build common node

Author: anthony-nhs

.github/workflows/build_all_images.yml

@@ -17,17 +17,22 @@ jobs:
   discover_folders:
     runs-on: ubuntu-latest
     outputs:
+      base_node_folders: ${{ steps.find-folders.outputs.base_node }}
       language_folders: ${{ steps.find-folders.outputs.languages }}
       project_folders: ${{ steps.find-folders.outputs.projects }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - id: find-folders
         run: |
+          base_node_folders=$(find src/base_node -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
           language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
           project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
-          echo "languages=$language_folders" >> "$GITHUB_OUTPUT"
-          echo "projects=$project_folders" >> "$GITHUB_OUTPUT"
+          {
+            echo "base_node=$base_node_folders"
+            echo "languages=$language_folders"
+            echo "projects=$project_folders"
+          } >> "$GITHUB_OUTPUT"
   package_base_docker_image:
     uses: ./.github/workflows/build_multi_arch_image.yml
     with:
@@ -36,9 +41,25 @@ jobs:
       container_name: base
       base_folder: "."
       NO_CACHE: ${{ inputs.NO_CACHE }}
+  package_base_node_images:
+    needs:
+      - package_base_docker_image
+      - discover_folders
+    strategy:
+      fail-fast: false
+      matrix:
+            container_name: ${{ fromJson(needs.discover_folders.outputs.base_node_folders) }}
+    uses: ./.github/workflows/build_multi_arch_image.yml
+    with:
+      tag_latest: ${{ inputs.tag_latest }}
+      docker_tag: ${{ inputs.docker_tag }}
+      container_name: ${{ matrix.container_name }}
+      base_folder: "base_node"
+      NO_CACHE: ${{ inputs.NO_CACHE }}
   package_language_docker_images:
     needs:
       - package_base_docker_image
+      - package_base_node_images
       - discover_folders
     strategy:
       fail-fast: false
@@ -54,7 +75,6 @@ jobs:
   package_project_docker_images:
     needs:
       - package_language_docker_images
-
       - discover_folders
     strategy:
       fail-fast: false

.github/workflows/build_multi_arch_image.yml

@@ -72,17 +72,6 @@ jobs:
         run: |
           echo "Building image..."
           make build-image
-
-          echo "Creating combined trivy ignore file"
-          # create combined trivy ignore file for use in trivy scan, combining common and specific ignore files if they exist
-          combined="src/${BASE_FOLDER}/${CONTAINER_NAME}/.trivyignore_combined.yaml"
-          common="src/common/.trivyignore.yaml"
-          specific="src/${BASE_FOLDER}/${CONTAINER_NAME}/.trivyignore.yaml"
-          echo "vulnerabilities:" > "$combined"
-          if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi
-          if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi
-          echo "Combined trivy ignore file created at $combined"
-
         env:
           ARCHITECTURE: '${{ matrix.arch }}'
           CONTAINER_NAME: '${{ inputs.container_name }}'
@@ -92,41 +81,33 @@ jobs:
           BASE_FOLDER: "${{ inputs.base_folder }}"
           NO_CACHE: '${{ inputs.NO_CACHE }}'
       - name: Check docker vulnerabilities - json output
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
-        with:
-          scan-type: "image"
-          image-ref:  "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
-          severity: "CRITICAL,HIGH"
-          scanners: "vuln"
-          vuln-type: "os,library"
-          format: "json"
-          output: "scan_results_docker.json"
-          exit-code: "0"
-          trivy-config: src/${{ inputs.base_folder }}/${{ inputs.container_name }}/trivy.yaml
+        run: |
+          make scan-image-json
+        env:
+          CONTAINER_NAME: '${{ inputs.container_name }}'
+          BASE_FOLDER: "${{ inputs.base_folder }}"
+          IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
+          EXIT_CODE: 0
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         name: Upload scan results
         with:
           name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
-          path: scan_results_docker.json
-      - name: Check docker vulnerabilities - table output
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
-        with:
-          scan-type: "image"
-          image-ref:  "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
-          severity: "CRITICAL,HIGH"
-          scanners: "vuln"
-          vuln-type: "os,library"
-          format: "table"
-          output: "scan_results_docker.txt"
-          exit-code: "1"
-          trivy-config: src/${{ inputs.base_folder }}/${{ inputs.container_name }}/trivy.yaml
+          path: .out/scan_results_docker.json
+      - name: Check docker vulnerabilities - json output
+        run: |
+          make scan-image-json
+        env:
+          CONTAINER_NAME: '${{ inputs.container_name }}'
+          BASE_FOLDER: "${{ inputs.base_folder }}"
+          IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
+          EXIT_CODE: "1"
 
       - name: Show docker vulnerability output
         if: always()
         run: |
           echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
-          if [ -f scan_results_docker.txt ]; then
-            cat scan_results_docker.txt
+          if [ -f .out/scan_results_docker.txt ]; then
+            cat .out/scan_results_docker.txt
           fi
         env:
           ARCHITECTURE: '${{ matrix.arch }}'

Makefile

@@ -44,20 +44,23 @@ scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER
 	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
 	common="src/common/.trivyignore.yaml"; \
 	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
+	exit_code="$${EXIT_CODE:-1}"; \
 	echo "vulnerabilities:" > "$$combined"; \
 	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
 	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi
 	trivy image \
 		--severity HIGH,CRITICAL \
 		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
 		--scanners vuln \
-		--exit-code 1 \
-		--format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
+		--exit-code "$$exit_code" \
+		--format table \
+		--output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
 
 scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
 	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
 	common="src/common/.trivyignore.yaml"; \
 	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
+	exit_code="$${EXIT_CODE:-1}"; \
 	echo "vulnerabilities:" > "$$combined"; \
 	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
 	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi
@@ -66,7 +69,7 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
 		--severity HIGH,CRITICAL \
 		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
 		--scanners vuln \
-		--exit-code 1 \
+		--exit-code "$$exit_code" \
 		--format json \
 		--output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" 
 

README.md

@@ -132,16 +132,17 @@ It is important that
 - the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions
 
 # Project structure
-We have 4 types of dev container. These are defined under src
+We have 5 types of dev container. These are defined under src
 
 `base` - this is the base image that all others are based on.   
-`languages` - this installs specific versions of node and python.   
+`base_node` - images that install node - most language projects rely on one of these
+`languages` - this installs specific versions of python - normally based off a node image   
 `projects` - this is used for projects where more customization is needed than just a base language image.   
 `githubactions` - this just takes an existing image and remaps vscode user to be 1001 so it can be used by github actions.   
 
 Each image to be built contains a .devcontainer folder that defines how the devcontainer should be built. At a minimum, this should contain a devcontainer.json file. See https://containers.dev/implementors/json_reference/ for options for this
 
-Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder.
+Images under languages should point to a dockerfile under src/common or src/common_node_24 that is based off the base or node image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder.
 
 We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude all known vulnerabilities
 
@@ -180,6 +181,14 @@ CONTAINER_NAME=base \
   IMAGE_TAG=local-build \
   make build-image
 ``` 
+Base node 24 image
+```
+CONTAINER_NAME=node_24 \
+  BASE_VERSION_TAG=local-build \
+  BASE_FOLDER=base_node \
+  IMAGE_TAG=local-build \
+  make build-image
+```
 Language images
 ```
 CONTAINER_NAME=node_24_python_3_14 \
@@ -212,6 +221,13 @@ CONTAINER_NAME=base \
   IMAGE_TAG=local-build \
   make scan-image
 ```
+Base node 24 image
+```
+CONTAINER_NAME=node_24 \
+  BASE_FOLDER=languages \
+  IMAGE_TAG=local-build \
+  make scan-image
+```
 Language images
 ```
 CONTAINER_NAME=node_24_python_3_12 \

src/base_node/node_24/.devcontainer/.tool-versions

@@ -0,0 +1 @@
+nodejs 24.13.0

src/base_node/node_24/.devcontainer/devcontainer.json

@@ -0,0 +1,18 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+    "name": "EPS Devcontainer node_24",
+    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+    "build": {
+      "dockerfile": "../../../common/Dockerfile",
+      "args": {
+        "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
+        "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
+        "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
+        "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
+      },
+      "context": "."
+    },
+    "features": {}
+  }
+  

src/base_node/node_24/.devcontainer/scripts/root_install.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -e
+export DEBIAN_FRONTEND=noninteractive
+
+# clean up
+apt-get clean
+rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

src/base_node/node_24/.devcontainer/scripts/vscode_install.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e
+
+asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
+asdf install

src/base_node/node_24/.trivyignore.yaml

@@ -0,0 +1,27 @@
+vulnerabilities:
+  - id: CVE-2026-25547
+    statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"
+    purls:
+      - "pkg:npm/%40isaacs/brace-expansion@5.0.0"
+    expired_at: 2026-08-12
+  - id: CVE-2025-64756
+    statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames"
+    purls:
+      - "pkg:npm/glob@10.4.5"
+      - "pkg:npm/glob@11.0.3"
+    expired_at: 2026-08-12
+  - id: CVE-2026-23745
+    statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives"
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-08-12
+  - id: CVE-2026-23950
+    statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition"
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-08-12
+  - id: CVE-2026-24842
+    statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check"
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-08-12

src/base_node/node_24/trivy.yaml

@@ -0,0 +1 @@
+ignorefile: "src/languages/node_24_python_3_12/.trivyignore_combined.yaml"