From f75cfa90f60b9eebcf932f2a0929b19bdb2eeee6 Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Fri, 24 Oct 2025 16:33:28 +0000 Subject: [PATCH 1/9] fix sonar issuses --- .github/workflows/docker_image_build.yml | 4 ++-- .github/workflows/docker_image_upload.yml | 19 ++++++++++++------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/.github/workflows/docker_image_build.yml b/.github/workflows/docker_image_build.yml index c4c5791..c6c357a 100644 --- a/.github/workflows/docker_image_build.yml +++ b/.github/workflows/docker_image_build.yml @@ -27,9 +27,9 @@ jobs: id: build-cdk-utils-build-image run: | docker build -t "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" -f docker/Dockerfile --build-arg VERSION=${{ inputs.VERSION_NUMBER }} . - docker save "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" -o cdk-utils-build.img + docker save "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" -o cdk-utils-build.img - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@00943011d9042930efac3dcd3a170e4273319bc8 name: Upload docker images with: name: docker_artifact diff --git a/.github/workflows/docker_image_upload.yml b/.github/workflows/docker_image_upload.yml index 7c9a307..ff9f421 100644 --- a/.github/workflows/docker_image_upload.yml +++ b/.github/workflows/docker_image_upload.yml @@ -21,7 +21,7 @@ on: secrets: CDK_PUSH_IMAGE_ROLE: required: true - + jobs: upload_docker_image: runs-on: ubuntu-22.04 
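Review bot: `- uses: actions/upload-artifact@00943011d9042930efac3dcd3a170e4273319bc8` pins the action to a bare commit with no indication of which release that commit is, so a reader (or Dependabot's pin-tracking) cannot tell what version is in use or whether the pin is still current. Append the release as a trailing comment, `- uses: actions/upload-artifact@00943011d9042930efac3dcd3a170e4273319bc8 # <release tag>`, filled in from the action's own release page. The same applies to the checkout, download-artifact, configure-aws-credentials and github-script pins introduced in the later hunks of this series. The `docker save` line in this hunk changes only whitespace.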
@@ -60,23 +60,28 @@ jobs: - name: Retrieve AWS Account ID id: retrieve-account-id run: echo "ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_ENV" - + - name: Login to Amazon ECR id: login-ecr run: | aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com - name: Push tagged version cdk-utils-build to Amazon ECR + env: + VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }} + DOCKER_IMAGE_TAG: ${{ inputs.DOCKER_IMAGE_TAG }} run: | - docker tag "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.DOCKER_IMAGE_TAG }}" - docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.DOCKER_IMAGE_TAG }}" + docker tag "cdk-utils-build:${VERSION_NUMBER}" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${DOCKER_IMAGE_TAG}" + docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${DOCKER_IMAGE_TAG}" - name: Push latest cdk-utils-build to Amazon ECR if: ${{ inputs.TAG_LATEST == true }} + env: + VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }} run: | - docker tag "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:latest" - docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:latest" - + docker tag "cdk-utils-build:${VERSION_NUMBER}" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:latest" + docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:latest" + - name: Check cdk-utils-build scan results env: REPOSITORY_NAME: cdk-utils-build-repo From 69a66d3afb7aed9279dc98ff42ad9fc577256b1f Mon Sep 17 00:00:00 2001 
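Review bot: `docker tag "cdk-utils-build:${VERSION_NUMBER}" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/..."` now reads `ACCOUNT_ID` from the shell environment, but the context step that sets it (`echo "ACCOUNT_ID=$(aws sts get-caller-identity ...)" >> "$GITHUB_ENV"`) only checks echo's exit status, so a failed lookup silently writes an empty value and the push targets a host of `.dkr.ecr.eu-west-2.amazonaws.com` with an obscure error. Add a guard as the first line of each push script, `: "${ACCOUNT_ID:?ACCOUNT_ID is empty}"`, or make the retrieve step fail when its output is empty. The same applies to the `latest` push step below, which also duplicates the registry host string that could be computed once.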
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Fri, 24 Oct 2025 16:37:44 +0000 Subject: [PATCH 2/9] fix more issues --- .github/workflows/docker_image_build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker_image_build.yml b/.github/workflows/docker_image_build.yml index c6c357a..7f4876b 100644 --- a/.github/workflows/docker_image_build.yml +++ b/.github/workflows/docker_image_build.yml @@ -25,9 +25,11 @@ jobs: - name: Build cdk-utils-build Docker image id: build-cdk-utils-build-image + env: + VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }} run: | - docker build -t "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" -f docker/Dockerfile --build-arg VERSION=${{ inputs.VERSION_NUMBER }} . - docker save "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" -o cdk-utils-build.img + docker build -t "cdk-utils-build:${VERSION_NUMBER}" -f docker/Dockerfile --build-arg VERSION="${VERSION_NUMBER}" . + docker save "cdk-utils-build:${VERSION_NUMBER}" -o cdk-utils-build.img - uses: actions/upload-artifact@00943011d9042930efac3dcd3a170e4273319bc8 name: Upload docker images From 43ec059fb9b7909b777eddf04019ea06a07ef872 Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Fri, 24 Oct 2025 16:42:30 +0000 Subject: [PATCH 3/9] even more sonar fixes --- .devcontainer/Dockerfile | 1 - docker/Dockerfile | 39 ++++++++++++++++++++++++++------------- docker/entrypoint.sh | 6 +++--- 3 files changed, 29 insertions(+), 17 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index e5f17e5..772bc99 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,6 +1,5 @@ FROM mcr.microsoft.com/devcontainers/base:ubuntu - ARG TARGETARCH ENV TARGETARCH=${TARGETARCH} diff --git a/docker/Dockerfile b/docker/Dockerfile index 226cfb2..ed8dd55 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -1,33 +1,46 @@ FROM ubuntu:24.04 +ARG TARGETARCH +ENV TARGETARCH=${TARGETARCH} + +ARG ASDF_VERSION +COPY .tool-versions.asdf /tmp/.tool-versions.asdf + ARG VERSION RUN apt-get update \ && export DEBIAN_FRONTEND=noninteractive \ - && apt-get -y upgrade - -RUN export DEBIAN_FRONTEND=noninteractive \ + && apt-get -y upgrade \ && apt-get -y install --no-install-recommends ca-certificates curl git jq make unzip wget \ && apt-get clean # install aws stuff -ADD https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip /tmp/awscliv2.zip -RUN unzip /tmp/awscliv2.zip -d /tmp/aws-cli && \ +# Download correct AWS CLI for arch +RUN if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \ + wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; \ + else \ + wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; \ + fi && \ + unzip /tmp/awscliv2.zip -d /tmp/aws-cli && \ /tmp/aws-cli/aws/install && \ - rm tmp/awscliv2.zip && \ - rm -rf /tmp/aws-cli + rm /tmp/awscliv2.zip && rm -rf /tmp/aws-cli + +# Install ASDF +RUN ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) && \ + if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then \ + wget -O /tmp/asdf.tar.gz https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz; \ + else \ + wget -O /tmp/asdf.tar.gz https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz; \ + fi && \ + tar -xvzf /tmp/asdf.tar.gz && \ + mv asdf /usr/bin RUN useradd -ms /bin/bash cdkuser RUN chown -R cdkuser /home/cdkuser WORKDIR /home/cdkuser USER cdkuser -# Install ASDF -RUN git clone https://github.com/asdf-vm/asdf.git /home/cdkuser/.asdf --branch v0.14.1; \ - echo '. /home/cdkuser/.asdf/asdf.sh' >> ~/.bashrc; \ - echo '. 
/home/cdkuser/.asdf/completions/asdf.bash' >> ~/.bashrc; \ - echo 'PATH="$PATH:/home/cdkuser/.asdf/bin/"' >> ~/.bashrc; -ENV PATH="$PATH:/home/cdkuser/.asdf/bin/:/home/cdkuser/node_modules/.bin" +ENV PATH="$PATH:/home/cdkuser/.asdf/shims/:/home/cdkuser/node_modules/.bin" # Install ASDF plugins RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index e5a2ca1..0bcc034 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -9,7 +9,7 @@ echo "**************************************" echo echo -if [ -z "${CDK_APP_PATH}" ]; then +if [[ -z "${CDK_APP_PATH}" ]]; then echo "CDK_APP_PATH is unset or set to the empty string" exit 1 fi @@ -23,13 +23,13 @@ cd /home/cdkuser/workspace/ || exit asdf install asdf reshim nodejs -if [ "${SHOW_DIFF}" = "true" ] +if [[ "${SHOW_DIFF}" = "true" ]] then echo "Running diff" npx cdk diff \ --app "npx ts-node --prefer-ts-exts ${CDK_APP_PATH}" fi -if [ "${DEPLOY_CODE}" = "true" ] +if [[ "${DEPLOY_CODE}" = "true" ]] then echo "Running deploy" npx cdk deploy \ From 72dc36edce809f12d10d25de8424c5002c81bcf7 Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Fri, 24 Oct 2025 16:48:51 +0000 Subject: [PATCH 4/9] correct sha --- .github/workflows/docker_image_build.yml | 4 ++-- .github/workflows/docker_image_upload.yml | 6 +++--- .github/workflows/pull_request.yml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker_image_build.yml b/.github/workflows/docker_image_build.yml index 7f4876b..39bda5b 100644 --- a/.github/workflows/docker_image_build.yml +++ b/.github/workflows/docker_image_build.yml @@ -19,7 +19,7 @@ jobs: packages: read steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 with: ref: ${{ env.BRANCH_NAME }} 
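Review bot: The AWS CLI download step's second test, `[ "$TARGETARCH" == "aarch64" ]`, uses `==`, which dash (the `/bin/sh` that `RUN` invokes on ubuntu:24.04) rejects with an "unexpected operator" error; the amd64 path only works because the failing test is treated as false and falls through to the x86_64 branch, while the asdf block below correctly uses `=`. Change it to `[ "$TARGETARCH" = "aarch64" ]`. Neither the AWS CLI zip nor the asdf tarball is checked against a published checksum or signature before being installed as root into the image, so a tampered or truncated download is only noticed if unzip/tar fails; verifying a checksum inside the same RUN would close that gap. `ARG ASDF_VERSION` at the top of the hunk is dead, since the install step reassigns it from `/tmp/.tool-versions.asdf`, and `/tmp/asdf.tar.gz` and that file are left behind in the layer.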
@@ -31,7 +31,7 @@ jobs: docker build -t "cdk-utils-build:${VERSION_NUMBER}" -f docker/Dockerfile --build-arg VERSION="${VERSION_NUMBER}" . docker save "cdk-utils-build:${VERSION_NUMBER}" -o cdk-utils-build.img - - uses: actions/upload-artifact@00943011d9042930efac3dcd3a170e4273319bc8 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 name: Upload docker images with: name: docker_artifact diff --git a/.github/workflows/docker_image_upload.yml b/.github/workflows/docker_image_upload.yml index ff9f421..0a25dc8 100644 --- a/.github/workflows/docker_image_upload.yml +++ b/.github/workflows/docker_image_upload.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Checkout local github actions - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 with: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 @@ -40,14 +40,14 @@ jobs: .github - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v5 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 with: aws-region: eu-west-2 role-to-assume: ${{ secrets.CDK_PUSH_IMAGE_ROLE }} role-session-name: upload-cdk-utils-build - name: docker_artifact download - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: name: docker_artifact path: . diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index d7e292f..8742f84 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -41,7 +41,7 @@ jobs: issue_number: ${{steps.get_issue_number.outputs.result}} steps: - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd name: get issue number id: get_issue_number with: From b5a4da90774662f38f9a30a93c35a1b3a0f024ce Mon Sep 17 00:00:00 2001 
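Review bot: `uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8` reuses the exact SHA that the first patch in this series pinned to actions/upload-artifact, and which this commit replaces there with `ea165f8d65b6e75b540449e92b4886f43607fa02`; a commit can belong to only one of those repositories, so at least one of the two pins resolves to a commit that does not exist in its action's repository and the job fails at step resolution. Verify each SHA against the corresponding tag in its own repository before merging. This matters most for the credentials action, since it is the step that assumes `secrets.CDK_PUSH_IMAGE_ROLE`.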
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Fri, 24 Oct 2025 16:54:44 +0000 Subject: [PATCH 5/9] fix dockerfile --- docker/Dockerfile | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index ed8dd55..8eef59a 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -47,11 +47,6 @@ RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git # install some common node versions that are used in builds to speed things up RUN asdf install nodejs 20.19.1; \ asdf install nodejs 23.9.0 -# update npm -RUN export ASDF_DIR=/home/cdkuser/.asdf && \ - . /home/cdkuser/.asdf/asdf.sh && \ - asdf shell nodejs 20.19.1 && \ - cd ~/.asdf/installs/nodejs/20.19.1/lib && npm update npm # copy files needed for deployment COPY --chown=cdkuser docker/entrypoint.sh /home/cdkuser/ From 5393342a81d012385cbac78310330b473c06874a Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Fri, 24 Oct 2025 16:58:30 +0000 Subject: [PATCH 6/9] install common node versions --- docker/Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 8eef59a..8aaf62a 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -45,8 +45,9 @@ ENV PATH="$PATH:/home/cdkuser/.asdf/shims/:/home/cdkuser/node_modules/.bin" # Install ASDF plugins RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git # install some common node versions that are used in builds to speed things up -RUN asdf install nodejs 20.19.1; \ - asdf install nodejs 23.9.0 +RUN asdf install nodejs 22.20.0; \ + asdf install nodejs 22.12.0;\ + asdf install nodejs 20.19.0; # copy files needed for deployment COPY --chown=cdkuser docker/entrypoint.sh /home/cdkuser/ From 1a0ea9f1940bf35019ee0efb8404c9cabfdf67d8 Mon Sep 17 00:00:00 2001 
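Review bot: `RUN asdf install nodejs 22.20.0; \ asdf install nodejs 22.12.0;\ asdf install nodejs 20.19.0;` joins the three installs with `;`, so only the last command's exit status decides whether the layer builds and a failed download of either of the first two versions goes unnoticed at build time. Join them with `&&` instead, `RUN asdf install nodejs 22.20.0 && asdf install nodejs 22.12.0 && asdf install nodejs 20.19.0`, so any failure stops the build.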
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Fri, 24 Oct 2025 17:01:42 +0000 Subject: [PATCH 7/9] update scan script --- .../scripts/check_ecr_image_scan_results.sh | 183 ++++++++++++------ 1 file changed, 123 insertions(+), 60 deletions(-) diff --git a/.github/scripts/check_ecr_image_scan_results.sh b/.github/scripts/check_ecr_image_scan_results.sh index ecb900a..4a5222e 100755 --- a/.github/scripts/check_ecr_image_scan_results.sh +++ b/.github/scripts/check_ecr_image_scan_results.sh @@ -1,6 +1,9 @@ #!/usr/bin/env bash set -e +AWS_MAX_ATTEMPTS=20 +export AWS_MAX_ATTEMPTS + if [ -z "${REPOSITORY_NAME}" ]; then echo "REPOSITORY_NAME not set" exit 1 
@@ -11,65 +14,125 @@ if [ -z "${IMAGE_TAG}" ]; then exit 1 fi -function wait_for_scan() { - echo "Giving some time for scan to begin..." - sleep 3 - while [[ $(aws ecr describe-image-scan-findings --repository-name "${REPOSITORY_NAME}" --image-id imageTag="${IMAGE_TAG}" | jq -r .imageScanStatus.status) != "COMPLETE" ]];do - echo "SCAN IS NOT YET COMPLETE..." - sleep 3 - done - echo "Final sleep to ensure findings are shown correctly" - sleep 60 -} - -function check_for_high_critical_vuln() { - scan_results=$(aws ecr describe-image-scan-findings --repository-name "${REPOSITORY_NAME}" --image-id imageTag="${IMAGE_TAG}") - high=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "HIGH" and .status != "SUPPRESSED")') - critical=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "CRITICAL" and .status != "SUPPRESSED")') -} - -function return_scan_results() { - echo "=== BEGIN IMAGE SCAN RESULTS ===" - echo "$scan_results" - echo "=== END IMAGE SCAN RESULTS ===" -} - -function return_error() { - echo -e "\n**********************************************************" - echo "**********************************************************" - echo "**********************************************************" - echo "ERROR: There are CRITICAL/HIGH vulnerabilities. Stopping build." - echo "**********************************************************" - echo "**********************************************************" - echo "**********************************************************" - exit 2 -} - -function analyze_scan_results() { - if [[ -n "$critical" ]]; then - echo "ERROR: There are CRITICAL vulnerabilities. Stopping build." - - echo "=== BEGIN CRITICAL IMAGE SCAN RESULTS ===" - echo "$critical" - echo "=== END CRITICAL IMAGE SCAN RESULTS ===" - - return_scan_results - - return_error - elif [[ -n "$high" ]]; then - echo "ERROR: There are HIGH vulnerabilities. Stopping build." 
- - echo "=== BEGIN HIGH IMAGE SCAN RESULTS ===" - echo "$high" - echo "=== END HIGH IMAGE SCAN RESULTS ===" - - return_scan_results - return_error - else - return_scan_results +if [ -z "${AWS_REGION}" ]; then + echo "AWS_REGION not set" + exit 1 +fi + +if [ -z "${ACCOUNT_ID}" ]; then + echo "AWS_REGION not set" + exit 1 +fi + +IMAGE_DIGEST=$(aws ecr describe-images \ + --repository-name "$REPOSITORY_NAME" \ + --image-ids imageTag="$IMAGE_TAG" \ + --query 'imageDetails[0].imageDigest' \ + --output text) + +RESOURCE_ARN="arn:aws:ecr:${AWS_REGION}:${ACCOUNT_ID}:repository/${REPOSITORY_NAME}/${IMAGE_DIGEST}" + +echo "Monitoring scan for ${REPOSITORY_NAME}:${IMAGE_TAG}" +echo "Resource ARN: ${RESOURCE_ARN}" +echo + +# Wait for ECR scan to reach COMPLETE +STATUS="" +echo "Waiting for ECR scan to complete..." +for i in {1..30}; do + echo "Checking scan status. Attempt ${i}" + STATUS=$(aws ecr describe-image-scan-findings \ + --repository-name "$REPOSITORY_NAME" \ + --image-id imageDigest="$IMAGE_DIGEST" \ + --query 'imageScanStatus.status' \ + --output text 2>/dev/null || echo "NONE") + + if [[ "$STATUS" == "COMPLETE" ]]; then + echo "ECR scan completed." + break + fi + + if [[ "$STATUS" == "FAILED" ]]; then + echo "Scan failed." + exit 1 + fi + + echo "SCAN IS NOT YET COMPLETE. Waiting 10 seconds before checking again..." + sleep 10 +done + +if [[ "$STATUS" != "COMPLETE" ]]; then + echo "Timeout waiting for ECR scan to complete." + exit 1 +fi + +# Wait for Inspector2 findings to appear & stabilize +# this is in place as scan may show as complete but findings have not yet stabilize +echo +echo "Waiting for Inspector2 findings to stabilize..." 
+ +PREV_HASH="" +for i in {1..12}; do # ~2 minutes max + FINDINGS=$(aws inspector2 list-findings \ + --filter-criteria "{ + \"resourceId\": [{\"comparison\": \"EQUALS\", \"value\": \"${RESOURCE_ARN}\"}], + \"findingStatus\": [{\"comparison\": \"EQUALS\", \"value\": \"ACTIVE\"}] + }" \ + --output json 2>/dev/null || echo "{}") + + CURR_HASH=$(echo "$FINDINGS" | sha256sum) + COUNT=$(echo "$FINDINGS" | jq '.findings | length') + + if [[ "$COUNT" -gt 0 && "$CURR_HASH" == "$PREV_HASH" ]]; then + echo "Findings stabilized ($COUNT findings)." + break fi -} -wait_for_scan -check_for_high_critical_vuln -analyze_scan_results + PREV_HASH="$CURR_HASH" + echo "Attempt: ${i}. Still waiting... (${COUNT} findings so far)" + sleep 10 +done + +# Extract counts and display findings +echo +echo "Final Inspector2 findings with suppressions removed:" +echo + +echo "$FINDINGS" | jq '{ + findings: [ + .findings[]? | { + severity: .severity, + title: .title, + package: .packageVulnerabilityDetails.vulnerablePackages[0].name, + sourceUrl: .packageVulnerabilityDetails.sourceUrl, + recommendation: (.remediation.recommendation.text // "N/A") + } + ] +}' + +echo + +# Check for critical/high severity +CRITICAL_COUNT=$(echo "$FINDINGS" | jq '[.findings[]? | select(.severity=="CRITICAL")] | length') +HIGH_COUNT=$(echo "$FINDINGS" | jq '[.findings[]? | select(.severity=="HIGH")] | length') + +if (( CRITICAL_COUNT > 0 || HIGH_COUNT > 0 )); then + echo "${CRITICAL_COUNT} CRITICAL and ${HIGH_COUNT} HIGH vulnerabilities detected!" + echo + echo "Critical/High vulnerabilities:" + echo "$FINDINGS" | jq -r ' + .findings[]? | + select(.severity=="CRITICAL" or .severity=="HIGH") |{ + severity: .severity, + title: .title, + package: .packageVulnerabilityDetails.vulnerablePackages[0].name, + sourceUrl: .packageVulnerabilityDetails.sourceUrl, + recommendation: (.remediation.recommendation.text // "N/A") + }' + echo + echo "Failing pipeline due to Critical/High vulnerabilities." 
+ exit 2 +else + echo "No Critical or High vulnerabilities found." + exit 0 +fi From 4aacc83826ee15032dfb90b845703a6c47851f25 Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Fri, 24 Oct 2025 17:04:51 +0000 Subject: [PATCH 8/9] remove vulnerable versions --- docker/Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 8aaf62a..e8e2394 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -45,9 +45,7 @@ ENV PATH="$PATH:/home/cdkuser/.asdf/shims/:/home/cdkuser/node_modules/.bin" # Install ASDF plugins RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git # install some common node versions that are used in builds to speed things up -RUN asdf install nodejs 22.20.0; \ - asdf install nodejs 22.12.0;\ - asdf install nodejs 20.19.0; +RUN asdf install nodejs 22.20.0; # copy files needed for deployment COPY --chown=cdkuser docker/entrypoint.sh /home/cdkuser/ From 6ef89bac251d0f3c1c6a6f747646a80fe849968f Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Fri, 24 Oct 2025 17:18:41 +0000 Subject: [PATCH 9/9] fix dockerfile --- docker/entrypoint.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 0bcc034..c2bfe46 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -14,9 +14,6 @@ if [[ -z "${CDK_APP_PATH}" ]]; then exit 1 fi -# shellcheck source=/dev/null -source /home/cdkuser/.asdf/asdf.sh - sed -i -n '/nodejs/p' /home/cdkuser/workspace/.tool-versions cd /home/cdkuser/workspace/ || exit
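Review bot: The Inspector2 poll `FINDINGS=$(aws inspector2 list-findings ... 2>/dev/null || echo "{}")` fails open: an API or permission error becomes an empty findings set, the stabilization loop falls through after 12 attempts with no signal, and the final gate prints "No Critical or High vulnerabilities found." and exits 0. Dropping the `|| echo "{}"` lets the script's `set -e` abort on an API error, and a stable flag lets the post-loop code fail closed when a non-empty finding set was still changing at timeout (only a zero count after the full window is allowed through, with a warning). The ACCOUNT_ID guard near the top of the hunk also reports the wrong variable and should read `echo "ACCOUNT_ID not set"`. The rewritten poll loop and post-loop check follow.

```shell
# … unchanged: variable checks, digest lookup, ECR scan status wait loop …
STABLE=false
PREV_HASH=""
for i in {1..12}; do # ~2 minutes max
  # No "|| echo {}" here: an API/permission error must abort (set -e), not read as "no findings".
  FINDINGS=$(aws inspector2 list-findings \
    --filter-criteria "{
      \"resourceId\": [{\"comparison\": \"EQUALS\", \"value\": \"${RESOURCE_ARN}\"}],
      \"findingStatus\": [{\"comparison\": \"EQUALS\", \"value\": \"ACTIVE\"}]
    }" \
    --output json)

  CURR_HASH=$(echo "$FINDINGS" | sha256sum)
  COUNT=$(echo "$FINDINGS" | jq '.findings | length')

  if [[ "$COUNT" -gt 0 && "$CURR_HASH" == "$PREV_HASH" ]]; then
    echo "Findings stabilized ($COUNT findings)."
    STABLE=true
    break
  fi

  PREV_HASH="$CURR_HASH"
  echo "Attempt: ${i}. Still waiting... (${COUNT} findings so far)"
  sleep 10
done

if [[ "$STABLE" != "true" ]]; then
  if [[ "$COUNT" -gt 0 ]]; then
    # Findings were still changing at timeout: do not judge the image on a partial snapshot.
    echo "Inspector2 findings did not stabilize within the wait window. Failing closed."
    exit 1
  fi
  echo "WARNING: Inspector2 returned no findings during the wait window; treating image as clean."
fi
# … unchanged: findings display and CRITICAL/HIGH gate …
```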