build trivy another way

Author: anthony-nhs

.devcontainer/Dockerfile

@@ -74,7 +74,9 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \
     mkdir -p /usr/share/secrets-scanner && \
     chmod 755 /usr/share/secrets-scanner && \
     curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
-COPY --from=build /tmp/trivy_amd64/trivy /usr/local/bin/trivy
+
+COPY --from=build /tmp/trivy_${TARGETARCH}/trivy /usr/local/bin/trivy
+
 USER vscode
 
 ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"

.github/workflows/build_all_images.yml

@@ -33,40 +33,9 @@ jobs:
             echo "node_24_languages=$node_24_language_folders"
             echo "projects=$project_folders"
           } >> "$GITHUB_OUTPUT"
-  download_trivy:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      - name: Install cosign
-        run: |
-          ./scripts/install_cosign.sh
-        env:
-          INSTALL_DIR: ${HOME}/.local/bin
-      - name: Get amd64 trivy
-        run: |
-          ./scripts/install_trivy.sh
-        env:
-          INSTALL_DIR: trivy_amd64
-          ARCH: 64bit
-      - name: Get arm64 trivy
-        run: |
-          ./scripts/install_trivy.sh
-        env:
-          INSTALL_DIR: trivy_arm64
-          ARCH: ARM64
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
-        name: Upload trivy
-        with:
-          name: "trivy"
-          path: |
-            trivy_amd64/trivy
-            trivy_arm64/trivy
 
   package_base_docker_image:
     uses: ./.github/workflows/build_multi_arch_image.yml
-    needs: [
-      download_trivy
-    ]
     with:
       tag_latest: ${{ inputs.tag_latest }}
       docker_tag: ${{ inputs.docker_tag }}

.github/workflows/build_multi_arch_image.yml

@@ -63,14 +63,11 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
-      - name: Download trivy
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
-        with:
-          name: trivy
       - name: setup trivy
         run: |
-          sudo cp "trivy/trivy_${ARCH}/trivy" /usr/local/bin/
-          chmod +x /usr/local/bin/trivy
+           docker build  --output=/usr/local/bin/ -f "src/trivy/Dockerfile.${ARCH}" .
+        env:
+          ARCH: '${{ matrix.arch }}'
       - name: setup node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:

.devcontainer/Dockerfile.test src/trivy/Dockerfile.amd64.devcontainer/Dockerfile.test renamed to src/trivy/Dockerfile.amd64

@@ -1,10 +1,13 @@
-FROM golang:1.26.1-bookworm
+FROM golang:1.26.1-bookworm AS build
 RUN apt-get update && apt-get install -y \
     jq \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 COPY scripts/install_cosign.sh /tmp/install_cosign.sh
 COPY scripts/install_trivy.sh /tmp/install_trivy.sh
 RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
-RUN INSTALL_DIR=trivy_arm64 ARCH=ARM64 /tmp/install_trivy.sh
-RUN INSTALL_DIR=trivy_amd64 ARCH=64bit /tmp/install_trivy.sh
+RUN INSTALL_DIR=/tmp/trivy/ ARCH=64bit /tmp/install_trivy.sh
+
+FROM scratch
+COPY --from=build /tmp/trivy/trivy /
+ENTRYPOINT ["/trivy"]

src/trivy/Dockerfile.arm64

@@ -0,0 +1,13 @@
+FROM golang:1.26.1-bookworm AS build
+RUN apt-get update && apt-get install -y \
+    jq \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+COPY scripts/install_cosign.sh /tmp/install_cosign.sh
+COPY scripts/install_trivy.sh /tmp/install_trivy.sh
+RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh
+RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh
+
+FROM scratch
+COPY --from=build /tmp/trivy/trivy /
+ENTRYPOINT ["/trivy"]