diff --git a/Makefile b/Makefile
index 8ea9469..0920c27 100644
--- a/Makefile
+++ b/Makefile
@@ -72,6 +72,7 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
 shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
 docker run -it \
+ --rm \
 "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \
 bash
diff --git a/README.md b/README.md
index 7caaa66..7fa7a29 100644
--- a/README.md
+++ b/README.md
@@ -31,8 +31,8 @@ asdf install and setup for these so they are available globally as vscode user
 Install and setup git-secrets
 # Using the images
-In each eps project, this should be the contents of .devcontainer/Dockerfile.
-
+## Project setup
+In each eps project, `.devcontainer/Dockerfile` should be set to
 ```
 ARG IMAGE_NAME=node_24_python_3_14
 ARG IMAGE_VERSION=latest
@@ -49,11 +49,7 @@ RUN if [ -n "${DOCKER_GID}" ]; then \
 usermod -aG docker vscode; \
 fi
 ```
-And this should be the contents of .devcontainer/devcontainer.json.
-This file will be used in github workflows to calculate the version of container to use in builds, so it must be valid JSON (no comments).
-The name should be changed to match the name of the project.
-IMAGE_NAME and IMAGE_VERSION should be changed as appropriate.
-You should not need to add any features as these are already baked into the image
+`.devcontainer/devcontainer.json` should be set to.
 ```
 {
 "name": "eps-common-workflows",
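Review bot: The `--rm` added to the `docker run` line means the container and anything written inside it are discarded when the shell exits, which is the right default for an ad-hoc shell but is not stated anywhere near `shell-image`; a one-line comment above the target, `# shell-image: open a throwaway bash shell in the image; the container is removed on exit (--rm)`, saves the next reader from wondering why files created in that shell disappear. The `shell-image` rule is fully visible in the hunk, but whether it is declared `.PHONY` is not, and it never produces a file, so that is worth confirming.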
@@ -86,7 +82,12 @@ You should not need to add any features as these are already baked into the imag
 }
 }
 ```
+Note - this file will be used in github workflows to calculate the version of container to use in builds, so it must be valid JSON (no comments).
+The name should be changed to match the name of the project.
+IMAGE_NAME and IMAGE_VERSION should be changed as appropriate.
+You should not need to add any features as these are already baked into the image
+## Getting image name and version in github actions
 This job should be used in github actions wherever you need to get the dev container name or tag
 ```
@@ -106,6 +107,30 @@ This job should be used in github actions wherever you need to get the dev conta
 echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT"
 echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT"
 ```
+## Using images in github actions
+To use the image in github actions, you can use code like this
+```
+jobs:
+ my_job_name:
+ runs-on: ubuntu-22.04
+ container:
+ image: ghcr.io/nhsdigital/eps-devcontainers/:githubactions-
+ options: --user 1001:1001 --group-add 128
+ defaults:
+ run:
+ shell: bash
+ steps:
+ - name: copy .tool-versions
+ run: |
+ cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+ ... other steps ....
+```
+It is important that
+- the image specified uses the tag starting githubactions-
+- there is `options: --user 1001:1001 --group-add 128` below image to ensure it uses the correct user id and is added to the docker group
+- the default shell is set to be bash
+- the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions
+
 # Project structure
 We have 4 types of dev container. These are defined under src
@@ -235,26 +260,6 @@ For an image built locally, you should put the IMAGE_VERSION=local-build.
 For an image built from a pull request, you should put the IMAGE_VERSION=.
 You can only use images built from a pull request for testing changes in github actions.
-## Using images in github actions
-To use the image in github actions, you can use it in github actions using code like this
-```
-jobs:
- my_job_name:
- runs-on: ubuntu-22.04
- container:
- image: ghcr.io/nhsdigital/eps-devcontainers/:githubactions-
- options: --user 1001:1001
- steps:
- - name: copy .tool-versions
- run: |
- cp /home/vscode/.tool-versions "$HOME/.tool-versions"
- ... other steps ....
-```
-It is important that
-- the image uses the tag starting githubactions-
-- there is `options: --user 1001:1001` below image
-- the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions
-
 ## Generating a .trivyignore file
 You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json
diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk
index 10117d1..031b732 100644
--- a/src/base/.devcontainer/Mk/check.mk
+++ b/src/base/.devcontainer/Mk/check.mk
@@ -32,7 +32,7 @@ cfn-guard-sam-templates:
 SAM_OUTPUT=$$(sam validate -t "$$file" --region eu-west-2 --debug 2>&1 | grep -Pazo "(?s)AWSTemplateFormatVersion.*\\n/" | tr -d "\\0"); \
 output_file=".cfn_guard_out/$${file}_$${ruleset}.txt"; \
 mkdir -p "$$(dirname "$$output_file")"; \
- echo "$${SAM_OUTPUT::-1}" | ~/.guard/bin/cfn-guard validate --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" --show-summary fail > "$$output_file"; \
+ echo "$${SAM_OUTPUT::-1}" | /home/vscode/.guard/bin/cfn-guard validate --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" --show-summary fail > "$$output_file"; \
 done < <(find ./SAMtemplates -type f \( -name "*.yaml" -o -name "*.yml" \) -print0); \
 done\
 '
@@ -42,9 +42,9 @@ cfn-guard-cloudformation:
 rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
 mkdir -p .cfn_guard_out; \
 for ruleset in "$${rulesets[@]}"; do \
- ~/.guard/bin/cfn-guard validate \
+ /home/vscode/.guard/bin/cfn-guard validate \
 --data cloudformation \
- --rules "/tmp/ruleset/output/$$ruleset.guard" \
+ --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" \
 --show-summary fail \
 > ".cfn_guard_out/cloudformation_$$ruleset.txt"; \
 done\
@@ -55,9 +55,9 @@ cfn-guard-cdk:
 rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
 mkdir -p .cfn_guard_out; \
 for ruleset in "$${rulesets[@]}"; do \
- ~/.guard/bin/cfn-guard validate \
+ /home/vscode/.guard/bin/cfn-guard validate \
 --data cdk.out \
- --rules "/tmp/ruleset/output/$$ruleset.guard" \
+ --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" \
 --show-summary fail \
 > ".cfn_guard_out/cdk_$$ruleset.txt"; \
 done\
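Review bot: The binary path `/home/vscode/.guard/bin/cfn-guard` and the ruleset directory `/usr/local/share/eps/cfnguard_rulesets/output` are now spelled out by hand in four recipes (this hunk plus the cloudformation, cdk and terraform hunks at -42, -55 and -68), so the next relocation is four more edits and an easy miss. Hoist them once at the top of check.mk, `CFN_GUARD ?= /home/vscode/.guard/bin/cfn-guard` and `CFN_GUARD_RULESETS ?= /usr/local/share/eps/cfnguard_rulesets/output`, and use `$(CFN_GUARD) validate` / `--rules "$(CFN_GUARD_RULESETS)/$$ruleset.guard"` in the recipes; Make expands these before the `bash -c '...'` string reaches the shell, so the single quotes are no obstacle. A comment on those definitions should record why `~` was dropped, presumably because `$HOME` is not `/home/vscode` when the image runs under the `--user 1001:1001` id the README describes, and that the rulesets now live under `/usr/local/share` rather than `/tmp` so a build no longer reads its policy from a directory any process in the container can rewrite. The `cfn-guard-*` recipe bodies begin outside these hunks.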
@@ -68,9 +68,9 @@ cfn-guard-terraform:
 rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
 mkdir -p .cfn_guard_out; \
 for ruleset in "$${rulesets[@]}"; do \
- ~/.guard/bin/cfn-guard validate \
+ /home/vscode/.guard/bin/cfn-guard validate \
 --data terraform_plans \
- --rules "/tmp/ruleset/output/$$ruleset.guard" \
+ --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" \
 --show-summary fail \
 > ".cfn_guard_out/terraform_$$ruleset.txt"; \
 done\
diff --git a/src/base/.devcontainer/Mk/trivy.mk b/src/base/.devcontainer/Mk/trivy.mk
index 9bb3ef6..6d323a2 100644
--- a/src/base/.devcontainer/Mk/trivy.mk
+++ b/src/base/.devcontainer/Mk/trivy.mk
@@ -85,7 +85,6 @@ trivy-scan-docker: guard-DOCKER_IMAGE
 --scanners vuln \
 --severity HIGH,CRITICAL \
 --config trivy.yaml \
- --include-dev-deps \
 --exit-code 1 \
 --pkg-types os,library \
 --output .trivy_out/dependency_results_docker.txt \
diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh
index c0e96f7..b1b66de 100755
--- a/src/base/.devcontainer/scripts/vscode_install.sh
+++ b/src/base/.devcontainer/scripts/vscode_install.sh
@@ -22,7 +22,7 @@ asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git
 asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
 # install cfn-guard
-$ curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
+curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
 # install base asdf versions of common tools
 cd /home/vscode
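Review bot: Removing `--include-dev-deps` from `trivy-scan-docker` narrows what the image scan reports, and nothing in the recipe says why, so a reader who notices the scan turning up fewer findings than before, or who compares it with the other trivy targets outside this hunk, may simply put the flag back. Add a comment above the flag list recording the rationale, for example `# --include-dev-deps deliberately omitted: <reason, e.g. dev-only packages are not shipped in the image>`, so the narrowed coverage is a documented decision rather than an accident. The `trivy-scan-docker` recipe begins outside the hunk.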
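Review bot: The corrected line still pipes an installer fetched from the unpinned `main` branch of cloudformation-guard straight into `sh`, so whatever that branch serves at image-build time runs unverified with the installing user's privileges, and a failed or truncated download is masked because the pipeline's exit status is `sh`'s unless `set -o pipefail` is in effect (the script header is outside the hunk). Download the installer to a file from a pinned tag or commit, check its digest against a value recorded in this repository, and only then execute it, so image builds are reproducible and a changed upstream script fails the build instead of running. The old `$ ` prefix looks like a copy-paste from shell documentation; with the plain pipe it presumably ran a non-existent `$` command and fed `sh` empty input, which is the same silent-failure mode the pinned, verified form removes.
```shell
# install cfn-guard: fetch the installer from a pinned ref, verify it, then run it
# <PINNED_TAG_OR_COMMIT> and <EXPECTED_SHA256> are placeholders to fill in from the release you vet
curl --proto '=https' --tlsv1.2 -sSf \
  -o /tmp/install-guard.sh \
  "https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/<PINNED_TAG_OR_COMMIT>/install-guard.sh"
echo "<EXPECTED_SHA256>  /tmp/install-guard.sh" | sha256sum -c -
sh /tmp/install-guard.sh
rm -f /tmp/install-guard.sh
# … unchanged: base asdf tool installation …
```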