From 8d9980a7d1e89806909b7d429abd173d13e639a2 Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 15:23:43 +0000
Subject: [PATCH 01/11] check scan result properly

---
 .../scripts/check_ecr_image_scan_results.sh | 30 ++++++++++++++-----
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/.github/scripts/check_ecr_image_scan_results.sh b/.github/scripts/check_ecr_image_scan_results.sh
index 1b13306..1a65671 100755
--- a/.github/scripts/check_ecr_image_scan_results.sh
+++ b/.github/scripts/check_ecr_image_scan_results.sh
@@ -1,4 +1,5 @@
-#!/bin/bash
+#!/usr/bin/env bash
+set -e
 
 if [ -z "${REPOSITORY_NAME}" ]; then
 echo "REPOSITORY_NAME not set"
@@ -17,12 +18,14 @@ function wait_for_scan() {
 echo "SCAN IS NOT YET COMPLETE..."
 sleep 3
 done
+ echo "Final sleep to ensure suppressions are applied correctly"
+ sleep 5
 }
 
 function check_for_high_critical_vuln() {
 scan_results=$(aws ecr describe-image-scan-findings --repository-name "${REPOSITORY_NAME}" --image-id imageTag="${IMAGE_TAG}")
- high=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.HIGH)
- critical=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.CRITICAL)
+ high=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "HIGH" and .status != "SUPPRESSED")')
+ critical=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "CRITICAL" and .status != "SUPPRESSED")')
 }
 
 function return_scan_results() {
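Review bot: `set -e` on its own still lets two failure modes through in the functions further down this file: an unset `IMAGE_TAG` expands to an empty string in `--image-id imageTag=""` (only `REPOSITORY_NAME` is checked on the following lines; whether IMAGE_TAG is checked later is outside this hunk), and a failing first stage of a pipeline is hidden by the status of the stage after it. `set -euo pipefail` on the line after the shebang closes both. With `-u` the existing check must read `if [ -z "${REPOSITORY_NAME:-}" ]; then`, otherwise the unbound-variable error fires before the message is printed.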
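Review bot: The new jq filters in `check_for_high_critical_vuln` fail open: `.imageScanFindings.enhancedFindings[]?` produces nothing when `enhancedFindings` is absent — a repository on basic scanning returns only `findingSeverityCounts`, which the removed lines read — so `high` and `critical` are both empty and the caller treats the image as clean. Guard the response shape before filtering, e.g. `echo "$scan_results" | jq -e '.imageScanFindings | has("enhancedFindings")' >/dev/null || { echo "ERROR: scan results contain no enhancedFindings"; exit 1; }`. Two points to confirm: `.status != "SUPPRESSED"` also lets `CLOSED` findings fail the build if the API returns them in this response (`.status == "ACTIVE"` would be the tighter condition), and `describe-image-scan-findings` is paginated, so seeing every finding relies on the CLI's default auto-pagination not being disabled in the runner's config. The `wait_for_scan` body at the top of the hunk begins outside it; its new 5-second settle delay is a timing heuristic rather than a checked condition.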
@@ -35,7 +38,7 @@ function return_error() {
 echo -e "\n**********************************************************"
 echo "**********************************************************"
 echo "**********************************************************"
- echo "ERROR: There are CRITICAL/HIGH vulnerabilties. Stopping build."
+ echo "ERROR: There are CRITICAL/HIGH vulnerabilities. Stopping build."
 echo "**********************************************************"
 echo "**********************************************************"
 echo "**********************************************************"
@@ -43,12 +46,23 @@ function return_error() {
 }
 
 function analyze_scan_results() {
- if [[ $critical -gt 0 ]]; then
- echo "ERROR: There are CRITICAL vulnerabilties. Stopping build."
+ if [[ -n "$critical" ]]; then
+ echo "ERROR: There are CRITICAL vulnerabilities. Stopping build."
+
+ echo "=== BEGIN CRITICAL IMAGE SCAN RESULTS ==="
+ echo "$critical"
+ echo "=== END CRITICAL IMAGE SCAN RESULTS ==="
+
 return_scan_results
+
 return_error
- elif [[ $high -gt 0 ]]; then
- echo "ERROR: There are HIGH vulnerabilties. Stopping build."
+ elif [[ -n "$high" ]]; then
+ echo "ERROR: There are HIGH vulnerabilities. Stopping build."
+
+ echo "=== BEGIN HIGH IMAGE SCAN RESULTS ==="
+ echo "$high"
+ echo "=== END HIGH IMAGE SCAN RESULTS ==="
+
 return_scan_results
 return_error
 else

From aa911b2723ff4fbde0f32bd35b90b3c5304c1c28 Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 15:34:23 +0000
Subject: [PATCH 02/11] remove vulnerable node

---
 docker/Dockerfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 18318da..af2a9fb 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
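Review bot: In `analyze_scan_results` the `elif` means that when an image has both CRITICAL and HIGH findings only the CRITICAL list is printed; the HIGH findings are discovered on the next run, after the criticals are fixed. The two branches also repeat the same six lines with only the severity word changed. Printing each non-empty list through one helper and then failing once keeps the exit behaviour and shows everything in a single run; the `else` branch and the end of the function lie outside this hunk.
```bash
# Print one severity's findings between delimiter lines.
print_findings() {
  local level=$1 findings=$2
  echo "ERROR: There are ${level} vulnerabilities. Stopping build."
  echo "=== BEGIN ${level} IMAGE SCAN RESULTS ==="
  echo "$findings"
  echo "=== END ${level} IMAGE SCAN RESULTS ==="
}

function analyze_scan_results() {
  local failed=0
  if [[ -n "$critical" ]]; then
    print_findings CRITICAL "$critical"
    failed=1
  fi
  if [[ -n "$high" ]]; then
    print_findings HIGH "$high"
    failed=1
  fi
  if (( failed )); then
    return_scan_results
    return_error
  # … unchanged: else branch, outside this hunk …
```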
@@ -34,7 +34,6 @@ RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
 # install some common node versions that are used in builds to speed things up
 RUN asdf install nodejs 20.19.1
 RUN asdf install nodejs 23.9.0
-RUN asdf install nodejs 20.17.0
 RUN asdf install nodejs 20.19.0
 RUN asdf install nodejs 22.12.0
 

From 9a0a428cb65815eaddb71a3f642fc40028361a33 Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 15:44:31 +0000
Subject: [PATCH 03/11] trigger build


From ce1be2481a5f2e1b17bc442317970197d6c0672c Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 16:02:51 +0000
Subject: [PATCH 04/11] use sha in image tage

---
 .github/workflows/ci.yml | 5 +++++
 .github/workflows/docker_image_upload.yml | 3 +++
 .github/workflows/pull_request.yml | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 20b80bf..3ce7bdc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -136,6 +136,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.DEV_CDK_PUSH_IMAGE_ROLE }}
 
@@ -153,6 +154,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.QA_CDK_PUSH_IMAGE_ROLE }}
 
@@ -170,6 +172,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.REF_CDK_PUSH_IMAGE_ROLE }}
 
@@ -187,6 +190,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.INT_CDK_PUSH_IMAGE_ROLE }}
 
@@ -204,5 +208,6 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+ DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.PROD_CDK_PUSH_IMAGE_ROLE }}
diff --git a/.github/workflows/docker_image_upload.yml b/.github/workflows/docker_image_upload.yml
index 1b97fb3..3a5ef05 100644
--- a/.github/workflows/docker_image_upload.yml
+++ b/.github/workflows/docker_image_upload.yml
@@ -15,6 +15,9 @@ on:
 TAG_LATEST:
 required: true
 type: boolean
+ DOCKER_IMAGE_TAG:
+ required: true
+ type: string
 secrets:
 CDK_PUSH_IMAGE_ROLE:
 required: true
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 611ceae..bd64e98 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -46,11 +46,13 @@ jobs:
 runs-on: ubuntu-22.04
 outputs:
 commit_id: ${{ steps.commit_id.outputs.commit_id }}
+ sha_short: ${{ steps.commit_id.outputs.sha_short }}
 steps:
 - name: Get Commit ID
 id: commit_id
 run: |
 echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+ echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
 
 package_code:
 needs: [get_issue_number, quality_checks, get_commit_id]
@@ -67,5 +69,6 @@ jobs:
 VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: false
+ DOCKER_IMAGE_TAG: PR-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.DEV_CDK_PUSH_IMAGE_ROLE }}

From 3972f6070f1fc8e4a948995594a51c80660ece13 Mon Sep 17 00:00:00 2001
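Review bot: The new required input `DOCKER_IMAGE_TAG` in docker_image_upload.yml carries no `description:`, and because every ci.yml caller in this patch passes the same expression as `VERSION_NUMBER` while pull_request.yml passes a SHA-suffixed value, a reader of the reusable workflow cannot tell when the two are meant to differ. Suggest adding `description: Tag applied to the image pushed to ECR (PR builds append a short commit SHA so each push is distinct)` under the input.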
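Review bot: `git rev-parse --short HEAD` in the `get_commit_id` step needs a working tree that this job does not check out at this point (its only step is "Get Commit ID"), and even with a checkout `--short` chooses the abbreviation length from the repository's object count, so the resulting tag can change length over time and between clones. Since `commit_id` on the line above already comes from `github.sha`, derive the short form from the same value without git: `echo "sha_short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"`. That also guarantees the two outputs name the same commit, which matters because the `DOCKER_IMAGE_TAG` line in the second hunk of this file embeds `sha_short` next to `COMMIT_ID`.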
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 16:09:28 +0000
Subject: [PATCH 05/11] tag the image correctly

---
 .github/workflows/docker_image_upload.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker_image_upload.yml b/.github/workflows/docker_image_upload.yml
index 3a5ef05..c5db165 100644
--- a/.github/workflows/docker_image_upload.yml
+++ b/.github/workflows/docker_image_upload.yml
@@ -68,8 +68,8 @@ jobs:
 
 - name: Push tagged version cdk-utils-build to Amazon ECR
 run: |
- docker tag "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.VERSION_NUMBER }}"
- docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.VERSION_NUMBER }}"
+ docker tag "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.DOCKER_IMAGE_TAG }}"
+ docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.DOCKER_IMAGE_TAG }}"
 
 - name: Push latest cdk-utils-build to Amazon ECR
 if: ${{ inputs.TAG_LATEST == true }}

From 9c92813aa56b867e88fe959f8eed1726f54087bf Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 16:18:51 +0000
Subject: [PATCH 06/11] really fix it

---
 .github/workflows/docker_image_upload.yml | 2 +-
 .github/workflows/pull_request.yml | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker_image_upload.yml b/.github/workflows/docker_image_upload.yml
index c5db165..40d687b 100644
--- a/.github/workflows/docker_image_upload.yml
+++ b/.github/workflows/docker_image_upload.yml
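Review bot: `${{ inputs.DOCKER_IMAGE_TAG }}` and `${{ inputs.VERSION_NUMBER }}` are substituted into the `run:` script text before bash parses it, so the double quotes on the `docker tag` and `docker push` lines do not protect against a value containing a quote or shell metacharacter. The values come from workflow-controlled sources (release tag, issue number, short SHA), so the exposure today is low, but the usual hardening is to hand them to the step through `env:` — `env:` / `DOCKER_IMAGE_TAG: ${{ inputs.DOCKER_IMAGE_TAG }}` — and reference `"$DOCKER_IMAGE_TAG"` inside the script, where quoting does apply. The same applies to the `VERSION_NUMBER` expansion on the same lines.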
@@ -80,7 +80,7 @@ jobs:
 - name: Check cdk-utils-build scan results
 env:
 REPOSITORY_NAME: cdk-utils-build-repo
- IMAGE_TAG: ${{ inputs.VERSION_NUMBER }}
+ IMAGE_TAG: ${{ inputs.DOCKER_IMAGE_TAG }}
 working-directory: .github/scripts
 run: |
 ./check_ecr_image_scan_results.sh
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index bd64e98..93097c4 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -48,6 +48,11 @@ jobs:
 commit_id: ${{ steps.commit_id.outputs.commit_id }}
 sha_short: ${{ steps.commit_id.outputs.sha_short }}
 steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ env.BRANCH_NAME }}
+
 - name: Get Commit ID
 id: commit_id
 run: |

From b55f5943b9c14870a0bd0a9e72092dcbbea03933 Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 16:25:15 +0000
Subject: [PATCH 07/11] fix install

---
 .pre-commit-config.yaml | 2 +-
 pyproject.toml | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 704efcd..0588836 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,4 +42,4 @@ repos:
 pass_filenames: false
 fail_fast: true
 
-default_stages: [commit]
+default_stages: [pre-commit]
diff --git a/pyproject.toml b/pyproject.toml
index 5e97d99..a847a18 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -11,6 +11,7 @@ authors = [
 ]
 readme = "README.md"
 repository = "https://github.com/NHSDigital/eps-cdk-util"
+package-mode = false
 
 [tool.poetry.dependencies]
 python = "^3.12"
@@ -23,4 +24,4 @@ pip-licenses = "^5.0.0"
 
 [build-system]
 requires = ["poetry>=1.8"]
-build-backend = "poetry.masonry.api"
\ No newline at end of file
+build-backend = "poetry.masonry.api"

From f36d1571c9b7a1c17a422149aced20fdec4fd599 Mon Sep 17 00:00:00 2001
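Review bot: The checkout added to `get_commit_id` uses `ref: ${{ env.BRANCH_NAME }}` while the step below it (its `run:` body is just outside the hunk) still takes `commit_id` from `github.sha`; on `pull_request` events `github.sha` is the merge commit rather than the branch head, so `commit_id` and the `sha_short` computed from this checkout can name two different commits, and the image tag would then not match the COMMIT_ID recorded with it. `BRANCH_NAME` is also not defined in this hunk — presumably a workflow-level `env`, worth confirming it is set for this job. Deriving both outputs from one source (`sha_short=${GITHUB_SHA::7}`, which needs no checkout, or `commit_id=$(git rev-parse HEAD)` from this checkout) removes the ambiguity.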
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 16:26:08 +0000
Subject: [PATCH 08/11] remove vulnerable node

---
 docker/Dockerfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index af2a9fb..63f4307 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -35,7 +35,6 @@ RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
 RUN asdf install nodejs 20.19.1
 RUN asdf install nodejs 23.9.0
 RUN asdf install nodejs 20.19.0
-RUN asdf install nodejs 22.12.0
 
 # copy files needed for deployment
 COPY --chown=cdkuser docker/entrypoint.sh /home/cdkuser/

From 9b321ba70ba79c7496b2c392f63b2af6020c3e13 Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 16:26:58 +0000
Subject: [PATCH 09/11] remove vulnerable node

---
 docker/Dockerfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 63f4307..08f8ce4 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -34,7 +34,6 @@ RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
 # install some common node versions that are used in builds to speed things up
 RUN asdf install nodejs 20.19.1
 RUN asdf install nodejs 23.9.0
-RUN asdf install nodejs 20.19.0
 
 # copy files needed for deployment
 COPY --chown=cdkuser docker/entrypoint.sh /home/cdkuser/

From fe1a276ad320ac2410dab83d0bcd20d1c240d64c Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 16:51:03 +0000
Subject: [PATCH 10/11] wait a bit longer

---
 .github/scripts/check_ecr_image_scan_results.sh | 4 ++--
 docker/Dockerfile | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/scripts/check_ecr_image_scan_results.sh b/.github/scripts/check_ecr_image_scan_results.sh
index 1a65671..ecb900a 100755
--- a/.github/scripts/check_ecr_image_scan_results.sh
+++ b/.github/scripts/check_ecr_image_scan_results.sh
@@ -18,8 +18,8 @@ function wait_for_scan() {
 echo "SCAN IS NOT YET COMPLETE..."
 sleep 3
 done
- echo "Final sleep to ensure suppressions are applied correctly"
- sleep 5
+ echo "Final sleep to ensure findings are shown correctly"
+ sleep 60
 }
 
 function check_for_high_critical_vuln() {
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 08f8ce4..06ba731 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -32,8 +32,9 @@ ENV PATH="$PATH:/home/cdkuser/.asdf/bin/:/home/cdkuser/node_modules/.bin"
 # Install ASDF plugins
 RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
 # install some common node versions that are used in builds to speed things up
-RUN asdf install nodejs 20.19.1
-RUN asdf install nodejs 23.9.0
+RUN asdf install nodejs 20.19.1; \
+ asdf install nodejs 23.9.0; \
+ cd ~/.asdf/installs/nodejs/20.19.1/lib && npm update npm
 
 # copy files needed for deployment
 COPY --chown=cdkuser docker/entrypoint.sh /home/cdkuser/

From d1d53d715e4d0f7c832edeeaf45af18bc51927c3 Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 17:14:14 +0000
Subject: [PATCH 11/11] fix dockerfile

---
 docker/Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 06ba731..226cfb2 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -33,7 +33,11 @@ ENV PATH="$PATH:/home/cdkuser/.asdf/bin/:/home/cdkuser/node_modules/.bin"
 RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
 # install some common node versions that are used in builds to speed things up
 RUN asdf install nodejs 20.19.1; \
- asdf install nodejs 23.9.0; \
+ asdf install nodejs 23.9.0
+# update npm
+RUN export ASDF_DIR=/home/cdkuser/.asdf && \
+ . /home/cdkuser/.asdf/asdf.sh && \
+ asdf shell nodejs 20.19.1 && \
 cd ~/.asdf/installs/nodejs/20.19.1/lib && npm update npm
 
 # copy files needed for deployment
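Review bot: The `sleep 60` after the poll loop in `wait_for_scan` is a fixed delay standing in for a condition the script could check: if the findings list populates after the scan status flips to complete (which the message change suggests was observed), an unconditional minute both slows every build and still fails open whenever the delay is too short, because empty findings are treated as a clean image by `check_for_high_critical_vuln` below. Prefer polling until the findings are present, e.g. a bounded retry loop around `echo "$scan_results" | jq -e '.imageScanFindings.enhancedFindings' >/dev/null`, or at minimum make the delay overridable with `sleep "${SCAN_SETTLE_SECONDS:-60}"`. The loop that precedes these lines begins outside the hunk.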
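Review bot: The commands in the rewritten `RUN` are joined with `;`, so a failed `asdf install nodejs 20.19.1` does not fail the build and the layer is cached with a partial toolchain; `npm update npm` then pulls whatever npm is current at build time, so two builds of the same Dockerfile can produce different images. Join the steps with `&&` and pin the version, e.g. `RUN asdf install nodejs 20.19.1 && \` / `    asdf install nodejs 23.9.0` and `npm install npm@<pinned version>` in place of `npm update npm`. The `;` separator between the two `asdf install` lines survives unchanged into the PATCH 11 hunk below.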
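Review bot: The new `RUN` updates only the npm bundled with nodejs 20.19.1; the 23.9.0 install two lines above keeps its bundled npm, so if this step exists to clear a scanner finding against npm (the surrounding commits drop Node versions for the same reason), that finding presumably remains for 23.9.0 — worth confirming against the scan output, or repeating the step for 23.9.0. The `# update npm` comment would be more useful if it recorded the intent and scope, e.g. `# update the npm bundled with nodejs 20.19.1 (image-scan finding); 23.9.0 is left as shipped`.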