add syft and grype

Author: anthony-nhs

.github/workflows/build_multi_arch_image.yml

@@ -67,7 +67,12 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version: '24.14.0'
-  
+      - name: setup syft and grype
+        run: |
+          mkdir -p "$RUNNER_TEMP/bin"
+          docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.syft" src/base/.devcontainer/
+          docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.grype" src/base/.devcontainer/
+          echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
       - name: make install
         run: |
           make install-node
@@ -92,32 +97,28 @@ jobs:
           CONTAINER_NAME: '${{ inputs.container_name }}'
           BASE_FOLDER: "${{ inputs.base_folder }}"
           IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
-          EXIT_CODE: 0
-          EXTRA_COMMON: "${{ inputs.extra_common }}"
-      # - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
-      #   name: Upload scan results
-      #   with:
-      #     name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
-      #     path: .out/scan_results_docker.json
-      # - name: Check docker vulnerabilities - table output
-      #   run: |
-      #     make scan-image
-      #   env:
-      #     CONTAINER_NAME: '${{ inputs.container_name }}'
-      #     BASE_FOLDER: "${{ inputs.base_folder }}"
-      #     IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
-      #     EXIT_CODE: "1"
-      #     EXTRA_COMMON: "${{ inputs.extra_common }}"
-      # - name: Show docker vulnerability output
-      #   if: always()
-      #   run: |
-      #     echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
-      #     if [ -f .out/scan_results_docker.txt ]; then
-      #       cat .out/scan_results_docker.txt
-      #     fi
-      #   env:
-      #     ARCHITECTURE: '${{ matrix.arch }}'
-      #     DOCKER_TAG: '${{ inputs.docker_tag }}'
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        name: Upload scan results
+        with:
+          name: "grype_${{ inputs.container_name }}_${{ matrix.arch }}.json"
+          path: .grype_out/grype_${{ inputs.container_name }}_${{ matrix.arch }}.json
+      - name: Check docker vulnerabilities - text output
+        run: |
+          make scan-image
+        env:
+          CONTAINER_NAME: '${{ inputs.container_name }}'
+          BASE_FOLDER: "${{ inputs.base_folder }}"
+          IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
+      - name: Show docker vulnerability output
+        if: always()
+        run: |
+          echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
+          if [ -f .out/scan_results_docker.txt ]; then
+            cat .out/scan_results_docker.txt
+          fi
+        env:
+          ARCHITECTURE: '${{ matrix.arch }}'
+          DOCKER_TAG: '${{ inputs.docker_tag }}'
       - name: Push tagged image and rebuild for github actions
         run: |
           echo "Pushing image..."

Makefile

@@ -64,7 +64,12 @@ build-all: build-base-image build-node-24-image build-node-24-python-3-10-image
 	build-eps-storage-terraform-image build-eps-data-extract-image build-fhir-facade-image build-node-24-python-3-14-golang-1-24-image build-node-24-python-3-14-java-24-image \
 	build-regression-tests-image
 
-build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
+build-syft:
+	docker build -f src/base/.devcontainer/Dockerfile.syft --tag local_syft src/base/.devcontainer/
+build-grype:
+	docker build -f src/base/.devcontainer/Dockerfile.grype --tag local_grype src/base/.devcontainer/
+
+build-image: build-syft build-grype guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
 	npx devcontainer build \
 		--workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \
 		$(NO_CACHE_FLAG) \
@@ -83,11 +88,17 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG
 		-t "${CONTAINER_PREFIX}$${BASE_IMAGE_NAME}:githubactions-$${IMAGE_TAG}" \
 		.
 
-scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER
-	echo "Not implemented"
+scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
+	grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \
+		--scope all-layers \
+		--sort-by severity 
 
 scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
-	echo "Not implemented"
+	grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \
+		--scope all-layers \
+		--output json \
+		--file ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.json" \
+		--sort-by severity 
 
 shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
 	docker run -it \

src/base/.devcontainer/Dockerfile

@@ -1,3 +1,5 @@
+FROM local_syft AS syft-build
+FROM local_grype AS grype-build
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 
 ARG SCRIPTS_DIR=/usr/local/share/eps
@@ -16,6 +18,9 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
 
+COPY --from=syft-build /syft /usr/local/bin/syft
+COPY --from=grype-build /grype /usr/local/bin/grype
+
 COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode
 COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf

src/base/.devcontainer/Dockerfile.grype

@@ -0,0 +1,16 @@
+FROM alpine:3.23.3 AS build
+ARG TARGETARCH
+ARG GRYPE_VERSION="0.110.0"
+ENV GRYPE_VERSION=${GRYPE_VERSION}
+RUN apk add --no-cache cosign bash curl jq
+COPY --chmod=755 scripts/install_anchore_tool.sh /tmp/install_anchore_tool.sh
+RUN case "${TARGETARCH}" in \
+        x86_64|amd64) ANCHORE_ARCH=amd64 ;; \
+        aarch64|arm64) ANCHORE_ARCH=arm64 ;; \
+        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+    esac \
+   && INSTALL_DIR=/tmp/anchore/ TOOL=grype ARCH="${ANCHORE_ARCH}" VERSION="${GRYPE_VERSION}" /tmp/install_anchore_tool.sh
+
+FROM scratch
+COPY --from=build /tmp/anchore/grype /grype
+ENTRYPOINT ["/grype"]

src/base/.devcontainer/Dockerfile.syft

@@ -0,0 +1,16 @@
+FROM alpine:3.23.3 AS build
+ARG TARGETARCH
+ARG SYFT_VERSION="1.42.3"
+ENV SYFT_VERSION=${SYFT_VERSION}
+RUN apk add --no-cache cosign bash curl jq
+COPY --chmod=755 scripts/install_anchore_tool.sh /tmp/install_anchore_tool.sh
+RUN case "${TARGETARCH}" in \
+        x86_64|amd64) ANCHORE_ARCH=amd64 ;; \
+        aarch64|arm64) ANCHORE_ARCH=arm64 ;; \
+        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+    esac \
+    && INSTALL_DIR=/tmp/anchore/ TOOL=syft ARCH="${ANCHORE_ARCH}" VERSION="${SYFT_VERSION}" /tmp/install_anchore_tool.sh
+
+FROM scratch
+COPY --from=build /tmp/anchore/syft /syft
+ENTRYPOINT ["/syft"]

src/base/.devcontainer/scripts/install_anchore_tool.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DEFAULT_INSTALL_DIR="/usr/local/bin"
+INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
+BASE_URL="https://github.com/anchore/${TOOL}/releases/download/v${VERSION}"
+ARCHIVE="${TOOL}_${VERSION}_linux_${ARCH}.tar.gz"
+CHECKSUMS="${TOOL}_${VERSION}_checksums.txt"
+CHECKSUMS_PEM="${TOOL}_${VERSION}_checksums.txt.pem"
+CHECKSUMS_SIG="${TOOL}_${VERSION}_checksums.txt.sig"
+
+if [ -z "$TOOL" ]
+then
+      echo "\$TOOL is NULL"
+fi
+if [ -z "$ARCH" ]
+then
+      echo "\$ARCH is NULL"
+fi
+if [ -z "$VERSION" ]
+then
+      echo "\$VERSION is NULL"
+fi
+
+usage() {
+  cat <<'EOF'
+Usage: install_anchore_tool.sh
+
+Downloads an Anchore tool (syft or grype) archive and its sigstore bundle to a temporary directory,
+verifies the sigstore bundle following 
+https://oss.anchore.com/docs/installation/verification/,
+and installs the Anchore tool binary into INSTALL_DIR (default: /usr/local/bin).
+
+Environment variables:
+  INSTALL_DIR  Directory to install the Anchore tool binary into (default: /usr/local/bin)
+  VERSION      Anchore tool version tag to install
+  ARCH         Architecture suffix used in the download
+  TOOL         Anchore tool name, either "syft" or "grype"
+EOF
+}
+
+if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+  usage
+  exit 0
+fi
+
+for cmd in curl cosign; do
+  if ! command -v "$cmd" >/dev/null 2>&1; then
+    echo "Error: $cmd is required but not found in PATH" >&2
+    exit 1
+  fi
+done
+
+TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+download() {
+  local url="${1}" dest="${2}"
+  echo "Downloading ${dest} from ${url} ..."
+  curl -fsSL "${url}" -o "${dest}"
+}
+ARCHIVE_PATH="${TMP_DIR}/${ARCHIVE}"
+ALL_CHECKSUMS_PATH="${TMP_DIR}/${CHECKSUMS}"
+CHECKSUM_PATH="${TMP_DIR}/${ARCHIVE}.sha256sum"
+CHECKSUMS_PEM_PATH="${TMP_DIR}/${CHECKSUMS_PEM}"
+CHECKSUMS_SIG_PATH="${TMP_DIR}/${CHECKSUMS_SIG}"
+download "${BASE_URL}/${ARCHIVE}" "${ARCHIVE_PATH}"
+download "${BASE_URL}/${CHECKSUMS}" "${ALL_CHECKSUMS_PATH}"
+download "${BASE_URL}/${CHECKSUMS_PEM}" "${CHECKSUMS_PEM_PATH}"
+download "${BASE_URL}/${CHECKSUMS_SIG}" "${CHECKSUMS_SIG_PATH}"
+
+cosign verify-blob "${ALL_CHECKSUMS_PATH}" \
+  --certificate "${CHECKSUMS_PEM_PATH}" \
+  --signature "${CHECKSUMS_SIG_PATH}" \
+  --certificate-identity-regexp "https://github\.com/anchore/${TOOL}/\.github/workflows/.+" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+echo "Sigstore verification passed"
+
+grep "${ARCHIVE}" "${ALL_CHECKSUMS_PATH}" > "${CHECKSUM_PATH}"
+
+cd "${TMP_DIR}"
+sha256sum -c "${CHECKSUM_PATH}"
+echo "Checksum verification passed"
+tar -xzf "${ARCHIVE_PATH}" -C "${TMP_DIR}"
+
+mkdir -p "$INSTALL_DIR"
+install -m 0755 "$TMP_DIR/${TOOL}" "${INSTALL_DIR}/${TOOL}"
+
+echo "${TOOL} ${VERSION} installed to ${INSTALL_DIR}"