readme --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index e49202c..6300a93 100644 --- a/README.md +++ b/README.md @@ -68,7 +68,8 @@ You should not need to add any features as these are already baked into the imag "IMAGE_VERSION": "local-build", "USER_UID": "${localEnv:USER_ID:}", "USER_GID": "${localEnv:GROUP_ID:}" - } + }, + "updateRemoteUserUID": false, }, "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt", "mounts": [ 
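Review bot: These four entries reuse `id`s already present in the file, differing only in `arch=amd64` versus `arch=arm64` in the purl, and I am not sure whether trivy merges duplicate ids or stops at the first match. Since `purls` is a list, the amd64 purl belongs in the existing entries — one entry per CVE carrying both purls — which also leaves a single `expired_at` and `statement` per CVE instead of two copies that can drift apart. The `statement` text is again the CVE title; the ignore rationale (presumably that Firefox 147.0.4 is not affected) should be what is written there.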
@@ -77,7 +78,6 @@ You should not need to add any features as these are already baked into the imag "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind", "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind" ], - "updateRemoteUserUID": false, "containerUser": "vscode", "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" @@ -154,7 +154,7 @@ CONTAINER_NAME=base \ ``` Language images ``` -CONTAINER_NAME=node_24_python_3_14 \ +CONTAINER_NAME=node_24_python_3_13 \ BASE_VERSION_TAG=local-build \ BASE_FOLDER=languages \ IMAGE_TAG=local-build \ @@ -236,5 +236,5 @@ Once you have the scan output, use the following to generate a new .trivyignore poetry run python \ scripts/trivy_to_trivyignore.py \ --input .out/scan_results_docker.json \ - --output src/common/.trivyignore.new.yaml + --output src/projects/fhir_facade_api/.trivyignore.new.yaml ```