From aad17bc350e1e862e6b5c591947ef8754802c3bf Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Thu, 26 Mar 2026 10:04:21 +0000 Subject: [PATCH 01/29] add zizmor --- .devcontainer/Dockerfile.bootstrap | 15 - .github/workflows/build_multi_arch_image.yml | 7 - .trivyignore.yaml | 529 ------------------ Makefile | 35 -- README.md | 43 +- scripts/trivy_to_trivyignore.py | 151 ----- src/base/.devcontainer/.tool-versions | 1 + src/base/.devcontainer/Dockerfile | 15 +- src/base/.devcontainer/Dockerfile.trivy.amd64 | 8 - src/base/.devcontainer/Dockerfile.trivy.arm64 | 8 - src/base/.devcontainer/Mk/check.mk | 3 + src/base/.devcontainer/Mk/trivy.mk | 76 --- .../.devcontainer/scripts/install_trivy.sh | 68 --- .../.devcontainer/scripts/vscode_install.sh | 5 +- src/base/.trivyignore.yaml | 1 - src/base/trivy.yaml | 1 - src/base_node/node_24/trivy.yaml | 1 - src/common/.trivyignore.yaml | 441 --------------- .../node_24_python_3_10/.trivyignore.yaml | 16 - src/languages/node_24_python_3_10/trivy.yaml | 1 - .../node_24_python_3_12/.trivyignore.yaml | 1 - src/languages/node_24_python_3_12/trivy.yaml | 1 - .../node_24_python_3_13/.trivyignore.yaml | 1 - src/languages/node_24_python_3_13/trivy.yaml | 1 - .../node_24_python_3_14/.trivyignore.yaml | 11 - src/languages/node_24_python_3_14/trivy.yaml | 1 - .../eps-storage-terraform/.trivyignore.yaml | 117 ---- src/projects/eps-storage-terraform/trivy.yaml | 1 - .../fhir_facade_api/.trivyignore.yaml | 51 -- src/projects/fhir_facade_api/trivy.yaml | 1 - .../.trivyignore.yaml | 21 - .../trivy.yaml | 1 - .../.trivyignore.yaml | 11 - .../node_24_python_3_14_java_24/trivy.yaml | 1 - .../regression_tests/.trivyignore.yaml | 75 --- src/projects/regression_tests/trivy.yaml | 1 - trivy.yaml | 1 - 37 files changed, 18 insertions(+), 1704 deletions(-) delete mode 100644 .trivyignore.yaml delete mode 100644 scripts/trivy_to_trivyignore.py delete mode 100644 src/base/.devcontainer/Dockerfile.trivy.amd64 delete mode 100644 src/base/.devcontainer/Dockerfile.trivy.arm64 delete mode 100755 
src/base/.devcontainer/scripts/install_trivy.sh delete mode 100644 src/base/.trivyignore.yaml delete mode 100644 src/base/trivy.yaml delete mode 100644 src/base_node/node_24/trivy.yaml delete mode 100644 src/common/.trivyignore.yaml delete mode 100644 src/languages/node_24_python_3_10/.trivyignore.yaml delete mode 100644 src/languages/node_24_python_3_10/trivy.yaml delete mode 100644 src/languages/node_24_python_3_12/.trivyignore.yaml delete mode 100644 src/languages/node_24_python_3_12/trivy.yaml delete mode 100644 src/languages/node_24_python_3_13/.trivyignore.yaml delete mode 100644 src/languages/node_24_python_3_13/trivy.yaml delete mode 100644 src/languages/node_24_python_3_14/.trivyignore.yaml delete mode 100644 src/languages/node_24_python_3_14/trivy.yaml delete mode 100644 src/projects/eps-storage-terraform/.trivyignore.yaml delete mode 100644 src/projects/eps-storage-terraform/trivy.yaml delete mode 100644 src/projects/fhir_facade_api/.trivyignore.yaml delete mode 100644 src/projects/fhir_facade_api/trivy.yaml delete mode 100644 src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml delete mode 100644 src/projects/node_24_python_3_14_golang_1_24/trivy.yaml delete mode 100644 src/projects/node_24_python_3_14_java_24/.trivyignore.yaml delete mode 100644 src/projects/node_24_python_3_14_java_24/trivy.yaml delete mode 100644 src/projects/regression_tests/.trivyignore.yaml delete mode 100644 src/projects/regression_tests/trivy.yaml delete mode 100644 trivy.yaml diff --git a/.devcontainer/Dockerfile.bootstrap b/.devcontainer/Dockerfile.bootstrap index a4a6ccd..001885d 100644 --- a/.devcontainer/Dockerfile.bootstrap +++ b/.devcontainer/Dockerfile.bootstrap 
@@ -1,16 +1,3 @@
-# This can be used to bootstrap devcontainer when no images have been pushed
-FROM alpine:3.23.3 AS build
-ARG TARGETARCH
-RUN apk add --no-cache cosign bash curl jq
-COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
-RUN case "${TARGETARCH}" in \
- x86_64|amd64) TRIVY_ARCH=64bit ;; \
- aarch64|arm64) TRIVY_ARCH=ARM64 ;; \
- *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
- esac \
- && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh
-
-
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 ARG TARGETARCH
 ENV TARGETARCH=${TARGETARCH}
@@ -75,8 +62,6 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \
 chmod 755 /usr/share/secrets-scanner && \
 curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
-COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy
-
 USER vscode
 ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
index 10ee80c..269408f 100644
--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -63,13 +63,6 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
- # - name: setup trivy
- # run: |
- # mkdir -p "$RUNNER_TEMP/bin"
- # docker build --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" .
- # echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
- # env:
- # ARCH: '${{ matrix.arch }}'
 - name: setup node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
deleted file mode 100644
index 62fcf7b..0000000
--- a/.trivyignore.yaml
+++ /dev/null
@@ -1,529 +0,0 @@ -vulnerabilities: - - id: CVE-2026-25547 - statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@3.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@11.0.3" - expired_at: 2026-06-01 - - id: CVE-2022-25881 - statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" - purls: - - "pkg:npm/http-cache-semantics@4.1.0" - expired_at: 2026-06-01 - - id: CVE-2024-29415 - statement: "node-ip Incomplete fix for CVE-2023-42282" - purls: - - "pkg:npm/ip@1.1.5" - expired_at: 2026-06-01 - - id: CVE-2022-3517 - statement: "nodejs-minimatch ReDoS via the braceExpand function" - purls: - - "pkg:npm/minimatch@3.0.4" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@11.6.2" - expired_at: 2026-06-01 - - id: CVE-2022-29244 - statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: 
CVE-2022-25883 - statement: "nodejs-semver Regular expression denial of service" - purls: - - "pkg:npm/semver@7.3.5" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
- purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-49761 - statement: "rexml REXML ReDoS vulnerability" - purls: - - "pkg:gem/rexml@3.2.6" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-22874 - statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" - purls: - - "pkg:golang/stdlib@v1.24.3" - 
expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-66564 - statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" - purls: - - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2023-24538 - statement: "golang html/template backticks not treated as string delimiters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24540 - statement: "golang html/template improper handling of JavaScript whitespace" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-24790 - statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-24675 - statement: "golang encoding/pem fix stack overflow in Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-27664 - statement: "golang net/http handle server errors after sending GOAWAY" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28131 - statement: "golang encoding/xml stack exhaustion in Decoder.Skip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28327 - statement: "golang crypto/elliptic panic caused by oversized scalar" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2879 - statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2880 - statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-29804 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30580 - statement: "golang os/exec Code injection in Cmd.Start" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30630 - statement: "golang io/fs stack 
exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30631 - statement: "golang compress/gzip stack exhaustion in Reader.Read" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30632 - statement: "golang path/filepath stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30633 - statement: "golang encoding/xml stack exhaustion in Unmarshal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30634 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30635 - statement: "golang encoding/gob stack exhaustion in Decoder.Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-32189 - statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41715 - statement: "golang regexp/syntax limit memory used by parsing regexps" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41716 - statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
- purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41720 - statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41722 - statement: "golang path/filepath path-filepath filepath.Clean path traversal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41723 - statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41724 - statement: "golang crypto/tls large handshake records may cause panics" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41725 - statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24534 - statement: "golang net/http, net/textproto denial of service from excessive memory allocation" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24536 - statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24537 - statement: "golang go/parser Infinite loop in parsing" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24539 - statement: "golang html/template improper sanitization of CSS values" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29400 - statement: "golang html/template improper handling of empty HTML attributes" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29403 - statement: "golang runtime unexpected behavior of setuid/setgid binaries" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: 
CVE-2023-39325 - statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45283 - statement: "The filepath package does not recognize paths with a prefix as sp ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45287 - statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45288 - statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-34156 - statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-25621 - statement: "github.com/containerd/containerd containerd local privilege escalation" - purls: - - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - 
id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-68121 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-61730 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37849 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-26007 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-23949 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-24049 - statement: "CHANGE ME" - expired_at: 2026-06-01 diff --git a/Makefile b/Makefile index 08da340..37286c9 100644 --- a/Makefile +++ b/Makefile 
@@ -82,43 +82,9 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG
 scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER
 echo "Not implemented"
-# mkdir -p .out
-# @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
-# common="src/common/.trivyignore.yaml"; \
-# extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
-# specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
-# exit_code="$${EXIT_CODE:-1}"; \
-# echo "vulnerabilities:" > "$$combined"; \
-# if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
-# if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
-# if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
-# trivy image \
-# --severity HIGH,CRITICAL \
-# --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
-# --scanners vuln \
-# --exit-code $$exit_code \
-# --format table \
-# --output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"
 scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
 echo "Not implemented"
-# mkdir -p .out
-# @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
-# common="src/common/.trivyignore.yaml"; \
-# extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
-# specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
-# exit_code="$${EXIT_CODE:-1}"; \
-# echo "vulnerabilities:" > "$$combined"; \
-# if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
-# if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
-# if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
-# trivy image \
-# --severity HIGH,CRITICAL \
-# --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
-# --scanners vuln \
-# --exit-code "$$exit_code" \
-# --format json \
-# --output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"
 shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
 docker run -it \
@@ -139,7 +105,6 @@ lint-githubaction-scripts:
 clean:
 rm -rf .out
- find . -type f -name '.trivyignore_combined.yaml' -delete
 %:
 @$(MAKE) -f /usr/local/share/eps/Mk/common.mk $@
diff --git a/README.md b/README.md
index 388b233..c19dd83 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,6 @@ EPS DEV CONTAINERS
 - [Building images](#building-images)
 - [Scanning images](#scanning-images)
 - [Interactive shell on image](#interactive-shell-on-image)
-- [Generating a .trivyignore file](#generating-a-trivyignore-file)
 - [Cleaning up unused container images](#cleaning-up-unused-container-images)
 # Introduction
@@ -45,10 +44,10 @@ asdf install and setup for these so they are available globally as vscode user
 - direnv
 - actionlint
 - ruby (for GitHub Pages)
- - Trivy
 - yq
 Install and setup git-secrets
+Install [zizmor](https://github.com/zizmorcore/zizmor)
 # Using the images
 ## Project setup
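Review bot: The `scan-image` and `scan-image-json` recipes left on the new side consist only of `echo "Not implemented"`, so they exit 0 and any pipeline or developer still invoking them sees a passing scan target that scanned nothing, while this patch deletes the ignore lists, the per-image `trivy.yaml` configs and the installer without adding a replacement image scanner (zizmor, per the subject, audits workflow files rather than container images). If a later patch in this 29-part series restores image vulnerability scanning, that is worth stating in the commit message; until then the stub should not be mistakable for a passed scan, e.g. `@echo "scan-image: image vulnerability scanning is disabled (trivy removed)" >&2` followed by `exit 1`, or a prominent warning if callers must keep succeeding. The same applies to both targets in this hunk; the `clean` change in the `@@ -139` hunk is fine.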
@@ -186,13 +185,14 @@ Credentials targets (`credentials.mk`) - `create-npmrc` - depends on `github-login`, then writes `.npmrc` with a GitHub Packages auth token and `@nhsdigital` registry Trivy targets (`trivy.mk`) -- `trivy-license-check` - runs Trivy license scan (HIGH/CRITICAL) and writes `.trivy_out/license_scan.txt` -- `trivy-generate-sbom` - generates CycloneDX SBOM at `.trivy_out/sbom.cdx.json` -- `trivy-scan-python` - scans Python dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_python.txt` -- `trivy-scan-node` - scans Node dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_node.txt` -- `trivy-scan-go` - scans Go dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_go.txt` -- `trivy-scan-java` - scans Java dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_java.txt` -- `trivy-scan-docker` - scans a built image (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_docker.txt` (requires `DOCKER_IMAGE`), for example: +These are all changed to not run anything and will be removed in a future release +- `trivy-license-check` +- `trivy-generate-sbom` +- `trivy-scan-python` +- `trivy-scan-node` +- `trivy-scan-go` +- `trivy-scan-java` +- `trivy-scan-docker` # Project structure We have 5 types of dev container. These are defined under src 
@@ -207,17 +207,13 @@ Each image to be built contains a .devcontainer folder that defines how the devc Images under languages should point to a Dockerfile under src/common or src/common_node_24 that is based off the base or node image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder. -We use Trivy to scan for vulnerabilities in the built Docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` files in each image folder. These are combined before running a scan to exclude all known vulnerabilities - # Pull requests and merge to main process -For each pull request, and merge to main, images are built and scanned using Trivy, and pushed to GitHub Container Registry. +For each pull request, and merge to main, images are built, and pushed to GitHub Container Registry. Docker images are built for AMD64 and ARM64 architecture, and a combined manifest is created and pushed as part of the build. The main images have a vscode user with ID 1000. A separately tagged image is also created with the vscode user mapped to user ID 1001 so it can be used by GitHub Actions. The base image is built first, and then language images, and finally project images. -Docker images are scanned for vulnerabilities using Trivy as part of a build step, and the build fails if vulnerabilities are found that are not in the .trivyignore file. - For pull requests, images are tagged with the pr-{pull request id}-{short commit sha}. For merges to main, images are tagged with the ci-{short commit sha}. GitHub Actions images are tagged with githubactions-{full tag} 
@@ -335,25 +331,6 @@ CONTAINER_NAME=base \ make shell-image ``` -# Generating a .trivyignore file -You can generate a .trivyignore file for known vulnerabilities by either downloading the JSON scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json - -If generated locally, then the output goes into .out/scan_results_docker.json. -You can use GitHub CLI tools to download the scan output file. Replace the run ID from the URL, and the -n with the filename to download -``` -gh run download -n scan_results_docker_fhir_facade_api_arm64.json -``` - -Once you have the scan output, use the following to generate a new .trivyignore file called .trivyignore.new.yaml. Note this will overwrite the output file when run so it should point to a new file and the contents merged with existing .trivyignore file - - -``` -poetry run python \ - scripts/trivy_to_trivyignore.py \ - --input .out/scan_results_docker.json \ - --output src/projects/fhir_facade_api/.trivyignore.new.yaml -``` - # Cleaning up unused container images There is a script to delete unused container images. This runs on every merge to main and deletes pull request images, and on a weekly schedule it deletes images created by CI. diff --git a/scripts/trivy_to_trivyignore.py b/scripts/trivy_to_trivyignore.py deleted file mode 100644 index bcbb023..0000000 --- a/scripts/trivy_to_trivyignore.py +++ /dev/null 
@@ -1,151 +0,0 @@ -#!/usr/bin/env python3 -"""Convert Trivy JSON output into a .trivyignore YAML file.""" - -import argparse -import datetime as dt -import json -from pathlib import Path -from typing import Any, Dict, Iterable, List, Optional - - -def add_months(date_value: dt.date, months: int) -> dt.date: - """ - Add months to a date, clamping the day to the last day of the target month. - """ - if months == 0: - return date_value - - month_index = date_value.month - 1 + months - year = date_value.year + month_index // 12 - month = month_index % 12 + 1 - - # Clamp day to the last day of the target month. - next_year = year + (1 if month == 12 else 0) - next_month = 1 if month == 12 else month + 1 - first_of_next = dt.date(next_year, next_month, 1) - last_day = first_of_next - dt.timedelta(days=1) - day = min(date_value.day, last_day.day) - return dt.date(year, month, day) - - -def extract_vulnerabilities(data: Dict[str, Any]) -> List[Dict[str, Any]]: - """Collect vulnerability entries from Trivy JSON output.""" - results = data.get("Results", []) - if not isinstance(results, list): - return [] - - vulnerabilities: List[Dict[str, Any]] = [] - for result in results: - if not isinstance(result, dict): - continue - for vuln in result.get("Vulnerabilities", []) or []: - if isinstance(vuln, dict): - vulnerabilities.append(vuln) - return vulnerabilities - - -def normalize_purl(vuln: Dict[str, Any]) -> Optional[str]: - identifier = vuln.get("PkgIdentifier") - if isinstance(identifier, dict): - purl = identifier.get("PURL") - if isinstance(purl, str) and purl.strip(): - return purl.strip() - return None - - -def build_entries( - vulnerabilities: Iterable[Dict[str, Any]], - expires_on: dt.date -) -> List[Dict[str, Any]]: - """Build YAML entries with de-duplication by CVE, merging PURLs.""" - entries: Dict[str, Dict[str, Any]] = {} - - for vuln in vulnerabilities: - vuln_id = vuln.get("VulnerabilityID") - title = vuln.get("Title") - purl = normalize_purl(vuln) - - if not 
isinstance(vuln_id, str) or not vuln_id.strip(): - continue - if not isinstance(title, str) or not title.strip(): - continue - - key = vuln_id.strip() - entry = entries.get(key) - if entry is None: - entry = { - "id": key, - "statement": title.strip(), - "purls": set(), - "expired_at": expires_on.isoformat(), - } - entries[key] = entry - - if purl: - entry["purls"].add(purl) - - merged_entries: List[Dict[str, Any]] = [] - for entry in entries.values(): - purls = sorted(entry["purls"]) - if purls: - entry["purls"] = purls - else: - entry.pop("purls", None) - merged_entries.append(entry) - - return merged_entries - - -def write_yaml(entries: List[Dict[str, Any]], output_path: Path) -> None: - """Write entries to a YAML file without external dependencies.""" - lines: List[str] = ["vulnerabilities:"] - for entry in entries: - lines.append(f" - id: {entry['id']}") - lines.append(f" statement: {json.dumps(entry['statement'])}") - if "purls" in entry: - lines.append(" purls:") - for purl in entry["purls"]: - lines.append(f" - {json.dumps(purl)}") - lines.append(f" expired_at: {entry['expired_at']}") - - output_path.parent.mkdir(parents=True, exist_ok=True) - output_path.write_text("\n".join(lines) + "\n", encoding="utf-8") - - -def parse_args() -> argparse.Namespace: - parser = argparse.ArgumentParser( - description="Convert Trivy JSON output to .trivyignore YAML." 
- ) - parser.add_argument( - "--input", - required=True, - help="Path to the Trivy JSON output file.", - ) - parser.add_argument( - "--output", - required=True, - help="Path to write the .trivyignore YAML file.", - ) - return parser.parse_args() - - -def main() -> int: - args = parse_args() - input_path = Path(args.input) - output_path = Path(args.output) - - if not input_path.is_file(): - raise FileNotFoundError(f"Input file not found: {input_path}") - - data = json.loads(input_path.read_text(encoding="utf-8")) - vulnerabilities = extract_vulnerabilities(data) - - expires_on = add_months(dt.date.today(), 6) - entries = build_entries(vulnerabilities, expires_on) - - write_yaml(entries, output_path) - return 0 - - -if __name__ == "__main__": - raise SystemExit(main()) diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions index 7aaf5f8..198f81c 100644 --- a/src/base/.devcontainer/.tool-versions +++ b/src/base/.devcontainer/.tool-versions @@ -3,3 +3,4 @@ direnv 2.37.1 actionlint 1.7.11 ruby 3.3.0 yq 4.52.4 +rust 1.94.0 diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 8b1f4fd..695595f 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -1,14 +1,3 @@ -# FROM alpine:3.23.3 AS build -# ARG TARGETARCH -# RUN apk add --no-cache cosign bash curl jq -# COPY --chmod=755 scripts/install_trivy.sh /tmp/install_trivy.sh -# RUN case "${TARGETARCH}" in \ -# x86_64|amd64) TRIVY_ARCH=64bit ;; \ -# aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ -# *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ -# esac \ -# && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh - FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 ARG SCRIPTS_DIR=/usr/local/share/eps 
@@ -27,14 +16,12 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./root_install.sh -# COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy - COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh USER vscode COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions -ENV PATH="/home/vscode/.asdf/shims/:/home/vscode/.guard/bin/:$PATH" +ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.guard/bin:/home/vscode/.cargo/bin:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./vscode_install.sh diff --git a/src/base/.devcontainer/Dockerfile.trivy.amd64 b/src/base/.devcontainer/Dockerfile.trivy.amd64 deleted file mode 100644 index 4a719ad..0000000 --- a/src/base/.devcontainer/Dockerfile.trivy.amd64 +++ /dev/null @@ -1,8 +0,0 @@ -FROM alpine:3.23.3 AS build -RUN apk add --no-cache cosign bash curl jq -COPY --chmod=755 src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh -RUN INSTALL_DIR=/tmp/trivy/ ARCH=64bit /tmp/install_trivy.sh - -FROM scratch -COPY --from=build /tmp/trivy/trivy / -ENTRYPOINT ["/trivy"] diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64 deleted file mode 100644 index 899ea76..0000000 --- a/src/base/.devcontainer/Dockerfile.trivy.arm64 +++ /dev/null @@ -1,8 +0,0 @@ -FROM alpine:3.23.3 AS build -RUN apk add --no-cache cosign bash curl jq -COPY --chmod=755 src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh -RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh - -FROM scratch -COPY --from=build /tmp/trivy/trivy / -ENTRYPOINT ["/trivy"] diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk index 4beddbf..9f067ae 100644 --- a/src/base/.devcontainer/Mk/check.mk +++ b/src/base/.devcontainer/Mk/check.mk 
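Review bot: The new `/home/vscode/.cargo/bin` entry in the `ENV PATH` line carries no comment explaining why it is there; the reason (binaries produced by `cargo install` in vscode_install.sh, i.e. zizmor) is only discoverable from a different file in this patch. Suggest a line above it such as `# ~/.cargo/bin: tools installed with cargo install in vscode_install.sh (zizmor)`. If the asdf-managed rust install ends up placing or shimming cargo-installed crates elsewhere, this entry would be redundant, which is worth confirming in a built image with `command -v zizmor`.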
@@ -91,3 +91,6 @@ guard-%:
 echo "Environment variable $* not set"; \
 exit 1; \
 fi
+
+zizmor:
+ zizmor .
diff --git a/src/base/.devcontainer/Mk/trivy.mk b/src/base/.devcontainer/Mk/trivy.mk
index cee440c..ab4c136 100644
--- a/src/base/.devcontainer/Mk/trivy.mk
+++ b/src/base/.devcontainer/Mk/trivy.mk
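Review bot: The new `zizmor` target is not declared phony, so a file or directory named `zizmor` at the repository root would make `make zizmor` consider the target up to date and silently skip the workflow scan; `.PHONY: zizmor` next to the rule avoids that (whether the file declares its other targets phony is outside the hunk). Because this appears intended as a CI gate, it is also worth confirming that the exit status `zizmor .` returns on findings is the one the calling job treats as a failure, and documenting that with a one-line comment above the target, e.g. `# Static checks of GitHub Actions workflows; non-zero exit on findings fails the build`.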
@@ -2,97 +2,21 @@ trivy-license-check: echo "Not implemented" -# mkdir -p .trivy_out/ -# @if [ -f poetry.lock ]; then \ -# poetry self add poetry-plugin-export; \ -# poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt; \ -# fi -# @if [ -f src/go.sum ]; then \ -# cd src && go mod vendor; \ -# fi -# VIRTUAL_ENV=./.venv/ trivy fs . \ -# --scanners license \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --pkg-types library \ -# --exit-code 1 \ -# --output .trivy_out/license_scan.txt \ -# --format table -# @if [ -f poetry.lock ]; then rm -f requirements.txt; fi -# @if [ -f src/go.sum ]; then rm -rf src/vendor; fi trivy-generate-sbom: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . \ -# --scanners vuln \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 0 \ -# --output .trivy_out/sbom.cdx.json \ -# --format cyclonedx trivy-scan-python: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . \ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 1 \ -# --skip-files "**/package-lock.json,**/go.mod,**/pom.xml" \ -# --output .trivy_out/dependency_results_python.txt \ -# --format table trivy-scan-node: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . \ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 1 \ -# --skip-files "**/poetry.lock,**/go.mod,**/pom.xml" \ -# --output .trivy_out/dependency_results_node.txt \ -# --format table trivy-scan-go: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . \ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 1 \ -# --skip-files "**/poetry.lock,**/package-lock.json,**/pom.xml" \ -# --output .trivy_out/dependency_results_go.txt \ -# --format table trivy-scan-java: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . 
\ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 1 \ -# --skip-files "**/poetry.lock,**/package-lock.json,**/go.mod" \ -# --output .trivy_out/dependency_results_java.txt \ -# --format table trivy-scan-docker: guard-DOCKER_IMAGE echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy image $${DOCKER_IMAGE} \ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --exit-code 1 \ -# --pkg-types os,library \ -# --output .trivy_out/dependency_results_docker.txt \ -# --format table diff --git a/src/base/.devcontainer/scripts/install_trivy.sh b/src/base/.devcontainer/scripts/install_trivy.sh deleted file mode 100755 index c49ab97..0000000 --- a/src/base/.devcontainer/scripts/install_trivy.sh +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -DEFAULT_INSTALL_DIR="/usr/local/bin" -INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}" -VERSION="${VERSION:-v0.69.3}" -DEFAULT_ARCH="64bit" -ARCH="${ARCH:-$DEFAULT_ARCH}" -RELEASE_NUMBER="${VERSION#v}" -BASE_URL="https://github.com/aquasecurity/trivy/releases/download/${VERSION}" -ARCHIVE="trivy_${RELEASE_NUMBER}_Linux-${ARCH}.tar.gz" -BUNDLE="${ARCHIVE}.sigstore.json" -CERT_IDENTITY="https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/${VERSION}" - -usage() { - cat <<'EOF' -Usage: install_trivy.sh - -Downloads the Trivy archive and its sigstore bundle to a temporary directory, -verifies the sigstore bundle following -https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md, -and installs the trivy binary into INSTALL_DIR (default: /usr/local/bin). - -Environment variables: - INSTALL_DIR Directory to install the trivy binary into (default: /usr/local/bin) - VERSION Trivy version tag to install (default: v0.69.3) - ARCH Architecture suffix used in the download (default: 64bit) -EOF -} - -if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then - usage - exit 0 -fi - -for cmd in curl cosign; do - if ! command -v "$cmd" >/dev/null 2>&1; then - echo "Error: $cmd is required but not found in PATH" >&2 - exit 1 - fi -done - -TMP_DIR="$(mktemp -d)" -trap 'rm -rf "$TMP_DIR"' EXIT - -download() { - local url="${1}" dest="${2}" - echo "Downloading ${dest} ..." 
- curl -fsSL "${url}" -o "${dest}" -} -ARCHIVE_PATH="${TMP_DIR}/${ARCHIVE}" -BUNDLE_PATH="${TMP_DIR}/${BUNDLE}" -download "${BASE_URL}/${ARCHIVE}" "${ARCHIVE_PATH}" -download "${BASE_URL}/${BUNDLE}" "${BUNDLE_PATH}" - - -cosign verify-blob-attestation "${ARCHIVE_PATH}" \ - --bundle "${BUNDLE_PATH}" \ - --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity "${CERT_IDENTITY}" - -echo "Sigstore verification passed" -tar -xzf "${ARCHIVE_PATH}" -C "${TMP_DIR}" - -mkdir -p "$INSTALL_DIR" -install -m 0755 "$TMP_DIR/trivy" "${INSTALL_DIR}/trivy" - -echo "trivy ${VERSION} installed to ${INSTALL_DIR}" diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index b1b66de..0d3c07f 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh @@ -18,12 +18,13 @@ asdf plugin add direnv asdf plugin add actionlint asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git -asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git +asdf plugin add rust https://github.com/asdf-community/asdf-rust.git # install cfn-guard curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh # install base asdf versions of common tools cd /home/vscode -asdf install +RUST_WITHOUT=rust-docs asdf install +cargo install --locked zizmor@1.23.1 diff --git a/src/base/.trivyignore.yaml b/src/base/.trivyignore.yaml deleted file mode 100644 index 8697da6..0000000 --- a/src/base/.trivyignore.yaml +++ /dev/null @@ -1 +0,0 @@ -vulnerabilities: diff --git a/src/base/trivy.yaml b/src/base/trivy.yaml deleted file mode 100644 index 48343ee..0000000 --- a/src/base/trivy.yaml +++ /dev/null 
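Review bot: `cargo install --locked zizmor@1.23.1` compiles the tool from source at image build time, which means the full rust toolchain added to `.tool-versions` in this patch stays in every devcontainer image solely to build one binary, and each image build downloads and compiles the crate graph from crates.io. The pinned version together with `--locked` keeps the dependency set reproducible, since cargo verifies the downloaded crates against the checksums in the crate's lockfile, so the cost here is image size and build time rather than integrity. If the toolchain is not needed for anything else, a prebuilt release artifact verified against a published checksum or signature (the pattern the removed install_trivy.sh followed with cosign) would avoid shipping a compiler in the base image; a short comment above the line stating which of the two trade-offs was chosen would help the next maintainer. The script's shebang and `set` options are outside the hunk, so it is not visible here whether a failed `cargo install` aborts the build.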
@@ -1 +0,0 @@ -ignorefile: "src/base/.trivyignore_combined.yaml" diff --git a/src/base_node/node_24/trivy.yaml b/src/base_node/node_24/trivy.yaml deleted file mode 100644 index 20e8f24..0000000 --- a/src/base_node/node_24/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/base_node/node_24/.trivyignore_combined.yaml" diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml deleted file mode 100644 index 2fa09b9..0000000 --- a/src/common/.trivyignore.yaml +++ /dev/null 
@@ -1,441 +0,0 @@ -vulnerabilities: - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37849 - statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2026-23111 - statement: "kernel: Kernel: Privilege escalation or denial of service in nf_tables via inverted element activity check" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-26 - - id: CVE-2025-61594 - statement: "uri: URI module: Credential exposure via URI + operator" - purls: - - 
"pkg:gem/uri@0.13.0" - expired_at: 2026-08-26 - - id: CVE-2026-26007 - statement: "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves" - purls: - - "pkg:pypi/cryptography@46.0.3" - expired_at: 2026-08-12 - - id: CVE-2024-49761 - statement: "rexml: REXML ReDoS vulnerability" - purls: - - "pkg:gem/rexml@3.2.6" - expired_at: 2026-08-12 - - id: CVE-2025-68121 - statement: "During session resumption in crypto/tls, if the underlying Config has ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-61726 - statement: "golang: net/url: Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-61728 - statement: "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-61730 - statement: "During the TLS 1.3 handshake if multiple messages are sent in records ..." 
- purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-47907 - statement: "database/sql: Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-08-12 - - id: CVE-2025-58183 - statement: "golang: archive/tar: Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-08-12 - - id: CVE-2025-61729 - statement: "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-08-12 - - id: CVE-2023-24538 - statement: "golang: html/template: backticks not treated as string delimiters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24540 - statement: "golang: html/template: improper handling of JavaScript whitespace" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2024-24790 - statement: "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-24675 - statement: "golang: encoding/pem: fix stack overflow in Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-27664 - statement: "golang: net/http: handle server errors after sending GOAWAY" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-28131 - statement: "golang: encoding/xml: stack exhaustion in Decoder.Skip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-28327 - statement: 
"golang: crypto/elliptic: panic caused by oversized scalar" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-2879 - statement: "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-2880 - statement: "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-29804 - statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30580 - statement: "golang: os/exec: Code injection in Cmd.Start" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30630 - statement: "golang: io/fs: stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30631 - statement: "golang: compress/gzip: stack exhaustion in Reader.Read" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30632 - statement: "golang: path/filepath: stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30633 - statement: "golang: encoding/xml: stack exhaustion in Unmarshal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30634 - statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30635 - statement: "golang: encoding/gob: stack exhaustion in Decoder.Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-32189 - statement: "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" - purls: - - "pkg:golang/stdlib@v1.16.15" - 
expired_at: 2026-08-12 - - id: CVE-2022-41715 - statement: "golang: regexp/syntax: limit memory used by parsing regexps" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41716 - statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41720 - statement: "golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41722 - statement: "golang: path/filepath: path-filepath filepath.Clean path traversal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41723 - statement: "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41724 - statement: "golang: crypto/tls: large handshake records may cause panics" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41725 - statement: "golang: net/http, mime/multipart: denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24534 - statement: "golang: net/http, net/textproto: denial of service from excessive memory allocation" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24536 - statement: "golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24537 - statement: "golang: go/parser: Infinite loop in parsing" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24539 - statement: "golang: html/template: improper sanitization of CSS values" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-29400 - statement: 
"golang: html/template: improper handling of empty HTML attributes" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-29403 - statement: "golang: runtime: unexpected behavior of setuid/setgid binaries" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-39325 - statement: "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-45283 - statement: "The filepath package does not recognize paths with a \\??\\ prefix as sp ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-45287 - statement: "golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-45288 - statement: "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2024-34156 - statement: "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2024-25621 - statement: "github.com/containerd/containerd: containerd local privilege escalation" - purls: - - "pkg:golang/github.com/containerd/containerd/v2@v2.1.4" - expired_at: 2026-08-12 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37849 - statement: "kernel: KVM: arm64: Tear down vGIC on 
failed vCPU creation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-68121 - statement: "crypto/tls: Unexpected session resumption in crypto/tls" - purls: - - "pkg:golang/stdlib@v1.25.6" - expired_at: 2026-08-13 - - id: CVE-2025-15558 - statement: "docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries" - purls: - - "pkg:golang/github.com/docker/cli@v28.5.1%2Bincompatible" - - "pkg:golang/github.com/docker/cli@v29.0.3%2Bincompatible" - - "pkg:golang/github.com/docker/cli@v29.1.1%2Bincompatible" - expired_at: 2026-09-09 - - id: CVE-2026-24051 - statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking" - purls: - - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.36.0" - expired_at: 2026-09-09 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2025-37899 - statement: "kernel: 
ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2026-25679 - statement: "url.Parse insufficiently validated the host/authority component and ac ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - - "pkg:golang/stdlib@v1.25.7" - - "pkg:golang/stdlib@v1.26.0" - expired_at: 2026-09-11 - - id: CVE-2026-27142 - statement: "Actions which insert URLs into the content attribute of HTML meta tags ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - - "pkg:golang/stdlib@v1.25.7" - - "pkg:golang/stdlib@v1.26.0" - expired_at: 2026-09-11 - - id: CVE-2026-27137 - statement: "When verifying a certificate chain which contains a certificate contai ..." 
- purls: - - "pkg:golang/stdlib@v1.26.0" - expired_at: 2026-09-11 - - id: CVE-2026-24051 - statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking" - purls: - - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0" - expired_at: 2026-09-16 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04" - 
expired_at: 2026-09-16 - - id: CVE-2026-33186 - statement: "gRPC-Go has an authorization bypass via missing leading slash in :path" - purls: - - "pkg:golang/google.golang.org/grpc@v1.74.2" - - "pkg:golang/google.golang.org/grpc@v1.78.0" - - "pkg:golang/google.golang.org/grpc@v1.79.2" - expired_at: 2026-09-20 diff --git a/src/languages/node_24_python_3_10/.trivyignore.yaml b/src/languages/node_24_python_3_10/.trivyignore.yaml deleted file mode 100644 index dfaba04..0000000 --- a/src/languages/node_24_python_3_10/.trivyignore.yaml +++ /dev/null @@ -1,16 +0,0 @@ -vulnerabilities: - - id: CVE-2022-40897 - statement: "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-08-12 - - id: CVE-2024-6345 - statement: "pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-08-12 - - id: CVE-2025-47273 - statement: "setuptools: Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-08-12 diff --git a/src/languages/node_24_python_3_10/trivy.yaml b/src/languages/node_24_python_3_10/trivy.yaml deleted file mode 100644 index 549851b..0000000 --- a/src/languages/node_24_python_3_10/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/languages/node_24_python_3_10/.trivyignore_combined.yaml" diff --git a/src/languages/node_24_python_3_12/.trivyignore.yaml b/src/languages/node_24_python_3_12/.trivyignore.yaml deleted file mode 100644 index 8697da6..0000000 --- a/src/languages/node_24_python_3_12/.trivyignore.yaml +++ /dev/null @@ -1 +0,0 @@ -vulnerabilities: diff --git a/src/languages/node_24_python_3_12/trivy.yaml b/src/languages/node_24_python_3_12/trivy.yaml deleted file mode 100644 index 48cfe23..0000000 --- a/src/languages/node_24_python_3_12/trivy.yaml +++ /dev/null 
@@ -1 +0,0 @@ -ignorefile: "src/languages/node_24_python_3_12/.trivyignore_combined.yaml" diff --git a/src/languages/node_24_python_3_13/.trivyignore.yaml b/src/languages/node_24_python_3_13/.trivyignore.yaml deleted file mode 100644 index 8697da6..0000000 --- a/src/languages/node_24_python_3_13/.trivyignore.yaml +++ /dev/null @@ -1 +0,0 @@ -vulnerabilities: diff --git a/src/languages/node_24_python_3_13/trivy.yaml b/src/languages/node_24_python_3_13/trivy.yaml deleted file mode 100644 index 6af84d8..0000000 --- a/src/languages/node_24_python_3_13/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/languages/node_24_python_3_13/.trivyignore_combined.yaml" diff --git a/src/languages/node_24_python_3_14/.trivyignore.yaml b/src/languages/node_24_python_3_14/.trivyignore.yaml deleted file mode 100644 index 8799951..0000000 --- a/src/languages/node_24_python_3_14/.trivyignore.yaml +++ /dev/null @@ -1,11 +0,0 @@ -vulnerabilities: - - id: CVE-2026-23949 - statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives" - purls: - - "pkg:pypi/jaraco.context@5.3.0" - expired_at: 2026-08-12 - - id: CVE-2026-24049 - statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking" - purls: - - "pkg:pypi/wheel@0.45.1" - expired_at: 2026-08-12 diff --git a/src/languages/node_24_python_3_14/trivy.yaml b/src/languages/node_24_python_3_14/trivy.yaml deleted file mode 100644 index e786be4..0000000 --- a/src/languages/node_24_python_3_14/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/languages/node_24_python_3_14/.trivyignore_combined.yaml" diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml deleted file mode 100644 index 6fa00f4..0000000 --- a/src/projects/eps-storage-terraform/.trivyignore.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -vulnerabilities: - - id: CVE-2022-25235 - statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2026-25547 - statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-08-12 - - id: CVE-2025-64756 - statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - - "pkg:npm/glob@11.0.3" - expired_at: 2026-08-12 - - id: CVE-2026-23745 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-23950 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 
2026-08-12 - - id: CVE-2022-25235 - statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-13 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-13 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-13 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-13 - - id: CVE-2022-25235 - statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-25235 - 
statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2026-24051 - statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking" - purls: - - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0" - expired_at: 2026-09-10 - - id: CVE-2026-33186 - statement: "gRPC-Go has an authorization bypass via missing leading slash in :path" - purls: - - "pkg:golang/google.golang.org/grpc@v1.69.4" - expired_at: 2026-09-20 diff --git a/src/projects/eps-storage-terraform/trivy.yaml b/src/projects/eps-storage-terraform/trivy.yaml deleted file mode 100644 index 06fd4b7..0000000 --- a/src/projects/eps-storage-terraform/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/projects/eps-storage-terraform/.trivyignore_combined.yaml" diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml deleted file mode 100644 index 3c4b5c4..0000000 --- a/src/projects/fhir_facade_api/.trivyignore.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -vulnerabilities: - - id: CVE-2022-25235 - statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2026-25547 - statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-08-12 - - id: CVE-2025-64756 - statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - - "pkg:npm/glob@11.0.3" - expired_at: 2026-08-12 - - id: CVE-2026-23745 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 
2026-08-12 - - id: CVE-2026-23950 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 diff --git a/src/projects/fhir_facade_api/trivy.yaml b/src/projects/fhir_facade_api/trivy.yaml deleted file mode 100644 index 1d8a75c..0000000 --- a/src/projects/fhir_facade_api/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/projects/fhir_facade_api/.trivyignore_combined.yaml" diff --git a/src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml b/src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml deleted file mode 100644 index 93088a1..0000000 --- a/src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml +++ /dev/null @@ -1,21 +0,0 @@ -vulnerabilities: - - id: CVE-2026-23949 - statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives" - purls: - - "pkg:pypi/jaraco.context@5.3.0" - expired_at: 2026-08-12 - - id: CVE-2026-24049 - statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking" - purls: - - "pkg:pypi/wheel@0.45.1" - expired_at: 2026-08-12 - - id: CVE-2026-25679 - statement: "url.Parse insufficiently validated the host/authority component and ac ..." - purls: - - "pkg:golang/stdlib@v1.24.13" - expired_at: 2026-09-11 - - id: CVE-2026-27142 - statement: "Actions which insert URLs into the content attribute of HTML meta tags ..." - purls: - - "pkg:golang/stdlib@v1.24.13" - expired_at: 2026-09-11 diff --git a/src/projects/node_24_python_3_14_golang_1_24/trivy.yaml b/src/projects/node_24_python_3_14_golang_1_24/trivy.yaml deleted file mode 100644 index 1af5385..0000000 --- a/src/projects/node_24_python_3_14_golang_1_24/trivy.yaml +++ /dev/null 
@@ -1 +0,0 @@ -ignorefile: "src/projects/node_24_python_3_14_golang_1_24/.trivyignore_combined.yaml" diff --git a/src/projects/node_24_python_3_14_java_24/.trivyignore.yaml b/src/projects/node_24_python_3_14_java_24/.trivyignore.yaml deleted file mode 100644 index 8799951..0000000 --- a/src/projects/node_24_python_3_14_java_24/.trivyignore.yaml +++ /dev/null @@ -1,11 +0,0 @@ -vulnerabilities: - - id: CVE-2026-23949 - statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives" - purls: - - "pkg:pypi/jaraco.context@5.3.0" - expired_at: 2026-08-12 - - id: CVE-2026-24049 - statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking" - purls: - - "pkg:pypi/wheel@0.45.1" - expired_at: 2026-08-12 diff --git a/src/projects/node_24_python_3_14_java_24/trivy.yaml b/src/projects/node_24_python_3_14_java_24/trivy.yaml deleted file mode 100644 index b4277c5..0000000 --- a/src/projects/node_24_python_3_14_java_24/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/projects/node_24_python_3_14_java_24/.trivyignore_combined.yaml" diff --git a/src/projects/regression_tests/.trivyignore.yaml b/src/projects/regression_tests/.trivyignore.yaml deleted file mode 100644 index 6abd994..0000000 --- a/src/projects/regression_tests/.trivyignore.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -vulnerabilities: - - id: GHSA-72hv-8253-57qq - statement: "jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition" - purls: - - "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.0" - expired_at: 2026-09-12 - - id: CVE-2026-25547 - statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-09-12 - - id: CVE-2025-64756 - statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - - "pkg:npm/glob@11.0.3" - expired_at: 2026-09-12 - - id: CVE-2026-26996 - statement: "minimatch: minimatch: Denial of Service via specially crafted glob patterns" - purls: - - "pkg:npm/minimatch@10.0.3" - - "pkg:npm/minimatch@9.0.5" - expired_at: 2026-09-12 - - id: CVE-2026-27903 - statement: "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns" - purls: - - "pkg:npm/minimatch@10.0.3" - - "pkg:npm/minimatch@9.0.5" - expired_at: 2026-09-12 - - id: CVE-2026-27904 - statement: "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions" - purls: - - "pkg:npm/minimatch@10.0.3" - - "pkg:npm/minimatch@9.0.5" - expired_at: 2026-09-12 - - id: CVE-2026-23745 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-23950 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-26960 - statement: "tar: node-tar: node-tar: 
Arbitrary file read/write via malicious archive hardlink creation" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-29786 - statement: "node-tar: hardlink path traversal via drive-relative linkpath" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-31802 - statement: "node-tar Symlink Path Traversal via Drive-Relative Linkpath" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-25679 - statement: "url.Parse insufficiently validated the host/authority component and ac ..." - purls: - - "pkg:golang/stdlib@v1.25.6" - expired_at: 2026-09-12 - - id: CVE-2026-27142 - statement: "Actions which insert URLs into the content attribute of HTML meta tags ..." - purls: - - "pkg:golang/stdlib@v1.25.6" - expired_at: 2026-09-12 diff --git a/src/projects/regression_tests/trivy.yaml b/src/projects/regression_tests/trivy.yaml deleted file mode 100644 index 3d3a40c..0000000 --- a/src/projects/regression_tests/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/projects/regression_tests/.trivyignore_combined.yaml" diff --git a/trivy.yaml b/trivy.yaml deleted file mode 100644 index eb24337..0000000 --- a/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: ".trivyignore.yaml" From 2e3d943d2c620ca9b3c6d6cdf1596f9264ee5276 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 26 Mar 2026 10:13:59 +0000 Subject: [PATCH 02/29] fix Makefile --- src/base/.devcontainer/Mk/check.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk index 9f067ae..679bc4b 100644 --- a/src/base/.devcontainer/Mk/check.mk +++ b/src/base/.devcontainer/Mk/check.mk 
@@ -1,4 +1,4 @@ -.PHONY: lint test shellcheck cfn-lint cdk-synth cfn-guard-sam-templates cfn-guard-cloudformation cfn-guard-cdk cfn-guard-terraform +.PHONY: lint test shellcheck cfn-lint cdk-synth cfn-guard-sam-templates cfn-guard-cloudformation cfn-guard-cdk cfn-guard-terraform zizmor lint: echo "Not implemented" exit 1 From 3afa9b6a7bffd5d7c6ba69dc61f40778d70c8d74 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 26 Mar 2026 10:22:25 +0000 Subject: [PATCH 03/29] install zizmor using pypi --- src/base/.devcontainer/.tool-versions | 1 - src/base/.devcontainer/scripts/vscode_install.sh | 3 +-- .../.devcontainer/scripts/vscode_install.sh | 1 + .../.devcontainer/scripts/vscode_install.sh | 3 ++- .../.devcontainer/scripts/vscode_install.sh | 3 ++- .../.devcontainer/scripts/vscode_install.sh | 3 ++- 6 files changed, 8 insertions(+), 6 deletions(-) diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions index 198f81c..7aaf5f8 100644 --- a/src/base/.devcontainer/.tool-versions +++ b/src/base/.devcontainer/.tool-versions @@ -3,4 +3,3 @@ direnv 2.37.1 actionlint 1.7.11 ruby 3.3.0 yq 4.52.4 -rust 1.94.0 diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index 0d3c07f..b0b4fb1 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh @@ -26,5 +26,4 @@ curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloud # install base asdf versions of common tools cd /home/vscode -RUST_WITHOUT=rust-docs asdf install -cargo install --locked zizmor@1.23.1 +asdf install diff --git a/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh index f13cedf..ee2a7a3 100755 --- a/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh 
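Review bot: After this hunk the base image no longer installs zizmor (the `cargo install --locked zizmor@1.23.1` line is dropped and only `asdf install` remains), yet the `zizmor` target added to the base `check.mk` in the preceding patch presumably still expects the binary on PATH; the other hunks in this patch install it only into the python language images, so `make zizmor` in a container built from base alone would likely fail with command-not-found. If that split is intended, a comment above `asdf install` such as `# zizmor is installed per language image via pip, not in base` would make it explicit for the next maintainer. The enclosing script continues outside the hunk.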
+++ b/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh @@ -6,3 +6,4 @@ asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git asdf install python asdf install +pip install --user zizmor@1.23.1 diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh index 2ef142b..d4f04f2 100755 --- a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh @@ -8,4 +8,5 @@ asdf install python asdf install # install cfn-lint -pip install --user cfn-lint +pip install --user cfn-lint@1.47.1 +pip install --user zizmor@1.23.1 diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh index 2ef142b..d4f04f2 100755 --- a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh @@ -8,4 +8,5 @@ asdf install python asdf install # install cfn-lint -pip install --user cfn-lint +pip install --user cfn-lint@1.47.1 +pip install --user zizmor@1.23.1 diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh index 2ef142b..d4f04f2 100755 --- a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh @@ -8,4 +8,5 @@ asdf install python asdf install # install cfn-lint -pip install --user cfn-lint +pip install --user cfn-lint@1.47.1 +pip install --user zizmor@1.23.1 From 07b4ad21d0c2100f4cadd5dc5d76fcae367990a7 Mon Sep 17 00:00:00 2001 
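Review bot: `pip install --user zizmor@1.23.1` is not a version pin: in pip's requirement grammar `name @ …` introduces a direct URL reference, so `1.23.1` is parsed as a URL and pip should reject the line as an invalid requirement rather than install 1.23.1; the pin should be `pip install --user zizmor==1.23.1`. The same `@` form is used for `cfn-lint@1.47.1` and `zizmor@1.23.1` in the 3_12, 3_13 and 3_14 hunks of this patch. The later "use requirements file" patch in this series switches to `==`, which suggests this intermediate commit does not build cleanly on its own.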
From: Anthony Brown Date: Thu, 26 Mar 2026 11:37:13 +0000 Subject: [PATCH 04/29] use requirements file --- src/common_node_24/Dockerfile | 2 ++ .../.devcontainer/scripts/requirements-user.txt | 1 + .../.devcontainer/scripts/vscode_install.sh | 4 +++- .../.devcontainer/scripts/requirements-user.txt | 2 ++ .../.devcontainer/scripts/vscode_install.sh | 5 ++--- .../.devcontainer/scripts/requirements-user.txt | 2 ++ .../.devcontainer/scripts/vscode_install.sh | 5 ++--- .../.devcontainer/scripts/requirements-user.txt | 2 ++ .../.devcontainer/scripts/vscode_install.sh | 5 ++--- 9 files changed, 18 insertions(+), 10 deletions(-) create mode 100644 src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt create mode 100644 src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt create mode 100644 src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt create mode 100644 src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt diff --git a/src/common_node_24/Dockerfile b/src/common_node_24/Dockerfile index 9227065..7e3aa83 100644 --- a/src/common_node_24/Dockerfile +++ b/src/common_node_24/Dockerfile @@ -21,6 +21,8 @@ WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./root_install.sh COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh +# use glob pattern to copy requirements-user.txt if it exists, to avoid build failure if it doesn't +COPY scripts/requirements-user.tx[t] ${SCRIPTS_DIR}/${CONTAINER_NAME}/requirements-user.txt USER vscode WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} diff --git a/src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt b/src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt new file mode 100644 index 0000000..37e7b2f --- /dev/null +++ b/src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt @@ -0,0 +1 @@ +zizmor==1.23.1 
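Review bot: The `COPY scripts/requirements-user.tx[t] …` trick only behaves as the comment promises under BuildKit, whose Dockerfile frontend tolerates a wildcard COPY that matches nothing; I believe the legacy builder rejects it with "no source files were specified", so the comment should name that dependency, e.g. `# BuildKit only: an unmatched wildcard COPY is a no-op (legacy builder errors); copies requirements-user.txt when the image ships one`. The build invocation that selects the builder is outside this hunk.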
diff --git a/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh index ee2a7a3..a82f26f 100755 --- a/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh @@ -1,9 +1,11 @@ #!/usr/bin/env bash set -e +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) asdf plugin add python asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git asdf install python asdf install -pip install --user zizmor@1.23.1 + +pip install --user -r "${SCRIPT_DIR}/requirements-user.txt" diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt b/src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt new file mode 100644 index 0000000..ac96856 --- /dev/null +++ b/src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt @@ -0,0 +1,2 @@ +zizmor==1.23.1 +cfn-lint==1.47.1 diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh index d4f04f2..a82f26f 100755 --- a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -e +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) asdf plugin add python asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git @@ -7,6 +8,4 @@ asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git asdf install python asdf install -# install cfn-lint -pip install --user cfn-lint@1.47.1 -pip install --user zizmor@1.23.1 +pip install --user -r "${SCRIPT_DIR}/requirements-user.txt" 
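Review bot: `pip install --user -r "${SCRIPT_DIR}/requirements-user.txt"` pins versions only, so an artifact republished under the same version or served by a compromised index installs unchallenged; now that the requirements files are small and explicit, adding `--hash=sha256:<hash placeholder>` entries and passing `--require-hashes` would tie the install to known artifacts. The same line appears in the 3_12, 3_13 and 3_14 hunks of this patch. Note that `--require-hashes` also requires every transitive dependency to be listed with a hash, so the file becomes a generated lockfile rather than a hand-written list.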
diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt b/src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt new file mode 100644 index 0000000..ac96856 --- /dev/null +++ b/src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt @@ -0,0 +1,2 @@ +zizmor==1.23.1 +cfn-lint==1.47.1 diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh index d4f04f2..a82f26f 100755 --- a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -e +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) asdf plugin add python asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git @@ -7,6 +8,4 @@ asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git asdf install python asdf install -# install cfn-lint -pip install --user cfn-lint@1.47.1 -pip install --user zizmor@1.23.1 +pip install --user -r "${SCRIPT_DIR}/requirements-user.txt" diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt b/src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt new file mode 100644 index 0000000..ac96856 --- /dev/null +++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt @@ -0,0 +1,2 @@ +zizmor==1.23.1 +cfn-lint==1.47.1 diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh index d4f04f2..a82f26f 100755 --- a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh +++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh 
@@ -1,5 +1,6 @@ #!/usr/bin/env bash set -e +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) asdf plugin add python asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git @@ -7,6 +8,4 @@ asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git asdf install python asdf install -# install cfn-lint -pip install --user cfn-lint@1.47.1 -pip install --user zizmor@1.23.1 +pip install --user -r "${SCRIPT_DIR}/requirements-user.txt" From 3410a721f13d13d365d7a4091cc710038b2a1b99 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 26 Mar 2026 11:47:20 +0000 Subject: [PATCH 05/29] update following feedback --- README.md | 4 ++-- src/base/.devcontainer/scripts/vscode_install.sh | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c19dd83..2286fab 100644 --- a/README.md +++ b/README.md @@ -46,8 +46,8 @@ asdf install and setup for these so they are available globally as vscode user - ruby (for GitHub Pages) - yq -Install and setup git-secrets -Install [zizmor](https://github.com/zizmorcore/zizmor) +Install and setup git-secrets. +Install [zizmor](https://github.com/zizmorcore/zizmor). # Using the images ## Project setup diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index b0b4fb1..e14f35a 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh @@ -19,7 +19,6 @@ asdf plugin add actionlint asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git -asdf plugin add rust https://github.com/asdf-community/asdf-rust.git # install cfn-guard curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh 
From cd72fa6354f5dced1e8b1cfbebb3daceb496b5ae Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 26 Mar 2026 12:50:45 +0000 Subject: [PATCH 06/29] use later java --- src/projects/fhir_facade_api/.devcontainer/.tool-versions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/projects/fhir_facade_api/.devcontainer/.tool-versions b/src/projects/fhir_facade_api/.devcontainer/.tool-versions index af19266..2675179 100644 --- a/src/projects/fhir_facade_api/.devcontainer/.tool-versions +++ b/src/projects/fhir_facade_api/.devcontainer/.tool-versions @@ -1 +1 @@ -java openjdk-20 +java openjdk-20.0.2 From 8c2f0a06307aabe6478624877e5630e338d9cf16 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Thu, 26 Mar 2026 13:15:59 +0000 Subject: [PATCH 07/29] add description of zizmor target --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2286fab..1f6183e 100644 --- a/README.md +++ b/README.md @@ -177,6 +177,7 @@ Check targets (`check.mk`) - `actionlint` - runs actionlint against GitHub Actions - `secret-scan` - runs git-secrets (including scanning history) against the repository - `guard-` - checks if an environment variable is set and errors if it is not +- `zizmor` runs [zizmor](https://github.com/zizmorcore/zizmor) in the local directory to check github workflows and actions Credentials targets (`credentials.mk`) - `aws-configure` - configures an AWS SSO session From 5dbf583cd767e5ab484dfd82ffa3b8d3ad427f1a Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Thu, 26 Mar 2026 14:57:28 +0000 Subject: [PATCH 08/29] add syft and grype --- .github/workflows/build_multi_arch_image.yml | 55 ++++++------ Makefile | 19 +++- src/base/.devcontainer/Dockerfile | 5 ++ src/base/.devcontainer/Dockerfile.grype | 16 ++++ src/base/.devcontainer/Dockerfile.syft | 16 ++++ .../scripts/install_anchore_tool.sh | 90 +++++++++++++++++++ 6 files changed, 170 insertions(+), 31 deletions(-) create mode 100644 src/base/.devcontainer/Dockerfile.grype create mode 100644 src/base/.devcontainer/Dockerfile.syft create mode 100755 src/base/.devcontainer/scripts/install_anchore_tool.sh diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 269408f..ed4fdc7 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -67,7 +67,12 @@ jobs: uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f with: node-version: '24.14.0' - + - name: setup syft and grype + run: | + mkdir -p "$RUNNER_TEMP/bin" + docker build --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.syft" src/base/.devcontainer/ + docker build --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.grype" src/base/.devcontainer/ + echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH" - name: make install run: | make install-node 
@@ -92,32 +97,28 @@ jobs: CONTAINER_NAME: '${{ inputs.container_name }}' BASE_FOLDER: "${{ inputs.base_folder }}" IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" - EXIT_CODE: 0 - EXTRA_COMMON: "${{ inputs.extra_common }}" - # - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f - # name: Upload scan results - # with: - # name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json" - # path: .out/scan_results_docker.json - # - name: Check docker vulnerabilities - table output - # run: | - # make scan-image - # env: - # CONTAINER_NAME: '${{ inputs.container_name }}' - # BASE_FOLDER: "${{ inputs.base_folder }}" - # IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" - # EXIT_CODE: "1" - # EXTRA_COMMON: "${{ inputs.extra_common }}" - # - name: Show docker vulnerability output - # if: always() - # run: | - # echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" - # if [ -f .out/scan_results_docker.txt ]; then - # cat .out/scan_results_docker.txt - # fi - # env: - # ARCHITECTURE: '${{ matrix.arch }}' - # DOCKER_TAG: '${{ inputs.docker_tag }}' + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + name: Upload scan results + with: + name: "grype_${{ inputs.container_name }}_${{ matrix.arch }}.json" + path: .grype_out/grype_${{ inputs.container_name }}_${{ matrix.arch }}.json + - name: Check docker vulnerabilities - text output + run: | + make scan-image + env: + CONTAINER_NAME: '${{ inputs.container_name }}' + BASE_FOLDER: "${{ inputs.base_folder }}" + IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" + - name: Show docker vulnerability output + if: always() + run: | + echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" + if [ -f .out/scan_results_docker.txt ]; then + cat .out/scan_results_docker.txt + fi + env: + ARCHITECTURE: '${{ matrix.arch }}' + DOCKER_TAG: '${{ inputs.docker_tag }}' - name: Push tagged 
image and rebuild for github actions run: | echo "Pushing image..." diff --git a/Makefile b/Makefile index a316f6c..7d340fb 100644 --- a/Makefile +++ b/Makefile @@ -64,7 +64,12 @@ build-all: build-base-image build-node-24-image build-node-24-python-3-10-image build-eps-storage-terraform-image build-eps-data-extract-image build-fhir-facade-image build-node-24-python-3-14-golang-1-24-image build-node-24-python-3-14-java-24-image \ build-regression-tests-image -build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG +build-syft: + docker build -f src/base/.devcontainer/Dockerfile.syft --tag local_syft src/base/.devcontainer/ +build-grype: + docker build -f src/base/.devcontainer/Dockerfile.grype --tag local_grype src/base/.devcontainer/ + +build-image: build-syft build-grype guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG npx devcontainer build \ --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ $(NO_CACHE_FLAG) \ @@ -83,11 +88,17 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG -t "${CONTAINER_PREFIX}$${BASE_IMAGE_NAME}:githubactions-$${IMAGE_TAG}" \ . -scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER - echo "Not implemented" +scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG + grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ + --scope all-layers \ + --sort-by severity scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG - echo "Not implemented" + grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ + --scope all-layers \ + --output json \ + --file ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.json" \ + --sort-by severity shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG docker run -it \ diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 695595f..efdc18f 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
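Review bot: The `Upload scan results` step looks for `.grype_out/grype_<container_name>_<arch>.json`, but the Makefile's `scan-image-json` target writes `.grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.json` and this job sets `IMAGE_TAG` to `<docker_tag>-<arch>`, so the artifact path will not match the file grype writes (assuming the preceding step, whose `run:` is outside the hunk, calls that target). Either pass the same name through, `path: .grype_out/grype_${{ inputs.container_name }}_${{ inputs.docker_tag }}-${{ matrix.arch }}.json`, or introduce one `GRYPE_OUTPUT` variable that both the Makefile and the workflow read. Separately, the `Show docker vulnerability output` step still cats `.out/scan_results_docker.txt`, which the new `scan-image` target never writes (grype prints to stdout), so that step is dead as written and should be removed or `scan-image` should tee into that file.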
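Review bot: `build-syft` and `build-grype` build `local_syft`/`local_grype` for the host platform with no `--platform`, and `build-image` then consumes them via `FROM local_syft` in the base Dockerfile; if the devcontainer build is ever run for a foreign architecture (the per-arch matrix in the workflow suggests it might be), the copied binary would be the host's, not the target's. This is fine as long as each architecture builds on a native runner, but that assumption should be written down next to the targets, e.g. `# tool images are built for the host arch: build-image must run on a native runner for the target arch`. The `build-image` recipe continues outside the hunk.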
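Review bot: The new `scan-image` recipe runs grype without `--fail-on`, so the target exits 0 whatever it finds and the workflow step that calls it can never fail the build; the trivy version it replaces carried an `EXIT_CODE` variable for exactly this purpose. Adding `--fail-on high` (or a `GRYPE_FAIL_ON ?= high` variable) to `scan-image` restores the gate. `scan-image-json` writes into `.grype_out/` without creating it, which may fail on a fresh checkout if grype does not create parent directories, and it mixes make-level `${CONTAINER_NAME}` in the `--file` argument with shell-level `$${CONTAINER_NAME}` in the image name; add `mkdir -p .grype_out` before the grype call and use one expansion form.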
@@ -1,3 +1,5 @@ +FROM local_syft AS syft-build +FROM local_grype AS grype-build FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 ARG SCRIPTS_DIR=/usr/local/share/eps @@ -16,6 +18,9 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./root_install.sh +COPY --from=syft-build /syft /usr/local/bin/syft +COPY --from=grype-build /grype /usr/local/bin/grype + COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh USER vscode COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf diff --git a/src/base/.devcontainer/Dockerfile.grype b/src/base/.devcontainer/Dockerfile.grype new file mode 100644 index 0000000..a502379 --- /dev/null +++ b/src/base/.devcontainer/Dockerfile.grype @@ -0,0 +1,16 @@ +FROM alpine:3.23.3 AS build +ARG TARGETARCH +ARG GRYPE_VERSION="0.110.0" +ENV GRYPE_VERSION=${GRYPE_VERSION} +RUN apk add --no-cache cosign bash curl jq +COPY --chmod=755 scripts/install_anchore_tool.sh /tmp/install_anchore_tool.sh +RUN case "${TARGETARCH}" in \ + x86_64|amd64) ANCHORE_ARCH=amd64 ;; \ + aarch64|arm64) ANCHORE_ARCH=arm64 ;; \ + *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ + esac \ + && INSTALL_DIR=/tmp/anchore/ TOOL=grype ARCH="${ANCHORE_ARCH}" VERSION="${GRYPE_VERSION}" /tmp/install_anchore_tool.sh + +FROM scratch +COPY --from=build /tmp/anchore/grype /grype +ENTRYPOINT ["/grype"] diff --git a/src/base/.devcontainer/Dockerfile.syft b/src/base/.devcontainer/Dockerfile.syft new file mode 100644 index 0000000..7ad118f --- /dev/null +++ b/src/base/.devcontainer/Dockerfile.syft 
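Review bot: `FROM local_syft AS syft-build` and `FROM local_grype AS grype-build` pull unqualified, unpinned local tags, so the base image silently inherits whatever image happens to carry that tag on the build host (a stale build, or one from another checkout) and the Dockerfile can no longer be built standalone. Making the reference an argument, `ARG SYFT_IMAGE=local_syft` followed by `FROM ${SYFT_IMAGE} AS syft-build` (and likewise for grype), keeps the local workflow while letting CI pass a digest-pinned reference, and a comment above the stages should state that `make build-syft build-grype` must run first. The `grant-build` stage added later on this page has the same shape.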
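Review bot: `RUN apk add --no-cache cosign bash curl jq` installs the signature verifier itself from an unpinned package set, so the trust chain for the pinned `GRYPE_VERSION` starts from whichever `cosign` alpine ships that day; pin the packages (`cosign=<version>-r<n>`, same for `bash` and `curl`) or document why pinning is deferred. `jq` is not used by `install_anchore_tool.sh` and can be dropped, and `ENV GRYPE_VERSION=${GRYPE_VERSION}` is redundant because the value is only read in this stage's `RUN`, where the `ARG` is already visible. `INSTALL_DIR=/tmp/anchore/` with the trailing slash produces a `/tmp/anchore//grype` path, harmless but worth normalising. `Dockerfile.syft` and `Dockerfile.grant` on this page share all of these points.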
@@ -0,0 +1,16 @@
+FROM alpine:3.23.3 AS build
+ARG TARGETARCH
+ARG SYFT_VERSION="1.42.3"
+ENV SYFT_VERSION=${SYFT_VERSION}
+RUN apk add --no-cache cosign bash curl jq
+COPY --chmod=755 scripts/install_anchore_tool.sh /tmp/install_anchore_tool.sh
+RUN case "${TARGETARCH}" in \
+ x86_64|amd64) ANCHORE_ARCH=amd64 ;; \
+ aarch64|arm64) ANCHORE_ARCH=arm64 ;; \
+ *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+ esac \
+ && INSTALL_DIR=/tmp/anchore/ TOOL=syft ARCH="${ANCHORE_ARCH}" VERSION="${SYFT_VERSION}" /tmp/install_anchore_tool.sh
+
+FROM scratch
+COPY --from=build /tmp/anchore/syft /syft
+ENTRYPOINT ["/syft"]
diff --git a/src/base/.devcontainer/scripts/install_anchore_tool.sh b/src/base/.devcontainer/scripts/install_anchore_tool.sh
new file mode 100755
index 0000000..511fff1
--- /dev/null
+++ b/src/base/.devcontainer/scripts/install_anchore_tool.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DEFAULT_INSTALL_DIR="/usr/local/bin"
+INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
+BASE_URL="https://github.com/anchore/${TOOL}/releases/download/v${VERSION}"
+ARCHIVE="${TOOL}_${VERSION}_linux_${ARCH}.tar.gz"
+CHECKSUMS="${TOOL}_${VERSION}_checksums.txt"
+CHECKSUMS_PEM="${TOOL}_${VERSION}_checksums.txt.pem"
+CHECKSUMS_SIG="${TOOL}_${VERSION}_checksums.txt.sig"
+
+if [ -z "$TOOL" ]
+then
+ echo "\$TOOL is NULL"
+fi
+if [ -z "$ARCH" ]
+then
+ echo "\$ARCH is NULL"
+fi
+if [ -z "$VERSION" ]
+then
+ echo "\$VERSION is NULL"
+fi
+
+usage() {
+ cat <<'EOF'
+Usage: install_anchore_tool.sh
+
+Downloads an Anchore tool (syft or grype) archive and its sigstore bundle to a temporary directory,
+verifies the sigstore bundle following
+https://oss.anchore.com/docs/installation/verification/,
+and installs the Anchore tool binary into INSTALL_DIR (default: /usr/local/bin).
+
+Environment variables:
+ INSTALL_DIR Directory to install the Anchore tool binary into (default: /usr/local/bin)
+ VERSION Anchore tool version tag to install
+ ARCH Architecture suffix used in the download
+ TOOL Anchore tool name, either "syft" or "grype"
+EOF
+}
+
+if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+ usage
+ exit 0
+fi
+
+for cmd in curl cosign; do
+ if ! command -v "$cmd" >/dev/null 2>&1; then
+ echo "Error: $cmd is required but not found in PATH" >&2
+ exit 1
+ fi
+done
+
+TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+download() {
+ local url="${1}" dest="${2}"
+ echo "Downloading ${dest} from ${url} ..."
+ curl -fsSL "${url}" -o "${dest}"
+}
+ARCHIVE_PATH="${TMP_DIR}/${ARCHIVE}"
+ALL_CHECKSUMS_PATH="${TMP_DIR}/${CHECKSUMS}"
+CHECKSUM_PATH="${TMP_DIR}/${ARCHIVE}.sha256sum"
+CHECKSUMS_PEM_PATH="${TMP_DIR}/${CHECKSUMS_PEM}"
+CHECKSUMS_SIG_PATH="${TMP_DIR}/${CHECKSUMS_SIG}"
+download "${BASE_URL}/${ARCHIVE}" "${ARCHIVE_PATH}"
+download "${BASE_URL}/${CHECKSUMS}" "${ALL_CHECKSUMS_PATH}"
+download "${BASE_URL}/${CHECKSUMS_PEM}" "${CHECKSUMS_PEM_PATH}"
+download "${BASE_URL}/${CHECKSUMS_SIG}" "${CHECKSUMS_SIG_PATH}"
+
+cosign verify-blob "${ALL_CHECKSUMS_PATH}" \
+ --certificate "${CHECKSUMS_PEM_PATH}" \
+ --signature "${CHECKSUMS_SIG_PATH}" \
+ --certificate-identity-regexp "https://github\.com/anchore/${TOOL}/\.github/workflows/.+" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+echo "Sigstore verification passed"
+
+grep "${ARCHIVE}" "${ALL_CHECKSUMS_PATH}" > "${CHECKSUM_PATH}"
+
+cd "${TMP_DIR}"
+sha256sum -c "${CHECKSUM_PATH}"
+echo "Checksum verification passed"
+tar -xzf "${ARCHIVE_PATH}" -C "${TMP_DIR}"
+
+mkdir -p "$INSTALL_DIR"
+install -m 0755 "$TMP_DIR/${TOOL}" "${INSTALL_DIR}/${TOOL}"
+
+echo "${TOOL} ${VERSION} installed to ${INSTALL_DIR}"
From 7f136ddd3acdfd6c7c5401b18dac9cb634f8bb54 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Thu, 26 Mar 2026 15:06:01 +0000
Subject: [PATCH 09/29] correct path
---
 .gitignore | 2 +-
 src/base/.devcontainer/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 7c362b6..e8b9796 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,4 @@ src/base/.devcontainer/language_versions/
 .trivyignore_combined.yaml
 .out/
 .envrc
-.trivy_out/
+.grype_out/
diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile
index 695595f..29a175e 100644
--- a/src/base/.devcontainer/Dockerfile
+++ b/src/base/.devcontainer/Dockerfile
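Review bot: The `cosign verify-blob` call near the end of the script passes `--certificate-identity-regexp "https://github\.com/anchore/${TOOL}/\.github/workflows/.+"` without `^`/`$` anchors; cosign matches the regexp anywhere in the certificate identity, so anchoring it as `"^https://github\.com/anchore/${TOOL}/\.github/workflows/.+$"` rules out any other identity that merely contains that substring being accepted. The `grep "${ARCHIVE}" "${ALL_CHECKSUMS_PATH}"` that extracts the expected digest treats the archive name as a regex (each `.` matches any character) and is unanchored, so it can select more than one line; comparing the filename field exactly, `awk -v f="${ARCHIVE}" '$2 == f' "${ALL_CHECKSUMS_PATH}" > "${CHECKSUM_PATH}"`, pins it to the one entry. A one-line comment above the `cosign` call naming the Anchore verification document the script follows (already cited in `usage`) would help an auditor find the reference quickly.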
@@ -21,7 +21,7 @@ USER vscode COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions -ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.guard/bin:/home/vscode/.cargo/bin:$PATH" +ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.guard/bin:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} RUN ./vscode_install.sh From 4567f4b506e585b7500bd5ec1f1c0b47208acf1a Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 27 Mar 2026 10:17:38 +0000 Subject: [PATCH 10/29] wip --- .gitignore | 2 +- Makefile | 8 +- package-lock.json | 563 ++++++++++++++++++ package.json | 4 + scripts/parse_grype_output.ts | 103 ++++ src/base/.devcontainer/Dockerfile | 2 + src/base/.devcontainer/Dockerfile.grant | 16 + src/base/.devcontainer/Mk/check.mk | 20 + .../scripts/install_anchore_tool.sh | 13 - 9 files changed, 714 insertions(+), 17 deletions(-) create mode 100644 scripts/parse_grype_output.ts create mode 100644 src/base/.devcontainer/Dockerfile.grant diff --git a/.gitignore b/.gitignore index e8b9796..a1dbfd6 100644 --- a/.gitignore +++ b/.gitignore @@ -4,4 +4,4 @@ src/base/.devcontainer/language_versions/ .trivyignore_combined.yaml .out/ .envrc -.grype_out/ +.sbom/ diff --git a/Makefile b/Makefile index 7d340fb..6ccfa67 100644 --- a/Makefile +++ b/Makefile @@ -69,7 +69,10 @@ build-syft: build-grype: docker build -f src/base/.devcontainer/Dockerfile.grype --tag local_grype src/base/.devcontainer/ -build-image: build-syft build-grype guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG +build-grant: + docker build -f src/base/.devcontainer/Dockerfile.grant --tag local_grant src/base/.devcontainer/ + +build-image: build-syft build-grype build-grant guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG npx devcontainer build \ --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ $(NO_CACHE_FLAG) \ 
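Review bot: Replacing `.grype_out/` with `.sbom/` in `.gitignore` un-ignores a directory the repository still writes to: the Makefile hunk further down this page keeps `--file ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.json"` and the workflow uploads from `.grype_out/`, so scan output can now be committed by accident. Keep both entries, `.grype_out/` and `.sbom/`, until the Makefile and the workflow are moved to a single output directory.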
@@ -97,8 +100,7 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ --scope all-layers \ --output json \ - --file ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.json" \ - --sort-by severity + --file ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.json" shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG docker run -it \ diff --git a/package-lock.json b/package-lock.json index e8e1a35..b8a8515 100644 --- a/package-lock.json +++ b/package-lock.json @@ -10,6 +10,10 @@ "license": "ISC", "dependencies": { "@devcontainers/cli": "^0.84.1" + }, + "devDependencies": { + "@types/node": "^25.5.0", + "tsx": "^4.21.0" } }, "node_modules/@devcontainers/cli": { 
@@ -23,6 +27,565 @@ "engines": { "node": ">=20.0.0" } + }, + "node_modules/@esbuild/aix-ppc64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz", + "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==", + "cpu": [ + "ppc64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "aix" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/android-arm": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz", + "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/android-arm64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz", + "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/android-x64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz", + "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/darwin-arm64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz", + "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==", + "cpu": 
[ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/darwin-x64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz", + "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/freebsd-arm64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz", + "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/freebsd-x64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz", + "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-arm": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz", + "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-arm64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz", + "integrity": 
"sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-ia32": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz", + "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==", + "cpu": [ + "ia32" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-loong64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz", + "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==", + "cpu": [ + "loong64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-mips64el": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz", + "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==", + "cpu": [ + "mips64el" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-ppc64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz", + "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==", + "cpu": [ + "ppc64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-riscv64": { + "version": "0.27.4", + 
"resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz", + "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==", + "cpu": [ + "riscv64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-s390x": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz", + "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==", + "cpu": [ + "s390x" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-x64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz", + "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/netbsd-arm64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz", + "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "netbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/netbsd-x64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz", + "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "netbsd" + ], + "engines": { + "node": ">=18" + 
} + }, + "node_modules/@esbuild/openbsd-arm64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz", + "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/openbsd-x64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz", + "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/openharmony-arm64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz", + "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openharmony" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/sunos-x64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz", + "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "sunos" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/win32-arm64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz", + "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==", + "cpu": [ + "arm64" + ], + "dev": true, 
+ "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/win32-ia32": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz", + "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==", + "cpu": [ + "ia32" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/win32-x64": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz", + "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@types/node": { + "version": "25.5.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz", + "integrity": "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==", + "dev": true, + "license": "MIT", + "dependencies": { + "undici-types": "~7.18.0" + } + }, + "node_modules/esbuild": { + "version": "0.27.4", + "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz", + "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "bin": { + "esbuild": "bin/esbuild" + }, + "engines": { + "node": ">=18" + }, + "optionalDependencies": { + "@esbuild/aix-ppc64": "0.27.4", + "@esbuild/android-arm": "0.27.4", + "@esbuild/android-arm64": "0.27.4", + "@esbuild/android-x64": "0.27.4", + "@esbuild/darwin-arm64": "0.27.4", + "@esbuild/darwin-x64": "0.27.4", + "@esbuild/freebsd-arm64": "0.27.4", + "@esbuild/freebsd-x64": "0.27.4", + "@esbuild/linux-arm": "0.27.4", + 
"@esbuild/linux-arm64": "0.27.4", + "@esbuild/linux-ia32": "0.27.4", + "@esbuild/linux-loong64": "0.27.4", + "@esbuild/linux-mips64el": "0.27.4", + "@esbuild/linux-ppc64": "0.27.4", + "@esbuild/linux-riscv64": "0.27.4", + "@esbuild/linux-s390x": "0.27.4", + "@esbuild/linux-x64": "0.27.4", + "@esbuild/netbsd-arm64": "0.27.4", + "@esbuild/netbsd-x64": "0.27.4", + "@esbuild/openbsd-arm64": "0.27.4", + "@esbuild/openbsd-x64": "0.27.4", + "@esbuild/openharmony-arm64": "0.27.4", + "@esbuild/sunos-x64": "0.27.4", + "@esbuild/win32-arm64": "0.27.4", + "@esbuild/win32-ia32": "0.27.4", + "@esbuild/win32-x64": "0.27.4" + } + }, + "node_modules/fsevents": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, + "node_modules/get-tsconfig": { + "version": "4.13.7", + "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz", + "integrity": "sha512-7tN6rFgBlMgpBML5j8typ92BKFi2sFQvIdpAqLA2beia5avZDrMs0FLZiM5etShWq5irVyGcGMEA1jcDaK7A/Q==", + "dev": true, + "license": "MIT", + "dependencies": { + "resolve-pkg-maps": "^1.0.0" + }, + "funding": { + "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1" + } + }, + "node_modules/resolve-pkg-maps": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz", + "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1" + } + }, + "node_modules/tsx": { + "version": "4.21.0", + "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz", + "integrity": 
"sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==", + "dev": true, + "license": "MIT", + "dependencies": { + "esbuild": "~0.27.0", + "get-tsconfig": "^4.7.5" + }, + "bin": { + "tsx": "dist/cli.mjs" + }, + "engines": { + "node": ">=18.0.0" + }, + "optionalDependencies": { + "fsevents": "~2.3.3" + } + }, + "node_modules/undici-types": { + "version": "7.18.2", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz", + "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==", + "dev": true, + "license": "MIT" } } } diff --git a/package.json b/package.json index 43f5056..48d4dd8 100644 --- a/package.json +++ b/package.json @@ -10,5 +10,9 @@ "description": "", "dependencies": { "@devcontainers/cli": "^0.84.1" + }, + "devDependencies": { + "@types/node": "^25.5.0", + "tsx": "^4.21.0" } } diff --git a/scripts/parse_grype_output.ts b/scripts/parse_grype_output.ts new file mode 100644 index 0000000..4d0ab12 --- /dev/null +++ b/scripts/parse_grype_output.ts 
@@ -0,0 +1,103 @@ +import { readFileSync } from 'node:fs'; +import { resolve } from 'node:path'; + +type JsonValue = + | string + | number + | boolean + | null + | JsonValue[] + | { [key: string]: JsonValue }; + +type JsonObject = { [key: string]: JsonValue }; + +const CRITICAL_SEVERITIES = new Set(['CRITICAL', 'HIGH']); + +const [, , filePath] = process.argv; + +if (!filePath) { + console.error('Usage: tsx scripts/parse_grype_output.ts '); + process.exit(1); +} + +const resolvedPath = resolve(filePath); + +function loadJsonFile(pathToFile: string): JsonValue { + const contents = readFileSync(pathToFile, 'utf8'); + return JSON.parse(contents) as JsonValue; +} + +let parsedJson: JsonValue; + +try { + parsedJson = loadJsonFile(resolvedPath); +} catch (error) { + console.error(`Failed to read or parse JSON file at ${resolvedPath}`); + console.error(error); + process.exit(1); +} + +function isJsonObject(value: JsonValue | undefined): value is JsonObject { + return typeof value === 'object' && value !== null && !Array.isArray(value); +} + +function asString(value: JsonValue | undefined): string | undefined { + return typeof value === 'string' ? value : undefined; +} + +if (!isJsonObject(parsedJson)) { + console.error('Unexpected JSON structure: root element is not an object.'); + process.exit(1); +} + +const matchesValue = parsedJson.matches; + +if (!Array.isArray(matchesValue)) { + console.error('Unexpected JSON structure: "matches" is missing or not an array.'); + process.exit(1); +} + +let matchCount = 0; + +for (const entry of matchesValue) { + if (!isJsonObject(entry)) { + continue; + } + + const vulnerability = isJsonObject(entry.vulnerability) ? entry.vulnerability : undefined; + const severity = asString(vulnerability?.severity)?.toUpperCase(); + + if (!severity || !CRITICAL_SEVERITIES.has(severity)) { + continue; + } + + matchCount += 1; + const vulnerabilityId = asString(vulnerability?.id) ?? 
'Unknown ID'; + const vulnerabilityDescription = + asString(vulnerability?.description) ?? 'No description provided.'; + + const artifact = isJsonObject(entry.artifact) ? entry.artifact : undefined; + const locationsValue = artifact?.locations; + + const resolvedPaths = Array.isArray(locationsValue) + ? locationsValue + .map((location) => + isJsonObject(location) ? asString(location.path) ?? '(missing path)' : undefined, + ) + .filter((path): path is string => typeof path === 'string') + : []; + + const pathsToPrint = resolvedPaths.length > 0 ? resolvedPaths : ['(no locations provided)']; + + console.log('---'); + console.log(`vulnerability.id: ${vulnerabilityId}`); + console.log(`vulnerability.description: ${vulnerabilityDescription}`); + console.log('artifact.locations[*].path:'); + for (const path of pathsToPrint) { + console.log(` - ${path}`); + } +} + +if (matchCount === 0) { + console.log('No Critical or High severity matches found.'); +} diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 5be09fd..b69a1f6 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -1,5 +1,6 @@ FROM local_syft AS syft-build FROM local_grype AS grype-build +FROM local_grant AS grant-build FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 ARG SCRIPTS_DIR=/usr/local/share/eps @@ -20,6 +21,7 @@ RUN ./root_install.sh COPY --from=syft-build /syft /usr/local/bin/syft COPY --from=grype-build /grype /usr/local/bin/grype +COPY --from=grant-build /grant /usr/local/bin/grant COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh USER vscode diff --git a/src/base/.devcontainer/Dockerfile.grant b/src/base/.devcontainer/Dockerfile.grant new file mode 100644 index 0000000..382491e --- /dev/null +++ b/src/base/.devcontainer/Dockerfile.grant 
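Review bot: The script reports Critical/High matches but always exits 0 (the only non-zero exits are for unreadable or malformed input), so it cannot act as a gate from `make` or CI; if that is the intent, `process.exit(matchCount > 0 ? 1 : 0);` at the end, or a documented `--fail` flag, makes the result actionable. The usage string `'Usage: tsx scripts/parse_grype_output.ts '` ends without naming the argument — it looks like a `<path>` placeholder was lost — and `CRITICAL_SEVERITIES` also contains `'HIGH'`, so a name such as `FAILING_SEVERITIES` would describe it better. A header comment stating the expected input (a `grype --output json` document with a top-level `matches` array) would help the next reader, since the shape is otherwise only implied by the property accesses.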
@@ -0,0 +1,16 @@ +FROM alpine:3.23.3 AS build +ARG TARGETARCH +ARG GRANT_VERSION="0.6.4" +ENV GRANT_VERSION=${GRANT_VERSION} +RUN apk add --no-cache cosign bash curl jq +COPY --chmod=755 scripts/install_anchore_tool.sh /tmp/install_anchore_tool.sh +RUN case "${TARGETARCH}" in \ + x86_64|amd64) ANCHORE_ARCH=amd64 ;; \ + aarch64|arm64) ANCHORE_ARCH=arm64 ;; \ + *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ + esac \ + && INSTALL_DIR=/tmp/anchore/ TOOL=grant ARCH="${ANCHORE_ARCH}" VERSION="${GRANT_VERSION}" /tmp/install_anchore_tool.sh + +FROM scratch +COPY --from=build /tmp/anchore/grant /grant +ENTRYPOINT ["/grant"] diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk index 679bc4b..94705ab 100644 --- a/src/base/.devcontainer/Mk/check.mk +++ b/src/base/.devcontainer/Mk/check.mk @@ -94,3 +94,23 @@ guard-%: zizmor: zizmor . + +generate-sbom: + syft \ + --output cyclonedx-json=.sbom/sbom.cdx.json \ + dir:./ + +generate-sbom-dev-deps: + SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true syft \ + --output cyclonedx-json=.sbom/sbom.dev.cdx.json \ + dir:./ + +grype-scan: generate-sbom + grype .sbom/sbom.cdx.json \ + --output json=".sbom/grype_analysis.json" + +grant-scan: generate-sbom + grant check .sbom/sbom.cdx.json \ + --output json \ + --quiet \ + --output-file ".sbom/grant_analysis.json" diff --git a/src/base/.devcontainer/scripts/install_anchore_tool.sh b/src/base/.devcontainer/scripts/install_anchore_tool.sh index 511fff1..3c56bde 100755 --- a/src/base/.devcontainer/scripts/install_anchore_tool.sh +++ b/src/base/.devcontainer/scripts/install_anchore_tool.sh 
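Review bot: `generate-sbom`, `grype-scan` and `grant-scan` in `check.mk` all write under `.sbom/`, but no recipe creates that directory, so a fresh checkout may fail on the first `--output` unless the tools create parent directories themselves; `mkdir -p .sbom` as the first line of `generate-sbom` and `generate-sbom-dev-deps` removes the doubt. `grype-scan` also runs without `--fail-on`, so as a make target it only produces a report and never fails, which is fine for local use but should be stated above the target, e.g. `# report only: add --fail-on <severity> to use as a gate`. Whether these targets are declared `.PHONY` is not visible in the hunk.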
@@ -9,19 +9,6 @@ CHECKSUMS="${TOOL}_${VERSION}_checksums.txt" CHECKSUMS_PEM="${TOOL}_${VERSION}_checksums.txt.pem" CHECKSUMS_SIG="${TOOL}_${VERSION}_checksums.txt.sig" -if [ -z "$TOOL" ] -then - echo "\$TOOL is NULL" -fi -if [ -z "$ARCH" ] -then - echo "\$ARCH is NULL" -fi -if [ -z "$VERSION" ] -then - echo "\$VERSION is NULL" -fi - usage() { cat <<'EOF' Usage: install_anchore_tool.sh From d7ffa26bc24d78cf9cc4e451a04e02589469e476 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 09:52:51 +0000 Subject: [PATCH 11/29] only run post* scripts once --- .devcontainer/devcontainer.json | 3 --- src/base/.devcontainer/scripts/lifecycle/post_attach.sh | 2 ++ src/base/.devcontainer/scripts/lifecycle/post_create.sh | 3 +++ src/base/.devcontainer/scripts/lifecycle/post_start.sh | 2 ++ src/base_node/node_24/.devcontainer/devcontainer.json | 3 --- .../node_24_python_3_10/.devcontainer/devcontainer.json | 3 --- .../node_24_python_3_12/.devcontainer/devcontainer.json | 3 --- .../node_24_python_3_13/.devcontainer/devcontainer.json | 3 --- .../node_24_python_3_14/.devcontainer/devcontainer.json | 3 --- src/projects/eps-data-extract/.devcontainer/devcontainer.json | 3 --- .../eps-storage-terraform/.devcontainer/devcontainer.json | 3 --- src/projects/fhir_facade_api/.devcontainer/devcontainer.json | 3 --- .../.devcontainer/devcontainer.json | 3 --- .../.devcontainer/devcontainer.json | 3 --- src/projects/regression_tests/.devcontainer/devcontainer.json | 3 --- 15 files changed, 7 insertions(+), 36 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 2232f7e..bd590a8 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
@@ -22,9 +22,6 @@ "--network=host" ], "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": { }, "customizations": { diff --git a/src/base/.devcontainer/scripts/lifecycle/post_attach.sh b/src/base/.devcontainer/scripts/lifecycle/post_attach.sh index 6fe214c..a3dd07d 100755 --- a/src/base/.devcontainer/scripts/lifecycle/post_attach.sh +++ b/src/base/.devcontainer/scripts/lifecycle/post_attach.sh @@ -2,4 +2,6 @@ # Script to run as devcontainer postAttachCommand set -euo pipefail +echo "Running common post-attach script" + # currently empty diff --git a/src/base/.devcontainer/scripts/lifecycle/post_create.sh b/src/base/.devcontainer/scripts/lifecycle/post_create.sh index 13c7512..27a71f1 100755 --- a/src/base/.devcontainer/scripts/lifecycle/post_create.sh +++ b/src/base/.devcontainer/scripts/lifecycle/post_create.sh @@ -2,6 +2,9 @@ # Script to run as devcontainer postCreateCommand set -euo pipefail +echo "Running common post-create script" + + # Install git-secrets, register AWS patterns and NHS rules in an idempotent way if ! git config --get-all secrets.patterns | grep -Fq AKIA; then git-secrets --register-aws diff --git a/src/base/.devcontainer/scripts/lifecycle/post_start.sh b/src/base/.devcontainer/scripts/lifecycle/post_start.sh index 63dbbc0..f7dfaa3 100755 --- a/src/base/.devcontainer/scripts/lifecycle/post_start.sh +++ b/src/base/.devcontainer/scripts/lifecycle/post_start.sh @@ -2,4 +2,6 @@ # Script to run as devcontainer postStartCommand set -euo pipefail +echo "Running common post-start script" + # currently empty diff --git a/src/base_node/node_24/.devcontainer/devcontainer.json b/src/base_node/node_24/.devcontainer/devcontainer.json index c14ec52..90d861a 100644 --- a/src/base_node/node_24/.devcontainer/devcontainer.json 
+++ b/src/base_node/node_24/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } diff --git a/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json index 3e8304b..a810718 100644 --- a/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_10/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json index 95b9ffb..0ac0328 100644 --- a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json index 95b9ffb..0ac0328 100644 --- a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } 
diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json index 01708ae..8580944 100644 --- a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } diff --git a/src/projects/eps-data-extract/.devcontainer/devcontainer.json b/src/projects/eps-data-extract/.devcontainer/devcontainer.json index bfcb365..8b10457 100644 --- a/src/projects/eps-data-extract/.devcontainer/devcontainer.json +++ b/src/projects/eps-data-extract/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } diff --git a/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json b/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json index 9c56e49..95c0a22 100644 --- a/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json +++ b/src/projects/eps-storage-terraform/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json index 9c56e49..95c0a22 100644 --- a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json +++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json 
@@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } diff --git a/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/devcontainer.json b/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/devcontainer.json index 67e5a9b..e84c9ef 100644 --- a/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/devcontainer.json +++ b/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } diff --git a/src/projects/node_24_python_3_14_java_24/.devcontainer/devcontainer.json b/src/projects/node_24_python_3_14_java_24/.devcontainer/devcontainer.json index 2a6b023..65abfbe 100644 --- a/src/projects/node_24_python_3_14_java_24/.devcontainer/devcontainer.json +++ b/src/projects/node_24_python_3_14_java_24/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } diff --git a/src/projects/regression_tests/.devcontainer/devcontainer.json b/src/projects/regression_tests/.devcontainer/devcontainer.json index 9c56e49..95c0a22 100644 --- a/src/projects/regression_tests/.devcontainer/devcontainer.json +++ b/src/projects/regression_tests/.devcontainer/devcontainer.json @@ -13,9 +13,6 @@ }, "context": "." }, - "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh", - "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh", - "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh", "features": {} } 
From 55578d92db4bc5e9e517c0effbd2e11d0da1aef3 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 09:56:48 +0000 Subject: [PATCH 12/29] add dependabot cooldown --- .github/dependabot.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4a87436..5d07868 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,7 +16,8 @@ updates: open-pull-requests-limit: 20 commit-message: prefix: "Upgrade: [dependabot] - " - + cooldown: + default-days: 7 ################################### # NPM workspace ################## ################################### @@ -30,6 +31,8 @@ updates: versioning-strategy: increase commit-message: prefix: "Upgrade: [dependabot] - " + cooldown: + default-days: 7 ################################### # Poetry ######################### @@ -44,3 +47,5 @@ updates: versioning-strategy: increase commit-message: prefix: "Upgrade: [dependabot] - " + cooldown: + default-days: 7 From f4bcfdced7d04bf6858c5786569639e640e42bc6 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 09:59:58 +0000 Subject: [PATCH 13/29] fix workflows --- .github/workflows/build_all_images.yml | 5 +++-- .github/workflows/build_multi_arch_image.yml | 2 ++ .github/workflows/ci.yml | 2 +- .github/workflows/delete_old_images.yml | 3 ++- .github/workflows/pull_request.yml | 5 ++--- .github/workflows/release.yml | 1 + 6 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index fe3279a..719088d 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml @@ -11,8 +11,7 @@ name: build_all_images NO_CACHE: required: true type: boolean -env: - BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' +permissions: {} jobs: discover_folders: runs-on: ubuntu-latest 
@@ -22,6 +21,8 @@ jobs: project_folders: ${{ steps.find-folders.outputs.projects }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + with: + persist-credentials: false - id: find-folders run: | diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index ed4fdc7..6fe8d8d 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -20,6 +20,7 @@ name: Build and push docker image EXTRA_COMMON: required: false type: string +permissions: {} jobs: build_and_push_image: @@ -63,6 +64,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 + persist-credentials: false - name: setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eaa03c1..fef84d9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,7 @@ name: merge to main workflow on: push: branches: [main] +permissions: {} jobs: get_config_values: @@ -27,7 +28,6 @@ jobs: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} branch_name: main tag_format: ${{ needs.get_config_values.outputs.tag_format }} - secrets: inherit build_all_images: needs: - tag_release diff --git a/.github/workflows/delete_old_images.yml b/.github/workflows/delete_old_images.yml index 96438b5..9e72b3f 100644 --- a/.github/workflows/delete_old_images.yml +++ b/.github/workflows/delete_old_images.yml @@ -7,6 +7,7 @@ on: - cron: "0 1 * * 6" push: branches: [main] +permissions: {} jobs: delete-old-pushed-images: @@ -21,8 +22,8 @@ jobs: - name: Checkout local code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 + persist-credentials: false - name: delete unused images shell: bash 
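Review bot: `secrets: inherit` is removed from the `tag_release` call in ci.yml with nothing passed in its place, so the reusable workflow now receives no repository secrets at all. That is the right default, but it should be confirmed that the tag-release workflow needs nothing beyond `GITHUB_TOKEN`; if it does, pass the specific ones under `secrets:` rather than restoring `inherit`, which hands every repository secret to the callee. The other hunks on this line (`permissions: {}` and `persist-credentials: false` on the checkouts) look correct as written.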
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index e98ebb5..db2f526 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -3,8 +3,7 @@ name: pull_request pull_request: branches: - main -env: - BRANCH_NAME: '${{ github.event.pull_request.head.ref }}' +permissions: {} jobs: dependabot-auto-approve-and-merge: needs: quality_checks @@ -63,7 +62,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: '${{ env.BRANCH_NAME }}' + persist-credentials: false - name: Get Commit ID id: commit_id run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d74f451..4f0cd1d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,7 @@ on: workflow_dispatch: schedule: - cron: "0 18 * * 3" +permissions: {} jobs: get_config_values: From d982d9fcf64a351e8009836a0a48ff9abcf3d295 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 10:01:58 +0000 Subject: [PATCH 14/29] explicit permissions --- .github/workflows/pull_request.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index db2f526..a928e34 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -7,8 +7,10 @@ permissions: {} jobs: dependabot-auto-approve-and-merge: needs: quality_checks - uses: >- - NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 + uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 + permissions: + contents: write + pull-requests: write secrets: AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}' AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}' From 30b51665af8ebc132c9b39328a8fcace72aff5bc Mon Sep 17 00:00:00 2001 
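Review bot: Dropping `ref: '${{ env.BRANCH_NAME }}'` from the pull_request.yml checkout changes which commit is checked out, not just how: on `pull_request` events actions/checkout defaults to the synthetic merge commit rather than the PR head. The "Get Commit ID" step that follows (its body is outside the hunk) therefore appears to hash the merge commit, so the `pr-<issue>-<sha_short>` image tags built later in this series would change whenever `main` moves, not only when the PR branch is pushed. If the head commit is intended, add `ref: ${{ github.event.pull_request.head.sha }}` under `with:` — a SHA rather than a branch name, so it carries none of the expression-injection exposure the `env.BRANCH_NAME` indirection was removed for — and keep `persist-credentials: false` alongside it.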
From: Anthony Brown Date: Tue, 31 Mar 2026 10:03:27 +0000 Subject: [PATCH 15/29] explicit permissions --- .github/workflows/ci.yml | 4 ++++ .github/workflows/pull_request.yml | 4 ++++ .github/workflows/release.yml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fef84d9..113a41d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,10 @@ jobs: uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 with: verify_published_from_main_image: true + permissions: + attestations: read + contents: read + packages: read quality_checks: uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 needs: diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index a928e34..4f49bdc 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -18,6 +18,10 @@ jobs: uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 with: verify_published_from_main_image: false + permissions: + attestations: read + contents: read + packages: read quality_checks: uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 needs: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4f0cd1d..622a122 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -10,6 +10,10 @@ jobs: uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 with: verify_published_from_main_image: false + permissions: + attestations: read + contents: read + packages: read quality_checks: uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 needs: From 4345bed98b0e12420f62a0bc2ea48d32d70a9092 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 10:04:31 +0000 Subject: [PATCH 16/29] explicit permissions --- .github/workflows/pull_request.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 4f49bdc..63ad634 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -31,8 +31,9 @@ jobs: secrets: SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' pr_title_format_check: - uses: >- - NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 + uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69 + permissions: + pull-requests: write get_issue_number: runs-on: ubuntu-22.04 needs: quality_checks From e2ebcb3c53c2872b8104e68dd766a92e190d3dba Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 10:07:12 +0000 Subject: [PATCH 17/29] explicit permissions --- .github/workflows/build_all_images.yml | 6 +++++- .github/workflows/ci.yml | 5 +++++ .github/workflows/pull_request.yml | 5 +++++ .github/workflows/release.yml | 5 +++++ 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml index 719088d..8887abd 100644 --- a/.github/workflows/build_all_images.yml +++ b/.github/workflows/build_all_images.yml 
@@ -11,7 +11,11 @@ name: build_all_images NO_CACHE: required: true type: boolean -permissions: {} +permissions: + attestations: write + contents: read + packages: write + id-token: write jobs: discover_folders: runs-on: ubuntu-latest diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 113a41d..4fb3b03 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,6 +36,11 @@ jobs: needs: - tag_release uses: ./.github/workflows/build_all_images.yml + permissions: + attestations: write + contents: read + packages: write + id-token: write with: docker_tag: 'ci-${{ needs.tag_release.outputs.version_tag }}' tag_latest: false diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 63ad634..8824ae5 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -81,6 +81,11 @@ jobs: - get_issue_number - get_commit_id uses: ./.github/workflows/build_all_images.yml + permissions: + attestations: write + contents: read + packages: write + id-token: write with: docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}' tag_latest: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 622a122..32be7f4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,6 +39,11 @@ jobs: needs: - tag_release uses: ./.github/workflows/build_all_images.yml + permissions: + attestations: write + contents: read + packages: write + id-token: write with: docker_tag: '${{ needs.tag_release.outputs.version_tag }}' tag_latest: true From 026d59038df3b213806d11c3981e83e3907dbfe5 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 10:23:17 +0000 Subject: [PATCH 18/29] show vuln output --- .github/workflows/build_multi_arch_image.yml | 5 +++-- Makefile | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) 
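Review bot: The top-level `permissions:` block in build_all_images.yml grants `attestations: write`, `packages: write` and `id-token: write` to every job in the workflow, including `discover_folders`, which only checks out the repo and lists directories. Least privilege is to keep `permissions: {}` at the top (what the previous commit set) and attach the write grants at job level on the job that actually builds and pushes images; the job definitions are outside the hunk, so I cannot see whether one already carries its own block. The matching caller hunks in ci.yml, pull_request.yml and release.yml on this line are fine — a caller must grant at least what the reusable workflow requests, and they pass exactly that set.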
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 6fe8d8d..50c289b 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -115,10 +115,11 @@ jobs: if: always() run: | echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" - if [ -f .out/scan_results_docker.txt ]; then - cat .out/scan_results_docker.txt + if [ -f ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.txt" ]; then + cat ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.txt" fi env: + CONTAINER_NAME: '${{ inputs.container_name }}' ARCHITECTURE: '${{ matrix.arch }}' DOCKER_TAG: '${{ inputs.docker_tag }}' - name: Push tagged image and rebuild for github actions diff --git a/Makefile b/Makefile index e0bd305..3bf3537 100644 --- a/Makefile +++ b/Makefile @@ -98,7 +98,8 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ --scope all-layers \ - --sort-by severity + --sort-by severity \ + --file ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.txt" scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ From 3ae300e41d2913ec7d27b96d2c893d31f89bd590 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 11:05:51 +0000 Subject: [PATCH 19/29] add grype ignore --- .github/workflows/build_multi_arch_image.yml | 11 -------- .grype.yaml | 29 ++++++++++++++++++++ Makefile | 3 +- 3 files changed, 30 insertions(+), 13 deletions(-) create mode 100644 .grype.yaml diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 50c289b..07b0fc9 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
@@ -111,17 +111,6 @@ jobs: CONTAINER_NAME: '${{ inputs.container_name }}' BASE_FOLDER: "${{ inputs.base_folder }}" IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}" - - name: Show docker vulnerability output - if: always() - run: | - echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}" - if [ -f ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.txt" ]; then - cat ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.txt" - fi - env: - CONTAINER_NAME: '${{ inputs.container_name }}' - ARCHITECTURE: '${{ matrix.arch }}' - DOCKER_TAG: '${{ inputs.docker_tag }}' - name: Push tagged image and rebuild for github actions run: | echo "Pushing image..." diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 0000000..0edae69 --- /dev/null +++ b/.grype.yaml @@ -0,0 +1,29 @@ +ignore: + # Ignore specific CVEs + - vulnerability: CVE-2025-4517 + - vulnerability: CVE-2025-68121 + - vulnerability: GHSA-p77j-4mvh-x3m3 + - vulnerability: GHSA-vmwr-mc7x-5vc3 + - vulnerability: CVE-2025-4330 + - vulnerability: CVE-2025-4435 + - vulnerability: CVE-2025-4138 + - vulnerability: CVE-2025-8194 + - vulnerability: CVE-2025-13836 + - vulnerability: CVE-2024-9287 + - vulnerability: CVE-2025-61726 + - vulnerability: CVE-2026-4519 + - vulnerability: CVE-2026-25679 + - vulnerability: CVE-2025-61725 + - vulnerability: CVE-2025-61723 + - vulnerability: CVE-2025-61729 + - vulnerability: GHSA-4vrq-3vrq-g6gg + - vulnerability: CVE-2025-58187 + - vulnerability: CVE-2026-27137 + - vulnerability: CVE-2025-47907 + - vulnerability: CVE-2025-61731 + - vulnerability: GHSA-9h8m-3fm2-qjrq + - vulnerability: CVE-2025-61732 + - vulnerability: GHSA-4c29-8rgm-jvjj + - vulnerability: CVE-2025-58188 + - vulnerability: CVE-2025-4674 + - vulnerability: GHSA-x744-4wpc-v9h2 diff --git a/Makefile b/Makefile index 3bf3537..ea03c3c 100644 --- a/Makefile +++ b/Makefile 
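Review bot: Every entry in the new `.grype.yaml` is a bare `vulnerability:` id with no reason, scope or review date, so these 27 suppressions apply to any package in any image scanned from this repo and will outlive the upstream fixes they are presumably waiting on. Give each entry a one-line `# why:` comment naming the affected package and the reason the finding is accepted (not reachable, no fixed version published, etc.), and narrow the rule where possible with grype's `package:` (name/version/type) or `fix-state: not-fixed` fields so the ignore stops matching once a fix ships. Together with the `--fail-on high` gate added to `scan-image` in PATCH 19, this unscoped list is the only thing between a new high-severity match and a green build, so a dated "review by" comment at the top of the file is worth adding.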
@@ -94,12 +94,11 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG --load \ -t "${CONTAINER_PREFIX}$${BASE_IMAGE_NAME}:githubactions-$${IMAGE_TAG}" \ . - scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ --scope all-layers \ --sort-by severity \ - --file ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.txt" + --fail-on high scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \ From 7cb1f52bc7e791eb71e323a46c78b926cf2cfcf6 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 11:53:02 +0000 Subject: [PATCH 20/29] vulns for node 24 --- .grype.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.grype.yaml b/.grype.yaml index 0edae69..22d70cc 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -1,5 +1,5 @@ ignore: - # Ignore specific CVEs + # base image - vulnerability: CVE-2025-4517 - vulnerability: CVE-2025-68121 - vulnerability: GHSA-p77j-4mvh-x3m3 @@ -27,3 +27,11 @@ ignore: - vulnerability: CVE-2025-58188 - vulnerability: CVE-2025-4674 - vulnerability: GHSA-x744-4wpc-v9h2 +# node_24 vulnerabilities + - vulnerability: GHSA-c2c7-rcm5-vvqj + - vulnerability: GHSA-7r86-cg39-jmmj + - vulnerability: GHSA-3ppc-4f35-3m26 + - vulnerability: GHSA-23c5-xmqv-rm74 + - vulnerability: GHSA-9ppj-qmqm-q256 + - vulnerability: GHSA-qffp-2rhf-9h96 + - vulnerability: GHSA-83g3-92jg-28cx From c7a574f7d574abd0f972224c35272d5606892bbc Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 13:49:41 +0000 Subject: [PATCH 21/29] more vulns --- .grype.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.grype.yaml b/.grype.yaml index 22d70cc..c64920c 100644 --- a/.grype.yaml +++ b/.grype.yaml 
@@ -35,3 +35,7 @@ ignore: - vulnerability: GHSA-9ppj-qmqm-q256 - vulnerability: GHSA-qffp-2rhf-9h96 - vulnerability: GHSA-83g3-92jg-28cx +# node_24_python_3_10 vulnerabilities + - vulnerability: GHSA-cx63-2mw6-8hw5 + - vulnerability: GHSA-r9hx-vwmv-q579 + - vulnerability: GHSA-5rjg-fvgr-3xxf From 3b8f045bd3058103808f9d45fc1bbf415221bafa Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 16:10:33 +0000 Subject: [PATCH 22/29] update docs --- README.md | 36 +++++++++++++++++++- src/base/.devcontainer/.grant.yaml | 16 +++++++++ src/base/.devcontainer/Dockerfile | 1 + src/base/.devcontainer/Mk/check.mk | 53 +++++++++++++++++++++++++----- 4 files changed, 97 insertions(+), 9 deletions(-) create mode 100644 src/base/.devcontainer/.grant.yaml diff --git a/README.md b/README.md index 1f6183e..ed8ff02 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ EPS DEV CONTAINERS - [Using local or pull request images in Visual Studio Code and GitHub Actions](#using-local-or-pull-request-images-in-visual-studio-code-and-github-actions) - [Common Makefile targets](#common-makefile-targets) - [Defined Targets](#targets) +- [Anchore tools](#anchore-tools-syft-grype-grant) - [Project structure](#project-structure) - [Pull requests and merge to main process](#pull-requests-and-merge-to-main-process) 
@@ -177,7 +178,18 @@ Check targets (`check.mk`) - `actionlint` - runs actionlint against GitHub Actions - `secret-scan` - runs git-secrets (including scanning history) against the repository - `guard-` - checks if an environment variable is set and errors if it is not -- `zizmor` runs [zizmor](https://github.com/zizmorcore/zizmor) in the local directory to check github workflows and actions +- `zizmor` - runs [zizmor](https://github.com/zizmorcore/zizmor) in the local directory to check github workflows and actions +- `syft-generate-sbom` - uses syft to generate an sbom in cyclonedx-json format. This *does not* include dev dependencies. Outputs file to .sbom/sbom.cdx.json. +- `syft-generate-sbom-dev-dependencies`- uses syft to generate an sbom in cyclonedx-json format. This *DOES* include dev dependencies. Outputs file to .sbom/sbom.dev.cdx.json. +- `grype-scan` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. +- `grype-scan-dev-dependencies` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. +- `grype-scan-json` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grype_analysis.json +- `grype-scan-json-dev-dependencies` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. Outputs file to .sbom/grype_analysis.dev.json +- `grype-scan-local` - Uses grype to scan local folders for vulnerabilities. This is installed as a pre-commit hook in each project. +- `grant-scan` - Uses scan to check for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. +- `grant-scan-dev-dependencies` - Uses scan to check for possible incompatible licenses. 
Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. +- `grant-scan-json` - Uses scan to check for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grant_analysis.json +- `grant-scan-json-dev-dependencies` - Uses scan to check for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. Outputs file to .sbom/grant_analysis.dev.json Credentials targets (`credentials.mk`) - `aws-configure` - configures an AWS SSO session 
@@ -195,6 +207,28 @@ These are all changed to not run anything and will be removed in a future releas - `trivy-scan-java` - `trivy-scan-docker` +# Anchore tools (syft, grype, grant) +We use tools from [anchore](https://oss.anchore.com/docs/projects/) for various analysis. The tools we use are +- syft to generate SBOM +- grype to scan for vulnerabilities +- grant to check for incompatible licenses + +## syft +This is used to generate SBOM (software bill of materials) for dependencies. +There are makefile targets defined that run with most common settings we need. There should be no need to modify any configuration files for use + +# grype +This scans for known vulnerabilities. +There are several makefile targets defined that can be used to run this - either outputting to console, or to a json file. It can also run for just runtime dependencies or include dev dependencies. +You may need to create a `.grype.yaml` with known accepted vulnerabilities in a project while we are waiting for downstream dependencies to update. Details of how to do this are documented at https://oss.anchore.com/docs/guides/vulnerability/filter-results/#ignore-specific-vulnerabilities-or-packages + +# grant +This scans for incompatible licenses in dependencies. +There are several makefile targets defined that can be used to run this - either outputting to console, or to a json file. It can also run for just runtime dependencies or include dev dependencies. +There is a default .grant.yaml file placed in home directories of devcontainers that lists acceptable licenses and known packages where the scanner incorrectly identified a license for a dependency. +If you need to modify this for a specific project, you must copy this to the root folder of the project and then modify it - eg `cp $HOME/.grant.yaml .`. +See https://oss.anchore.com/docs/guides/license/policies/ for details of what to put in the file. + # Project structure We have 5 types of dev container. These are defined under src 
diff --git a/src/base/.devcontainer/.grant.yaml b/src/base/.devcontainer/.grant.yaml new file mode 100644 index 0000000..a82ba75 --- /dev/null +++ b/src/base/.devcontainer/.grant.yaml @@ -0,0 +1,16 @@ +allow: + - MIT* + - Apache-2.0 + - BSD-2-Clause + - BSD-3-Clause + - ISC + - 0BSD + - Unlicense + - CC0-1.0 + - BlueOak-1.0.0 + - BSD + - MPL-2.0 + - CC-BY-4.0 + - Python-2.0 +ignore-packages: + - "case" diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 801475d..65931f1 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -28,6 +28,7 @@ COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vsco USER vscode COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions +COPY --chown=vscode:vscode .grant.yaml /home/vscode/.grant.yaml ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.guard/bin:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk index f368742..23df227 100644 --- a/src/base/.devcontainer/Mk/check.mk +++ b/src/base/.devcontainer/Mk/check.mk 
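Review bot: The `ignore-packages: - "case"` entry in the new .grant.yaml carries no explanation, so the next reader cannot tell which license that package really ships or when the exclusion can be dropped; the README text in this series says such entries exist for packages whose license grant mis-detects, so record that on the line itself, e.g. `- "case"  # grant mis-detects the license; actual license per upstream metadata: <fill in>, re-check on next grant upgrade`. The bare `- BSD` allow entry is not an SPDX identifier, so presumably it is there to match a non-SPDX string some package emits; a comment naming that package would make the entry auditable. An allow list is policy: anything matching a glob such as `MIT*` is accepted without further review, so prefer exact identifiers wherever the wildcard is not actually needed.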
@@ -95,22 +95,59 @@ guard-%: zizmor: zizmor --min-severity medium . -generate-sbom: +syft-generate-sbom: syft \ --output cyclonedx-json=.sbom/sbom.cdx.json \ dir:./ -generate-sbom-dev-deps: - SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true syft \ +syft-generate-sbom-dev-dependencies: + SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true \ + syft \ --output cyclonedx-json=.sbom/sbom.dev.cdx.json \ dir:./ -grype-scan: generate-sbom - grype .sbom/sbom.cdx.json \ - --output json=".sbom/grype_analysis.json" - -grant-scan: generate-sbom +grype-scan: syft-generate-sbom + grype \ + --fail-on high \ + .sbom/sbom.cdx.json + +grype-scan-dev-dependencies: syft-generate-sbom-dev-dependencies + grype \ + --fail-on high \ + .sbom/sbom.dev.cdx.json + +grype-scan-json: syft-generate-sbom + grype \ + --fail-on high \ + .sbom/sbom.cdx.json \ + --output json=".sbom/grype_analysis.json" + +grype-scan-json-dev-dependencies: syft-generate-sbom-dev-dependencies + grype \ + --fail-on high \ + .sbom/sbom.dev.cdx.json \ + --output json=".sbom/grype_analysis.dev.json" + +grype-scan-local: + grype \ + --fail-on high \ + . +grant-scan: syft-generate-sbom + grant check \ + .sbom/sbom.cdx.json + +grant-scan-dev-dependencies: syft-generate-sbom-dev-dependencies + grant check \ + .sbom/sbom.dev.cdx.json + +grant-scan-json: syft-generate-sbom grant check .sbom/sbom.cdx.json \ --output json \ --quiet \ --output-file ".sbom/grant_analysis.json" + +grant-scan-json-dev-dependencies: syft-generate-sbom-dev-dependencies + grant check .sbom/sbom.dev.cdx.json \ + --output json \ + --quiet \ + --output-file ".sbom/grant_analysis.dev.json" From cfcb96c970d50fcf4bcb6a520519f62f8be65588 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 16:16:22 +0000 Subject: [PATCH 23/29] more vulns --- .grype.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.grype.yaml b/.grype.yaml index c64920c..3d706b7 100644 --- a/.grype.yaml +++ b/.grype.yaml 
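Review bot: `syft-generate-sbom-dev-dependencies` sets only `SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true`, so the "dev dependencies" in its name applies to the JavaScript catalogers alone; other ecosystems in these images (Python, Java) are cataloged with syft's defaults in both SBOM targets and nothing in the recipe changes that. Add a comment above the target stating the scope, e.g. `# Only the JavaScript catalogers honour this flag; other ecosystems use syft defaults in both SBOM targets`, so the README's "DOES include dev dependencies" claim is not read as universal. `grype-scan-local` scans `.` with no `--exclude`, so once the other targets have run it will also walk `.sbom/`; if syft's SBOM cataloger is enabled for directory scans (I believe it is by default) the previously generated CycloneDX files are ingested as packages and findings are reported twice, which `--exclude './.sbom/**'` avoids. Finally, `grype .sbom/sbom.cdx.json` relies on grype auto-detecting the input; `sbom:.sbom/sbom.cdx.json` makes the intent explicit and fails clearly when the file is missing instead of falling through to the other source types.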
@@ -39,3 +39,27 @@ ignore: - vulnerability: GHSA-cx63-2mw6-8hw5 - vulnerability: GHSA-r9hx-vwmv-q579 - vulnerability: GHSA-5rjg-fvgr-3xxf +# eps-storage-terraform vulnerabilities + - vulnerability: CVE-2025-68119 +# eps-data-extract vulnerabilities + - vulnerability: GHSA-6fmv-xxpf-w3cw +# fhir-facade vulnerabilities + - vulnerability: CVE-2022-26485 + - vulnerability: CVE-2022-26486 + - vulnerability: CVE-2022-25235 + - vulnerability: CVE-2022-25236 + - vulnerability: CVE-2024-21147 + - vulnerability: CVE-2025-21587 + - vulnerability: CVE-2025-30749 + - vulnerability: CVE-2024-20952 + - vulnerability: CVE-2024-20918 + - vulnerability: CVE-2025-50106 + - vulnerability: CVE-2025-50059 + - vulnerability: CVE-2025-53066 + - vulnerability: CVE-2026-21945 + - vulnerability: CVE-2026-21932 +# node-24_python_3_14_java_24 vulnerabilities + - vulnerability: GHSA-6fmv-xxpf-w3cw + - vulnerability: CVE-2025-53066 + - vulnerability: CVE-2026-21945 + - vulnerability: CVE-2026-21932 From 1d0ee19c109b9071761d407b78bb5c0de57f5397 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 16:40:55 +0000 Subject: [PATCH 24/29] update readme --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index ed8ff02..239fbdc 100644 --- a/README.md +++ b/README.md 
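Review bot: Every new `ignore` entry matches on the vulnerability id alone, so each id is suppressed for any package in any project that scans with this root `.grype.yaml`, not only the project named in the preceding comment line; four ids are also listed twice (`GHSA-6fmv-xxpf-w3cw`, `CVE-2025-53066`, `CVE-2026-21945`, `CVE-2026-21932`), once under fhir-facade and once under node_24_python_3_14_java_24. Scope each entry to the package it was accepted for and record why and until when, since as far as I know grype ignore rules have no expiry field: `- vulnerability: CVE-2025-68119` / `  package:` / `    name: <package>  # accepted: <reason or ticket>, re-check by <date>`. The README in this series says a per-project `.grype.yaml` is the intended place for accepted findings, so consider whether these entries belong in the individual projects rather than the shared root file.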
@@ -186,10 +186,10 @@ Check targets (`check.mk`) - `grype-scan-json` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grype_analysis.json - `grype-scan-json-dev-dependencies` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. Outputs file to .sbom/grype_analysis.dev.json - `grype-scan-local` - Uses grype to scan local folders for vulnerabilities. This is installed as a pre-commit hook in each project. -- `grant-scan` - Uses scan to check for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. -- `grant-scan-dev-dependencies` - Uses scan to check for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. -- `grant-scan-json` - Uses scan to check for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grant_analysis.json -- `grant-scan-json-dev-dependencies` - Uses scan to check for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. Outputs file to .sbom/grant_analysis.dev.json +- `grant-scan` - Uses grant to scan for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. +- `grant-scan-dev-dependencies` - Uses grant to scan for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. +- `grant-scan-json` - Uses grant to scan for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grant_analysis.json +- `grant-scan-json-dev-dependencies` - Uses grant to scan for possible incompatible licenses. 
Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. Outputs file to .sbom/grant_analysis.dev.json Credentials targets (`credentials.mk`) - `aws-configure` - configures an AWS SSO session @@ -217,12 +217,12 @@ We use tools from [anchore](https://oss.anchore.com/docs/projects/) for various This is used to generate SBOM (software bill of materials) for dependencies. There are makefile targets defined that run with most common settings we need. There should be no need to modify any configuration files for use -# grype +## grype This scans for known vulnerabilities. There are several makefile targets defined that can be used to run this - either outputting to console, or to a json file. It can also run for just runtime dependencies or include dev dependencies. You may need to create a `.grype.yaml` with known accepted vulnerabilities in a project while we are waiting for downstream dependencies to update. Details of how to do this are documented at https://oss.anchore.com/docs/guides/vulnerability/filter-results/#ignore-specific-vulnerabilities-or-packages -# grant +## grant This scans for incompatible licenses in dependencies. There are several makefile targets defined that can be used to run this - either outputting to console, or to a json file. It can also run for just runtime dependencies or include dev dependencies. There is a default .grant.yaml file placed in home directories of devcontainers that lists acceptable licenses and known packages where the scanner incorrectly identified a license for a dependency. From c5812a49616e54a93dfd14957998871e002b4852 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Tue, 31 Mar 2026 16:49:25 +0000 Subject: [PATCH 25/29] add new target to scan docker image --- README.md | 1 + src/base/.devcontainer/Mk/check.mk | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index 239fbdc..6aeb74d 100644 --- a/README.md +++ b/README.md 
@@ -186,6 +186,7 @@ Check targets (`check.mk`) - `grype-scan-json` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grype_analysis.json - `grype-scan-json-dev-dependencies` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. Outputs file to .sbom/grype_analysis.dev.json - `grype-scan-local` - Uses grype to scan local folders for vulnerabilities. This is installed as a pre-commit hook in each project. +- `grype-scan-docker-image` - Uses grype to scan a docker image for vulnerabilities. This image to scan must be set in the environment variable DOCKER_IMAGE - `grant-scan` - Uses grant to scan for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. - `grant-scan-dev-dependencies` - Uses grant to scan for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. - `grant-scan-json` - Uses grant to scan for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grant_analysis.json diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk index 23df227..6ac2402 100644 --- a/src/base/.devcontainer/Mk/check.mk +++ b/src/base/.devcontainer/Mk/check.mk @@ -132,6 +132,13 @@ grype-scan-local: grype \ --fail-on high \ . + +grype-scan-docker-image: guard-DOCKER_IMAGE + grype "${DOCKER_IMAGE}" \ + --scope all-layers \ + --sort-by severity \ + --fail-on high + grant-scan: syft-generate-sbom grant check \ .sbom/sbom.cdx.json From 084f5e1b92a0772a50cfe252966ae0d4945b7821 Mon Sep 17 00:00:00 2001 
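Review bot: `grype-scan-docker-image` passes `--scope all-layers`, which reports packages found in any layer, including ones deleted by a later `RUN`, so some findings may not exist in the final filesystem; grype's default `squashed` scope reports only what a container actually runs with. Either is defensible (deleted files still ship in the pushed image blobs), but the choice should be stated in the recipe: `# all-layers: also reports packages removed in later layers, since they are still in the pushed image`. If `DOCKER_IMAGE` is a mutable tag, what grype resolves may differ from the image that was just built unless it is present in the local daemon, so pass a digest (`repo@sha256:...`) from CI where possible. The `${DOCKER_IMAGE}` reference is expanded by make rather than the shell, which is fine here only because `guard-DOCKER_IMAGE` has already established that the variable is set.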
From: Anthony Brown Date: Wed, 1 Apr 2026 07:30:38 +0000 Subject: [PATCH 26/29] do not fail on grant error --- src/base/.devcontainer/.grant.yaml | 18 ++++++++++-------- src/base/.devcontainer/Mk/check.mk | 6 ++++++ 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/src/base/.devcontainer/.grant.yaml b/src/base/.devcontainer/.grant.yaml index a82ba75..f7c01ca 100644 --- a/src/base/.devcontainer/.grant.yaml +++ b/src/base/.devcontainer/.grant.yaml @@ -1,16 +1,18 @@ allow: - MIT* - - Apache-2.0 - - BSD-2-Clause + - Apache-* + - BSD-*-Clause - BSD-3-Clause - - ISC + - ISC* - 0BSD - Unlicense - - CC0-1.0 - - BlueOak-1.0.0 + - CC0-* + - BlueOak-* - BSD - - MPL-2.0 - - CC-BY-4.0 - - Python-2.0 + - MPL-* + - CC-BY-* + - Python-* + - Artistic-* ignore-packages: - "case" +require-license: false diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk index 6ac2402..770ac14 100644 --- a/src/base/.devcontainer/Mk/check.mk +++ b/src/base/.devcontainer/Mk/check.mk @@ -97,12 +97,14 @@ zizmor: syft-generate-sbom: syft \ + --exclude './.github/**' \ --output cyclonedx-json=.sbom/sbom.cdx.json \ dir:./ syft-generate-sbom-dev-dependencies: SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true \ syft \ + --exclude './.github/**' \ --output cyclonedx-json=.sbom/sbom.dev.cdx.json \ dir:./ @@ -141,20 +143,24 @@ grype-scan-docker-image: guard-DOCKER_IMAGE grant-scan: syft-generate-sbom grant check \ + --dry-run \ .sbom/sbom.cdx.json grant-scan-dev-dependencies: syft-generate-sbom-dev-dependencies grant check \ + --dry-run \ .sbom/sbom.dev.cdx.json grant-scan-json: syft-generate-sbom grant check .sbom/sbom.cdx.json \ --output json \ --quiet \ + --dry-run \ --output-file ".sbom/grant_analysis.json" grant-scan-json-dev-dependencies: syft-generate-sbom-dev-dependencies grant check .sbom/sbom.dev.cdx.json \ --output json \ --quiet \ + --dry-run \ --output-file ".sbom/grant_analysis.dev.json" From 69416c4b1433002fa7f94c5dcecf4004bd3e63bf Mon Sep 17 00:00:00 2001 
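Review bot: Widening the allow list to globs admits licenses this policy almost certainly does not intend: `CC-BY-*` also matches `CC-BY-NC-*`, `CC-BY-SA-*` and `CC-BY-ND-*`, `BSD-*-Clause` matches `BSD-4-Clause`, and `Apache-*`/`MPL-*` match the 1.x versions, while `require-license: false` lets a package with no detectable license through silently. Keep the exact identifiers from the previous version and add only the specific variants that were actually hit, e.g. `- CC-BY-4.0`, `- Apache-2.0`, `- MPL-2.0`, with a comment naming the package that needed each addition. If `require-license: false` is needed to get the scan green, mark it as such: `# temporary: packages without license metadata are not flagged; track in <ticket>` so the relaxation stays visible.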
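Review bot: The new `--exclude './.github/**'` in both syft targets has no comment saying why, and it removes workflow files from the SBOM, so any GitHub Actions that syft's action catalogers would otherwise have recorded (and grype matched against advisories) are no longer covered by these targets; as far as I can tell the `zizmor` target earlier in this file covers that case, and if that is the reason, say so: `# .github excluded: workflow/action usage is audited by the zizmor target, not via the SBOM`. If the reason is something else (noise, or files syft misreads), record that instead so nobody removes the exclude without knowing what it was for.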
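Review bot: Adding `--dry-run` to all four `grant-scan*` targets means, per the commit subject, that a license violation no longer fails any of them, so there is now no target a CI job can use as a license gate and nothing in the file says this is intentional or temporary. Keep the console targets report-only if that is the goal, but leave the JSON targets (or at least one target) failing so a pipeline can enforce policy, and document the choice above `grant-scan`: `# --dry-run: report violations without failing; remove once the allow list in .grant.yaml is settled`. The exact semantics of `--dry-run` in grant are inferred from the subject line here, so confirm it does not also skip writing `--output-file` for the JSON targets.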
From: Anthony Brown Date: Wed, 1 Apr 2026 07:58:39 +0000 Subject: [PATCH 27/29] update following comment --- src/base/.devcontainer/Mk/check.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk index 770ac14..dbfc858 100644 --- a/src/base/.devcontainer/Mk/check.mk +++ b/src/base/.devcontainer/Mk/check.mk @@ -96,12 +96,14 @@ zizmor: zizmor --min-severity medium . syft-generate-sbom: + mkdir -p .sbom syft \ --exclude './.github/**' \ --output cyclonedx-json=.sbom/sbom.cdx.json \ dir:./ syft-generate-sbom-dev-dependencies: + mkdir -p .sbom SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true \ syft \ --exclude './.github/**' \ From 70c677e3032953e6060abd516deaca3b1cef6817 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 1 Apr 2026 08:02:23 +0000 Subject: [PATCH 28/29] fix path --- .github/workflows/build_multi_arch_image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 07b0fc9..4786826 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml @@ -102,8 +102,8 @@ jobs: - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f name: Upload scan results with: - name: "grype_${{ inputs.container_name }}_${{ matrix.arch }}.json" - path: .grype_out/grype_${{ inputs.container_name }}_${{ matrix.arch }}.json + name: "grype_${{ inputs.container_name }}_${{ inputs.docker_tag }}-${{ matrix.arch }}.json" + path: .grype_out/grype_${{ inputs.container_name }}_${{ inputs.docker_tag }}-${{ matrix.arch }}.json - name: Check docker vulnerabilities - text output run: | make scan-image From b5ec4639b0460df512b2cf39ad48746846c2efee Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 1 Apr 2026 10:09:39 +0000 Subject: [PATCH 29/29] fix formatting --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 6aeb74d..8dd2bae 100644 --- a/README.md +++ b/README.md @@ -180,7 +180,7 @@ Check targets (`check.mk`) - `guard-` - checks if an environment variable is set and errors if it is not - `zizmor` - runs [zizmor](https://github.com/zizmorcore/zizmor) in the local directory to check github workflows and actions - `syft-generate-sbom` - uses syft to generate an sbom in cyclonedx-json format. This *does not* include dev dependencies. Outputs file to .sbom/sbom.cdx.json. -- `syft-generate-sbom-dev-dependencies`- uses syft to generate an sbom in cyclonedx-json format. This *DOES* include dev dependencies. Outputs file to .sbom/sbom.dev.cdx.json. +- `syft-generate-sbom-dev-dependencies` - uses syft to generate an sbom in cyclonedx-json format. This *DOES* include dev dependencies. Outputs file to .sbom/sbom.dev.cdx.json. - `grype-scan` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. - `grype-scan-dev-dependencies` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. - `grype-scan-json` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grype_analysis.json