-
Notifications
You must be signed in to change notification settings - Fork 0
Chore: [AEA-6413] - Verify trivy installation #64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 9 commits
e2f228d
ddbe311
d0be713
fa65932
890ce6c
906f8a0
3a69e97
3f0575b
6af21f1
b471edb
1a64425
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,15 @@ | ||
| FROM alpine:3.23.3 AS build | ||
| ARG TARGETARCH | ||
| RUN apk add --no-cache cosign bash curl jq | ||
| COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh | ||
| RUN case "${TARGETARCH}" in \ | ||
| x86_64|amd64) TRIVY_ARCH=64bit ;; \ | ||
| aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ | ||
| *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ | ||
| esac \ | ||
| && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh | ||
|
Comment on lines
+1
to
+10
|
||
|
|
||
|
|
||
| FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 | ||
| ARG TARGETARCH | ||
| ENV TARGETARCH=${TARGETARCH} | ||
|
|
@@ -64,11 +76,13 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \ | |
| chmod 755 /usr/share/secrets-scanner && \ | ||
| curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt | ||
|
|
||
| COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy | ||
|
|
||
| USER vscode | ||
|
|
||
| ENV PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin" | ||
| ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin" | ||
| RUN \ | ||
| echo 'PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \ | ||
| echo 'PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \ | ||
| echo '. <(asdf completion bash)' >> ~/.bashrc; \ | ||
| echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc; \ | ||
| echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc; \ | ||
|
|
@@ -82,9 +96,7 @@ RUN asdf plugin add python; \ | |
| asdf plugin add direnv; \ | ||
| asdf plugin add actionlint; \ | ||
| asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \ | ||
| asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \ | ||
| asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git | ||
|
|
||
| asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git; | ||
|
|
||
| WORKDIR /workspaces/eps-devcontainers | ||
| COPY .tool-versions /workspaces/eps-devcontainers/.tool-versions | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,3 +4,4 @@ src/base/.devcontainer/language_versions/ | |
| .trivyignore_combined.yaml | ||
| .out/ | ||
| .envrc | ||
| .trivy_out/ | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,5 +5,4 @@ shellcheck 0.11.0 | |
| direnv 2.37.1 | ||
| actionlint 1.7.10 | ||
| ruby 3.3.0 | ||
| trivy 0.69.3 | ||
| yq 4.52.2 | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,5 +2,4 @@ shellcheck 0.11.0 | |
| direnv 2.37.1 | ||
| actionlint 1.7.11 | ||
| ruby 3.3.0 | ||
| trivy 0.69.3 | ||
| yq 4.52.4 | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,14 @@ | ||
| FROM alpine:3.23.3 AS build | ||
| ARG TARGETARCH | ||
| RUN apk add --no-cache cosign bash curl jq | ||
| COPY scripts/install_trivy.sh /tmp/install_trivy.sh | ||
| RUN case "${TARGETARCH}" in \ | ||
| x86_64|amd64) TRIVY_ARCH=64bit ;; \ | ||
| aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ | ||
| *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ | ||
| esac \ | ||
| && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh | ||
|
Comment on lines
+1
to
+10
|
||
|
|
||
| FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 | ||
|
|
||
| ARG SCRIPTS_DIR=/usr/local/share/eps | ||
|
|
@@ -16,6 +27,8 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk | |
| WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} | ||
| RUN ./root_install.sh | ||
|
|
||
| COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy | ||
|
|
||
| COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh | ||
| USER vscode | ||
| COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf | ||
|
|
||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,9 @@ | ||||||
| FROM alpine:3.23.3 AS build | ||||||
| ARG TARGETARCH | ||||||
|
||||||
| ARG TARGETARCH |
Copilot
AI
Mar 22, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This build stage runs /tmp/install_trivy.sh directly, but the preceding COPY doesn’t set executable permissions. To make the build independent of the git file mode, either copy it with --chmod=755 or invoke it via bash /tmp/install_trivy.sh.
| COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh | |
| COPY --chmod=755 src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh |
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,9 @@ | ||||||
| FROM alpine:3.23.3 AS build | ||||||
| ARG TARGETARCH | ||||||
|
||||||
| ARG TARGETARCH |
Copilot
AI
Mar 22, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This build stage runs /tmp/install_trivy.sh directly, but the preceding COPY doesn’t set executable permissions. To make the build independent of the git file mode, either copy it with --chmod=755 or invoke it via bash /tmp/install_trivy.sh.
| RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh | |
| RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 bash /tmp/install_trivy.sh |
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,62 @@ | ||||||||||||||||||||||||||||||||||
| #!/usr/bin/env bash | ||||||||||||||||||||||||||||||||||
| set -euo pipefail | ||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||
| DEFAULT_INSTALL_DIR="/usr/local/bin" | ||||||||||||||||||||||||||||||||||
| INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}" | ||||||||||||||||||||||||||||||||||
| VERSION="v0.69.3" | ||||||||||||||||||||||||||||||||||
|
anthony-nhs marked this conversation as resolved.
Outdated
|
||||||||||||||||||||||||||||||||||
| DEFAULT_ARCH="64bit" | ||||||||||||||||||||||||||||||||||
| ARCH="${ARCH:-$DEFAULT_ARCH}" | ||||||||||||||||||||||||||||||||||
| RELEASE_NUMBER="${VERSION#v}" | ||||||||||||||||||||||||||||||||||
| BASE_URL="https://github.com/aquasecurity/trivy/releases/download/${VERSION}" | ||||||||||||||||||||||||||||||||||
| ARCHIVE="trivy_${RELEASE_NUMBER}_Linux-${ARCH}.tar.gz" | ||||||||||||||||||||||||||||||||||
| BUNDLE="${ARCHIVE}.sigstore.json" | ||||||||||||||||||||||||||||||||||
| CERT_IDENTITY="https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/${VERSION}" | ||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||
| usage() { | ||||||||||||||||||||||||||||||||||
| cat <<'EOF' | ||||||||||||||||||||||||||||||||||
| Usage: install_trivy.sh [output_dir] | ||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||
| Downloads Trivy, its sigstore bundle, and checksum into output_dir (default: current directory), | ||||||||||||||||||||||||||||||||||
| then verifies the checksum and the sigstore bundle, following | ||||||||||||||||||||||||||||||||||
| https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md. | ||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
| Usage: install_trivy.sh [output_dir] | |
| Downloads Trivy, its sigstore bundle, and checksum into output_dir (default: current directory), | |
| then verifies the checksum and the sigstore bundle, following | |
| https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md. | |
| Usage: install_trivy.sh | |
| Downloads the Trivy archive and its sigstore bundle to a temporary directory, | |
| verifies the sigstore bundle following | |
| https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md, | |
| and installs the trivy binary into INSTALL_DIR (default: /usr/local/bin). | |
| Environment variables: | |
| INSTALL_DIR Directory to install the trivy binary into (default: /usr/local/bin) | |
| VERSION Trivy version tag to install (default: v0.69.3) | |
| ARCH Architecture suffix used in the download (default: 64bit) |
Copilot
AI
Mar 21, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sha256sum is checked as a required dependency, but the script never uses it. This makes the installer fail unnecessarily on minimal images; either remove it from the dependency check or add the missing checksum verification step.
Uh oh!
There was an error while loading. Please reload this page.