diff --git a/.github/scripts/check_ecr_image_scan_results.sh b/.github/scripts/check_ecr_image_scan_results.sh
index 1b13306..ecb900a 100755
--- a/.github/scripts/check_ecr_image_scan_results.sh
+++ b/.github/scripts/check_ecr_image_scan_results.sh
@@ -1,4 +1,5 @@
-#!/bin/bash
+#!/usr/bin/env bash
+set -e
 if [ -z "${REPOSITORY_NAME}" ]; then
 echo "REPOSITORY_NAME not set"
@@ -17,12 +18,14 @@ function wait_for_scan() {
 echo "SCAN IS NOT YET COMPLETE..."
 sleep 3
 done
+ echo "Final sleep to ensure findings are shown correctly"
+ sleep 60
 }
 function check_for_high_critical_vuln() {
 scan_results=$(aws ecr describe-image-scan-findings --repository-name "${REPOSITORY_NAME}" --image-id imageTag="${IMAGE_TAG}")
- high=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.HIGH)
- critical=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.CRITICAL)
+ high=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "HIGH" and .status != "SUPPRESSED")')
+ critical=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "CRITICAL" and .status != "SUPPRESSED")')
 }
 function return_scan_results() {
@@ -35,7 +38,7 @@ function return_error() {
 echo -e "\n**********************************************************"
 echo "**********************************************************"
 echo "**********************************************************"
- echo "ERROR: There are CRITICAL/HIGH vulnerabilties. Stopping build."
+ echo "ERROR: There are CRITICAL/HIGH vulnerabilities. Stopping build."
 echo "**********************************************************"
 echo "**********************************************************"
 echo "**********************************************************"
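Review bot: The new jq filters in check_for_high_critical_vuln fail open: `.imageScanFindings.enhancedFindings[]?` yields nothing at all when enhancedFindings is missing or null (basic scanning on the repository, findings not yet populated, or a changed response shape), so `high` and `critical` stay empty and the build passes as clean. Assert the array exists before filtering, e.g. `echo "$scan_results" | jq -e '.imageScanFindings.enhancedFindings | type == "array"' >/dev/null || { echo "ERROR: scan response has no enhancedFindings"; exit 1; }`. The `sleep 60` added to wait_for_scan (whose loop head is outside the hunk) looks like a workaround for the same late-population problem; polling until the array is present would make the gate deterministic, and if a fixed delay stays, the comment should say what it waits for rather than "shown correctly". The `.status != "SUPPRESSED"` test also counts any non-active status the scanner may report; if only active findings should fail the build, select `.status == "ACTIVE"` after confirming the status values in the response, and note the choice in a comment.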
@@ -43,12 +46,23 @@ function return_error() {
 }
 function analyze_scan_results() {
- if [[ $critical -gt 0 ]]; then
- echo "ERROR: There are CRITICAL vulnerabilties. Stopping build."
+ if [[ -n "$critical" ]]; then
+ echo "ERROR: There are CRITICAL vulnerabilities. Stopping build."
+
+ echo "=== BEGIN CRITICAL IMAGE SCAN RESULTS ==="
+ echo "$critical"
+ echo "=== END CRITICAL IMAGE SCAN RESULTS ==="
+
 return_scan_results
+
 return_error
- elif [[ $high -gt 0 ]]; then
- echo "ERROR: There are HIGH vulnerabilties. Stopping build."
+ elif [[ -n "$high" ]]; then
+ echo "ERROR: There are HIGH vulnerabilities. Stopping build."
+
+ echo "=== BEGIN HIGH IMAGE SCAN RESULTS ==="
+ echo "$high"
+ echo "=== END HIGH IMAGE SCAN RESULTS ==="
+
 return_scan_results
 return_error
 else
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 20b80bf..3ce7bdc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -136,6 +136,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.DEV_CDK_PUSH_IMAGE_ROLE }}
@@ -153,6 +154,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.QA_CDK_PUSH_IMAGE_ROLE }}
@@ -170,6 +172,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.REF_CDK_PUSH_IMAGE_ROLE }}
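Review bot: In analyze_scan_results the new BEGIN/END dumps only ever show one severity class: when both CRITICAL and HIGH findings exist the `if [[ -n "$critical" ]]` branch wins and the `elif` for `$high` is never reached, so the HIGH findings are absent from the log of a failing build. Print each non-empty set unconditionally and decide pass/fail afterwards, as sketched below; the function's `else` branch continues outside the hunk and is left as it is. The raw `echo "$critical"` output is one JSON object per finding, which is long; a one-line summary per finding (severity, package, vulnerability id) via jq would keep the log readable, but that is a preference.
```shell
function analyze_scan_results() {
  if [[ -n "$critical" ]]; then
    echo "=== BEGIN CRITICAL IMAGE SCAN RESULTS ==="
    echo "$critical"
    echo "=== END CRITICAL IMAGE SCAN RESULTS ==="
  fi
  if [[ -n "$high" ]]; then
    echo "=== BEGIN HIGH IMAGE SCAN RESULTS ==="
    echo "$high"
    echo "=== END HIGH IMAGE SCAN RESULTS ==="
  fi
  if [[ -n "$critical" || -n "$high" ]]; then
    echo "ERROR: There are CRITICAL/HIGH vulnerabilities. Stopping build."
    return_scan_results
    return_error
  else
    # … unchanged: else branch (outside the hunk) …
```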
@@ -187,6 +190,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.INT_CDK_PUSH_IMAGE_ROLE }}
@@ -204,5 +208,6 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.PROD_CDK_PUSH_IMAGE_ROLE }}
diff --git a/.github/workflows/docker_image_upload.yml b/.github/workflows/docker_image_upload.yml
index 1b97fb3..40d687b 100644
--- a/.github/workflows/docker_image_upload.yml
+++ b/.github/workflows/docker_image_upload.yml
@@ -15,6 +15,9 @@ on:
 TAG_LATEST:
 required: true
 type: boolean
+ DOCKER_IMAGE_TAG:
+ required: true
+ type: string
 secrets:
 CDK_PUSH_IMAGE_ROLE:
 required: true
@@ -65,8 +68,8 @@ jobs:
 - name: Push tagged version cdk-utils-build to Amazon ECR
 run: |
- docker tag "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.VERSION_NUMBER }}"
- docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.VERSION_NUMBER }}"
+ docker tag "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.DOCKER_IMAGE_TAG }}"
+ docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.DOCKER_IMAGE_TAG }}"
 - name: Push latest cdk-utils-build to Amazon ECR
 if: ${{ inputs.TAG_LATEST == true }}
@@ -77,7 +80,7 @@ jobs:
 - name: Check cdk-utils-build scan results
 env:
 REPOSITORY_NAME: cdk-utils-build-repo
- IMAGE_TAG: ${{ inputs.VERSION_NUMBER }}
+ IMAGE_TAG: ${{ inputs.DOCKER_IMAGE_TAG }}
 working-directory: .github/scripts
 run: |
 ./check_ecr_image_scan_results.sh
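Review bot: The step order in docker_image_upload.yml publishes before the gate runs: the tagged push in the hunk at line 68, then "Push latest cdk-utils-build to Amazon ECR" at the bottom of that same hunk, and only afterwards "Check cdk-utils-build scan results" in the hunk at line 80. A scan failure therefore stops the job after the `latest` tag already points at the image carrying the findings, so anything pulling `latest` receives it regardless of the check result. Move the "Push latest" step below the scan-results check (the steps between the two hunks are not visible here, so I cannot tell whether anything relies on the current order). Wiring the check to `inputs.DOCKER_IMAGE_TAG` is consistent with the push, since the scanned tag is now the one that was pushed.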
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 611ceae..93097c4 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -46,11 +46,18 @@ jobs:
 runs-on: ubuntu-22.04
 outputs:
 commit_id: ${{ steps.commit_id.outputs.commit_id }}
+ sha_short: ${{ steps.commit_id.outputs.sha_short }}
 steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ env.BRANCH_NAME }}
+
 - name: Get Commit ID
 id: commit_id
 run: |
 echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+ echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
 package_code:
 needs: [get_issue_number, quality_checks, get_commit_id]
@@ -67,5 +74,6 @@ jobs:
 VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: false
+ DOCKER_IMAGE_TAG: PR-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.DEV_CDK_PUSH_IMAGE_ROLE }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 704efcd..0588836 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,4 +42,4 @@ repos:
 pass_filenames: false
 fail_fast: true
-default_stages: [commit]
+default_stages: [pre-commit]
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 18318da..226cfb2 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
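Review bot: `sha_short` is computed with `git rev-parse --short HEAD` after checking out `env.BRANCH_NAME`, while `commit_id` on the line above it is `github.sha`; if BRANCH_NAME is the PR head branch these are different commits on pull_request events (github.sha is the merge ref), so the DOCKER_IMAGE_TAG built in the second hunk can embed a hash that does not correspond to COMMIT_ID, and `--short` does not guarantee a fixed width either. If the tag is meant to identify the same commit as COMMIT_ID, `echo "sha_short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"` derives it from the same value with a fixed width and makes the added checkout step unnecessary. `env.BRANCH_NAME` is defined in neither hunk; presumably it is set at workflow level, and a comment on the `ref:` line saying why the branch head rather than the default merge ref is checked out would help the next reader.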
@@ -32,11 +32,13 @@ ENV PATH="$PATH:/home/cdkuser/.asdf/bin/:/home/cdkuser/node_modules/.bin"
 # Install ASDF plugins
 RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
 # install some common node versions that are used in builds to speed things up
-RUN asdf install nodejs 20.19.1
-RUN asdf install nodejs 23.9.0
-RUN asdf install nodejs 20.17.0
-RUN asdf install nodejs 20.19.0
-RUN asdf install nodejs 22.12.0
+RUN asdf install nodejs 20.19.1; \
+ asdf install nodejs 23.9.0
+# update npm
+RUN export ASDF_DIR=/home/cdkuser/.asdf && \
+ . /home/cdkuser/.asdf/asdf.sh && \
+ asdf shell nodejs 20.19.1 && \
+ cd ~/.asdf/installs/nodejs/20.19.1/lib && npm update npm
 # copy files needed for deployment
 COPY --chown=cdkuser docker/entrypoint.sh /home/cdkuser/
diff --git a/pyproject.toml b/pyproject.toml
index 5e97d99..a847a18 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -11,6 +11,7 @@ authors = [
 ]
 readme = "README.md"
 repository = "https://github.com/NHSDigital/eps-cdk-util"
+package-mode = false
 [tool.poetry.dependencies]
 python = "^3.12"
@@ -23,4 +24,4 @@ pip-licenses = "^5.0.0"
 [build-system]
 requires = ["poetry>=1.8"]
-build-backend = "poetry.masonry.api"
\ No newline at end of file
+build-backend = "poetry.masonry.api"
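Review bot: `npm update npm` in the new RUN instruction installs whatever npm version the registry serves at build time, so two builds of the same Dockerfile can differ and a registry-side change lands in the image without review; pin it instead, e.g. `npm install -g npm@<pinned-npm-version>` (placeholder), and record why the bundled npm is being replaced in the `# update npm` comment. In the preceding instruction, `RUN asdf install nodejs 20.19.1; \` joins the two installs with `;`, so a failed install of 20.19.1 is masked by a successful 23.9.0 and only surfaces later at `asdf shell nodejs 20.19.1`; use `&& \` so the layer fails at the actual error. A one-line comment saying why the three Node versions removed here are no longer pre-installed would keep someone from re-adding them.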