Makefile
# Registry namespace every image built by this file is tagged under.
CONTAINER_PREFIX := ghcr.io/nhsdigital/eps-devcontainers/

# Optional knobs, intended to be given on the command line or in the
# environment (e.g. `make NO_CACHE=true build-image`). Each flag variable is
# left empty when its knob is unset, so it can be dropped into a command line
# without further conditionals.
ifneq ($(strip $(PLATFORM)),)
PLATFORM_FLAG := --platform $(PLATFORM)
endif
ifeq ($(strip $(NO_CACHE)),true)
NO_CACHE_FLAG := --no-cache
endif
# NOTE(review): PLATFORM_FLAG is not referenced by any rule in this file;
# only NO_CACHE_FLAG is consumed (by build-image).

# `install` is the first non-pattern target and therefore already the default
# goal; stating it explicitly keeps that true if rules are reordered.
.DEFAULT_GOAL := install
# guard-<NAME>: abort with exit status 1 unless Make sees a non-empty value
# for NAME. Listed as a prerequisite so a target fails before it runs any
# tool with a missing setting.
# NOTE(review): the check reads Make's variable ($($*)), while the recipes
# below read the same names from the shell environment ($${NAME}). The two
# agree for values that arrive via the environment or the command line, which
# Make exports to recipe shells; a value assigned only inside a makefile
# without `export` would pass the guard yet be empty in the recipe.
guard-%:
	@if [ -z "$($*)" ]; then \
		echo "Environment variable $* not set"; \
		exit 1; \
	fi
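# These targets are commands, not files; declare them phony so a stray file
# named `install` or `install-hooks` in the checkout cannot make them "up to date".
.PHONY: install install-python install-node install-hooks

# Set up a local development checkout: Python deps, Node deps, git hooks.
install: install-python install-node install-hooks

# Python dependencies (Poetry-managed virtualenv).
install-python:
	poetry install

# Node dependencies (provides the `devcontainer` CLI used via npx below).
install-node:
	npm install

# pre-commit is run through Poetry, so the Python environment must exist first.
# --overwrite replaces any hook scripts already present in .git/hooks.
install-hooks: install-python
	poetry run pre-commit install --install-hooks --overwrite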
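.PHONY: build-image

# Build one devcontainer image locally; --push false keeps it off the registry.
# Requires CONTAINER_NAME, BASE_VERSION_TAG, BASE_FOLDER and IMAGE_TAG to be
# non-empty (guarded). Note the two expansion styles on purpose:
#   ${CONTAINER_PREFIX} is expanded by Make (defined at the top of this file),
#   $${CONTAINER_NAME} etc. are read by the shell from the environment.
# --cache-from reuses layers of the previously published :latest image.
# NOTE(review): BASE_VERSION_TAG is guarded but not referenced in this recipe;
# presumably the devcontainer configuration reads it from the environment —
# confirm. PLATFORM_FLAG (defined above) is not passed here.
build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
	npx devcontainer build \
		--workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \
		$(NO_CACHE_FLAG) \
		--push false \
		--cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \
		--image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"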
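.PHONY: scan-image scan-image-json trivyignore-combined

# Regenerate the merged Trivy ignore list for the selected image from the
# shared list (src/common/.trivyignore.yaml) and the image-specific one.
# Each input is assumed to start with a single `vulnerabilities:` header line,
# which `sed -n '2,$p'` strips so all entries land under the one header
# written here. Either input may be absent. The output is rewritten on every
# scan, so what gets suppressed always reflects the current two files.
# Entries in these lists exempt findings from the --exit-code 1 gate in the
# scan targets below, so changes to them deserve the same review as the
# images themselves.
# NOTE(review): the generated file is presumably referenced from the per-image
# trivy.yaml passed via --config — confirm.
trivyignore-combined: guard-CONTAINER_NAME guard-BASE_FOLDER
	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
	common="src/common/.trivyignore.yaml"; \
	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
	echo "vulnerabilities:" > "$$combined"; \
	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi

# Scan the locally built image for HIGH/CRITICAL vulnerabilities and print a
# table; --exit-code 1 makes the target fail on any unsuppressed finding.
# IMAGE_TAG is guarded here (it was only guarded in scan-image-json before):
# the recipe reads $${IMAGE_TAG}, and an empty value would produce the
# malformed reference "<prefix><name>:".
scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG trivyignore-combined
	trivy image \
		--severity HIGH,CRITICAL \
		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
		--scanners vuln \
		--exit-code 1 \
		--format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"

# Same scan, written as JSON to .out/scan_results_docker.json for downstream
# tooling; the .out directory is created if missing.
scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG trivyignore-combined
	mkdir -p .out
	trivy image \
		--severity HIGH,CRITICAL \
		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
		--scanners vuln \
		--exit-code 1 \
		--format json \
		--output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"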
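.PHONY: shell-image

# Open an interactive bash shell in the selected image for manual inspection.
# NOTE(review): `docker run` is invoked without --rm, so each session leaves a
# stopped container behind until it is pruned.
shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
	docker run -it \
		"${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \
		bash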
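# All of these are commands, not files. Without .PHONY a file called `test`
# or `lint` in the checkout would silently make the target "up to date".
.PHONY: lint test lint-githubactions github-login lint-githubaction-scripts

# Aggregate lint target. lint-githubaction-scripts is not part of it and
# must be invoked explicitly.
lint: lint-githubactions

# NOTE(review): there is no test suite yet; this target prints a message and
# exits 0, so a CI step running `make test` passes without testing anything.
test:
	echo "Not implemented"

# Static checks on the workflow files under .github/workflows.
lint-githubactions:
	actionlint

# Authenticate the GitHub CLI with the minimal scope needed to pull packages
# (read:packages) from ghcr.io.
github-login:
	gh auth login --scopes read:packages

# Shell-script checks for the helper scripts used by the workflows.
lint-githubaction-scripts:
	shellcheck .github/scripts/*.sh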