add makefiles

Author: anthony-nhs

README.md

@@ -154,7 +154,7 @@ CONTAINER_NAME=base \
 ``` 
 Language images
 ```
-CONTAINER_NAME=node_24_python_3_13 \
+CONTAINER_NAME=node_24_python_3_14 \
   BASE_VERSION_TAG=local-build \
   BASE_FOLDER=languages \
   IMAGE_TAG=local-build \

src/base/.devcontainer/Dockerfile

@@ -2,39 +2,37 @@ FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 
 ARG SCRIPTS_DIR=/usr/local/share/eps
 ARG CONTAINER_NAME
-ARG MULTI_ARCH_TAG
-ARG BASE_VERSION_TAG
 ARG IMAGE_TAG
 ARG TARGETARCH
 
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
-ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
-ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
-ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 
-LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
-LABEL org.opencontainers.image.licenses=MIT
-LABEL org.opencontainers.image.version=${IMAGE_TAG}
-LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
-LABEL org.opencontainers.image.authors="NHS England EPS Team"
-LABEL org.opencontainers.image.base.image="mcr.microsoft.com/devcontainers/base:ubuntu-22.04"
-
 COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
-COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
+COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
+COPY --chmod=755 makefiles ${SCRIPTS_DIR}/makefiles
 
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
 
+COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode
 COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf
 COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions
 
-ENV PATH="/home/vscode/.asdf/shims/:$PATH"
+ENV PATH="/home/vscode/.asdf/shims/:/home/vscode/.guard/bin/:$PATH"
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./vscode_install.sh
 
 # Switch back to root to install the devcontainer CLI globally
 USER root
+
+ENV IMAGE_TAG=${IMAGE_TAG}
+
+LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
+LABEL org.opencontainers.image.licenses=MIT
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
+LABEL org.opencontainers.image.authors="NHS England EPS Team"
+LABEL org.opencontainers.image.base.image="mcr.microsoft.com/devcontainers/base:ubuntu-22.04"

src/base/.devcontainer/makefiles/build.mk

@@ -0,0 +1,16 @@
+.PHONY: install install-node docker-build compile
+install:
+	echo "Not implemented"
+	exit 1
+
+install-node:
+	echo "Not implemented"
+	exit 1
+
+docker-build:
+	echo "Not implemented"
+	exit 1
+
+compile:
+	echo "Not implemented"
+	exit 1

src/base/.devcontainer/makefiles/check.mk

@@ -0,0 +1,77 @@
+.PHONY: lint test shellcheck cfn-lint cdk-synth cfn-guard-sam-templates cfn-guard-cloudformation cfn-guard-cdk cfn-guard-terraform
+lint:
+	echo "Not implemented"
+	exit 1
+
+test:
+	echo "Not implemented"
+	exit 1
+
+shellcheck:
+	@if find .github/scripts -maxdepth 1 -type f -name "*.sh" | grep -q .; then \
+		shellcheck .github/scripts/*.sh; \
+	fi
+	@if find scripts -maxdepth 1 -type f -name "*.sh" | grep -q .; then \
+		shellcheck scripts/*.sh; \
+	fi
+
+cfn-lint:
+	cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
+	cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
+
+cdk-synth:
+	echo "Not implemented"
+	exit 1
+
+cfn-guard-sam-templates:
+	@bash -eu -o pipefail -c '\
+		rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
+		mkdir -p .cfn_guard_out; \
+		for ruleset in "$${rulesets[@]}"; do \
+			while IFS= read -r -d "" file; do \
+				SAM_OUTPUT=$$(sam validate -t "$$file" --region eu-west-2 --debug 2>&1 | grep -Pazo "(?s)AWSTemplateFormatVersion.*\\n/" | tr -d "\\0"); \
+				output_file=".cfn_guard_out/$${file}_$${ruleset}.txt"; \
+				mkdir -p "$$(dirname "$$output_file")"; \
+				echo "$${SAM_OUTPUT::-1}" | ~/.guard/bin/cfn-guard validate --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" --show-summary fail > "$$output_file"; \
+			done < <(find ./SAMtemplates -type f \( -name "*.yaml" -o -name "*.yml" \) -print0); \
+		done\
+	'
+
+cfn-guard-cloudformation:
+	@bash -eu -o pipefail -c '\
+		rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
+		mkdir -p .cfn_guard_out; \
+		for ruleset in "$${rulesets[@]}"; do \
+			~/.guard/bin/cfn-guard validate \
+				--data cloudformation \
+				--rules "/tmp/ruleset/output/$$ruleset.guard" \
+				--show-summary fail \
+				> ".cfn_guard_out/cloudformation_$$ruleset.txt"; \
+		done\
+	'
+
+cfn-guard-cdk:
+	@bash -eu -o pipefail -c '\
+		rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
+		mkdir -p .cfn_guard_out; \
+		for ruleset in "$${rulesets[@]}"; do \
+			~/.guard/bin/cfn-guard validate \
+				--data cdk.out \
+				--rules "/tmp/ruleset/output/$$ruleset.guard" \
+				--show-summary fail \
+				> ".cfn_guard_out/cdk_$$ruleset.txt"; \
+		done\
+	'
+
+cfn-guard-terraform:
+	@bash -eu -o pipefail -c '\
+		rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
+		mkdir -p .cfn_guard_out; \
+		for ruleset in "$${rulesets[@]}"; do \
+			~/.guard/bin/cfn-guard validate \
+				--data terraform_plans \
+				--rules "/tmp/ruleset/output/$$ruleset.guard" \
+				--show-summary fail \
+				> ".cfn_guard_out/terraform_$$ruleset.txt"; \
+		done\
+	'

src/base/.devcontainer/makefiles/common.mk

@@ -0,0 +1,3 @@
+include build.mk
+include check.mk
+include trivy.mk

src/base/.devcontainer/makefiles/trivy.mk

@@ -0,0 +1,92 @@
+.PHONY: trivy-license-check trivy-generate-sbom trivy-scan-python trivy-scan-node trivy-scan-go trivy-scan-java
+
+trivy-license-check:
+	mkdir -p .trivy_out/
+	@if [ -f poetry.lock ]; then \
+		poetry self add poetry-plugin-export; \
+		poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt; \
+	fi
+	@if [ -f src/go.sum ]; then \
+		cd src && go mod vendor; \
+	fi
+	VIRTUAL_ENV=./.venv/ trivy fs . \
+		--scanners license \
+		--severity HIGH,CRITICAL \
+		--config trivy.yaml \
+		--include-dev-deps \
+		--pkg-types library \
+		--exit-code 1 \
+		--output .trivy_out/license_scan.txt \
+		--format table
+	@if [ -f poetry.lock ]; then rm -f requirements.txt; fi
+	@if [ -f src/go.sum ]; then rm -rf src/vendor; fi
+
+trivy-generate-sbom:
+	mkdir -p .trivy_out/
+	trivy fs . \
+		--scanners vuln \
+		--config trivy.yaml \
+		--include-dev-deps \
+		--exit-code 0 \
+		--output .trivy_out/sbom.cdx.json \
+		--format cyclonedx
+
+trivy-scan-python:
+	mkdir -p .trivy_out/
+	trivy fs . \
+		--scanners vuln \
+		--severity HIGH,CRITICAL \
+		--config trivy.yaml \
+		--include-dev-deps \
+		--exit-code 1 \
+		--skip-files "**/package-lock.json,**/go.mod,**/pom.xml" \
+		--output .trivy_out/dependency_results_python.txt \
+		--format table
+
+trivy-scan-node:
+	mkdir -p .trivy_out/
+	trivy fs . \
+		--scanners vuln \
+		--severity HIGH,CRITICAL \
+		--config trivy.yaml \
+		--include-dev-deps \
+		--exit-code 1 \
+		--skip-files "**/poetry.lock,**/go.mod,**/pom.xml" \
+		--output .trivy_out/dependency_results_node.txt \
+		--format table
+
+trivy-scan-go:
+	mkdir -p .trivy_out/
+	trivy fs . \
+		--scanners vuln \
+		--severity HIGH,CRITICAL \
+		--config trivy.yaml \
+		--include-dev-deps \
+		--exit-code 1 \
+		--skip-files "**/poetry.lock,**/package-lock.json,**/pom.xml" \
+		--output .trivy_out/dependency_results_go.txt \
+		--format table
+
+trivy-scan-java:
+	mkdir -p .trivy_out/
+	trivy fs . \
+		--scanners vuln \
+		--severity HIGH,CRITICAL \
+		--config trivy.yaml \
+		--include-dev-deps \
+		--exit-code 1 \
+		--skip-files "**/poetry.lock,**/package-lock.json,**/go.mod" \
+		--output .trivy_out/dependency_results_java.txt \
+		--format table
+
+trivy-scan-docker:
+	mkdir -p .trivy_out/
+	trivy image $${DOCKER_IMAGE} \
+		--scanners vuln \
+		--severity HIGH,CRITICAL \
+		--config trivy.yaml \
+		--include-dev-deps \
+		--exit-code 1 \
+		--pkg-types os,library \
+		--output .trivy_out/dependency_results_docker.txt \
+		--format table

src/base/.devcontainer/scripts/root_install.sh

@@ -67,6 +67,11 @@ mkdir -p /usr/share/secrets-scanner
 chmod 755 /usr/share/secrets-scanner
 curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
 
+# get cfn-guard ruleset
+wget -O /tmp/ruleset.zip https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip >/dev/null 2>&1
+mkdir -p "${SCRIPTS_DIR}/cfnguard_rulesets"
+unzip /tmp/ruleset.zip -d "${SCRIPTS_DIR}/cfnguard_rulesets" >/dev/null 2>&1
+
 # fix user and group ids for vscode user to be 1001 so it can be used by github actions
 requested_uid=1001
 requested_gid=1001

src/base/.devcontainer/scripts/vscode_install.sh

@@ -21,6 +21,9 @@ asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git
 asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git
 asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
 
+# install cfn-guard
+$ curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
+
 # install base asdf versions of common tools
 cd /home/vscode
 asdf install

src/common/Dockerfile

@@ -12,24 +12,15 @@ ARG BASE_VERSION_TAG
 ARG IMAGE_TAG
 ARG TARGETARCH
 
-ENV BASE_IMAGE=${BASE_IMAGE}
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
-ENV CONTAINER_NAME=${CONTAINER_NAME}
-ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
-ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
-ENV IMAGE_TAG=${IMAGE_TAG}
 ENV TARGETARCH=${TARGETARCH}
 
-LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
-LABEL org.opencontainers.image.version=${IMAGE_TAG}
-LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
-LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
-
 USER root
-COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
+COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
 
+COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode
 
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
@@ -40,3 +31,14 @@ RUN ./vscode_install.sh
 
 # Switch back to root to install the devcontainer CLI globally
 USER root
+
+ENV CONTAINER_NAME=${CONTAINER_NAME}
+ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
+ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
+ENV IMAGE_TAG=${IMAGE_TAG}
+ENV BASE_IMAGE=${BASE_IMAGE}
+
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
+LABEL org.opencontainers.image.version=${IMAGE_TAG}
+LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}

src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh

@@ -7,3 +7,6 @@ asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
 
 asdf install python
 asdf install
+
+# install cfn-lint
+pip install --user cfn-lint