Breaking: [AEA-0000] - Use zizmor and anchore tools

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.2.0",
+      "IMAGE_VERSION": "v1.4.4",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     },

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# restrict access to approving workflow changes
+.github/workflows/ @NHSDigital/eps-admins

.github/workflows/dependabot-auto-approve-and-merge.yml

@@ -8,14 +8,14 @@ on:
             AUTOMERGE_PEM:
                 required: true
 
-permissions:
-    pull-requests: write
-    contents: write
-
+permissions: {}
 jobs:
     dependabot:
         runs-on: ubuntu-22.04
-        if: ${{ github.actor == 'dependabot[bot]' }}
+        permissions:
+            pull-requests: write
+            contents: write
+        if: (github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'eps-create-pull-request[bot]') && github.repository == github.event.pull_request.head.repo.full_name
         steps:
             - name: Get token from Github App
               id: get_app_token

.github/workflows/get-repo-config.yml

@@ -39,9 +39,14 @@ on:
                 description: Resolved digest for the supplied image reference
                 value: ${{ jobs.verify_attestation.outputs.resolved_digest }}
 
+permissions: {}
 jobs:
     get_config_values:
         runs-on: ubuntu-22.04
+        permissions:
+            attestations: read
+            contents: read
+            packages: read
         outputs:
             tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
             devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
@@ -51,8 +56,8 @@ jobs:
             - name: Checkout code
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
               with:
-                  ref: ${{ env.BRANCH_NAME }}
                   fetch-depth: 0
+                  persist-credentials: false
 
             - name: Load config value
               id: load-config

.github/workflows/pr_title_check.yml

@@ -3,6 +3,7 @@ name: PR Title Check
 on:
     workflow_call:
 
+permissions: {}
 jobs:
     pr_title_format_check:
         runs-on: ubuntu-22.04
@@ -50,43 +51,6 @@ jobs:
                     exit 1
                   fi
 
-            - name: Comment on PR with Jira Link
-              if: steps.extract_ticket_reference.outcome == 'success' && steps.extract_ticket_reference.outputs.TICKET_REF != 'dependabot'
-              uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  TICKET_REF: ${{ steps.extract_ticket_reference.outputs.TICKET_REF }}
-              with:
-                  message: |
-                      This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket:
-                      # [${{ env.TICKET_REF }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_REF }})
-                  comment-tag: pr-link
-
-            - name: Comment on PR for dependabot
-              if: steps.extract_ticket_reference.outcome == 'success' && steps.extract_ticket_reference.outputs.TICKET_REF == 'dependabot'
-              uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-              with:
-                  message: |
-                      This PR is raised by Dependabot to update a dependency.
-                  comment-tag: pr-link
-
-            - name: Comment on PR for bad format
-              if: steps.check_prefix.outcome != 'success' || steps.check_ticket_reference.outcome != 'success'
-              uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-              with:
-                  message: |
-                      The PR title does not conform to the required format.
-                      Please ensure your PR title is prefixed with a change type (Fix, Update, New, Breaking, Docs, Build, Upgrade, Chore)
-                      and contains a ticket reference (eg. 'Fix: [AEA-####] - ...', or 'Chore: [dependabot] - ...'),
-                      then push an empty commit or recreate your PR.
-                      See the contributing guide for more details:
-                      https://github.com/NHSDigital/eps-common-workflows/blob/main/CONTRIBUTING.md
-                  comment-tag: pr-link
-
             - name: Fail job due to invalid PR title format
               if: steps.check_prefix.outcome != 'success' || steps.check_ticket_reference.outcome != 'success'
               run: |

.github/workflows/pull_request.yml

@@ -7,25 +7,39 @@ on:
 env:
   BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
 
+permissions: {}
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
     uses: ./.github/workflows/dependabot-auto-approve-and-merge.yml
+    permissions:
+      contents: write
+      pull-requests: write
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
 
   pr_title_format_check:
     uses: ./.github/workflows/pr_title_check.yml
+    permissions:
+      pull-requests: write
 
   get_config_values:
     uses: ./.github/workflows/get-repo-config.yml
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
     with:
       verify_published_from_main_image: false
 
   quality_checks:
     uses: ./.github/workflows/quality-checks-devcontainer.yml
     needs: [get_config_values]
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     secrets:
@@ -43,4 +57,3 @@ jobs:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: ${{ github.event.pull_request.head.ref }}
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit

.github/workflows/quality-checks-devcontainer.yml

@@ -25,9 +25,15 @@ on:
         type: string
         required: true
 
+permissions: {}
+
 jobs:
   quality_checks:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     container:
       image: ${{ inputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
@@ -36,16 +42,19 @@ jobs:
         shell: bash
     steps:
       - &init_tool_versions
-        name: copy .tool-versions
+        name: copy needed files from devcontainer user to runner home directory or bin directory
         run: |
           cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+          cp /home/vscode/.grant.yaml "$HOME/.grant.yaml"
+          mkdir -p "$HOME/.local/bin"
+          sudo cp /home/vscode/.local/bin/zizmor /usr/local/bin/zizmor
 
       - &checkout
         name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
+          persist-credentials: false
 
       - &setup_npmrc
         name: Setting up .npmrc
@@ -67,12 +76,18 @@ jobs:
           make install
       - name: Run secrets scan
         run: |
+          git-secrets --register-aws
+          git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt
           make secret-scan
       - name: Run actionlint
         run: |
           make actionlint
 
-      - name: Check language tools used and setup trivy config
+      - name: Run zizmor
+        run: |
+          make zizmor
+
+      - name: Check language tools used
         id: check_languages
         run: |
           if [ -f "pyproject.toml" ] && grep -q '\[tool.poetry\]' "pyproject.toml"; then
@@ -121,14 +136,7 @@ jobs:
           fi
       - name: Check licenses
         run: |
-          make trivy-license-check
-
-      - name: Show license scan output
-        if: always()
-        run: |
-          if [ -f license_scan.txt ]; then
-            cat .trivy_out/license_scan.txt
-          fi
+          make grant-scan
       - name: Run code lint
         run: |
           make lint
@@ -140,51 +148,19 @@ jobs:
       - name: Run unit tests
         run: |
           make test
-      - name: make generate sbom
+      - name: Generate sbom
         run: |
-          make trivy-generate-sbom
+          make syft-generate-sbom-dev-dependencies
       - name: Upload sbom
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
-          name: sbom.cdx.json
-          path: .trivy_out/sbom.cdx.json
+          name: sbom.dev.cdx.json
+          path: .sbom/sbom.dev.cdx.json
 
-      - name: Check python vulnerabilities
-        if: ${{ steps.check_languages.outputs.uses_poetry == 'true' }}
-        continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
+      - name: Check vulnerabilities
         run: |
-          make trivy-scan-python
+          make grype-scan-dev-dependencies
 
-      - name: Check node vulnerabilities
-        if: ${{ steps.check_languages.outputs.uses_node == 'true' }}
-        continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-        run: |
-          make trivy-scan-node
-      - name: Check go vulnerabilities
-        if: ${{ steps.check_languages.outputs.uses_go == 'true' }}
-        continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-        run: |
-          make trivy-scan-go
-      - name: Check java vulnerabilities
-        if: ${{ steps.check_languages.outputs.uses_java == 'true' }}
-        continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-        run: |
-          make trivy-scan-java
-      - name: Show vulnerability output
-        if: always()
-        run: |
-          if [ -f .trivy_out/dependency_results_python.txt ]; then
-            cat .trivy_out/dependency_results_python.txt
-          fi
-          if [ -f .trivy_out/dependency_results_node.txt ]; then
-            cat .trivy_out/dependency_results_node.txt
-          fi
-          if [ -f .trivy_out/dependency_results_java.txt ]; then
-            cat .trivy_out/dependency_results_java.txt
-          fi
-          if [ -f .trivy_out/dependency_results_go.txt ]; then
-            cat .trivy_out/dependency_results_go.txt
-          fi
       - name: "check is SONAR_TOKEN exists"
         env:
           super_secret: ${{ secrets.SONAR_TOKEN }}
@@ -279,6 +255,10 @@ jobs:
           echo "images=$NORMALIZED" >> "$GITHUB_OUTPUT"
 
   docker_vulnerability_scan:
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     runs-on: ubuntu-22.04
     needs: get_docker_images_to_scan
     container:
@@ -310,19 +290,15 @@ jobs:
       - name: Check docker vulnerabilities
         continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
         run: |
-          make trivy-scan-docker
+          make grype-scan-docker-image
         env:
           DOCKER_IMAGE: ${{ matrix.docker_image }}
 
-      - name: Show docker vulnerability output
-        if: always()
-        run: |
-          echo "Scan output for ${{ matrix.docker_image }}"
-          if [ -f .trivy_out/dependency_results_docker.txt ]; then
-            cat .trivy_out/dependency_results_docker.txt
-          fi
-
   IaC-validation:
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     runs-on: ubuntu-22.04
     container:
       image: ${{ inputs.pinned_image }}