-
Notifications
You must be signed in to change notification settings - Fork 0
Chore: [AEA-6413] - Verify trivy installation #64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 1 commit
e2f228d
ddbe311
d0be713
fa65932
890ce6c
906f8a0
3a69e97
3f0575b
6af21f1
b471edb
1a64425
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,20 @@ | ||
| FROM golang:1.26.1-bookworm AS build | ||
| ARG TARGETARCH | ||
| RUN apt-get update && apt-get install -y \ | ||
| jq \ | ||
| && apt-get clean \ | ||
| && rm -rf /var/lib/apt/lists/* | ||
| COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh | ||
| COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh | ||
| RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh | ||
| RUN case "${TARGETARCH}" in \ | ||
| x86_64|amd64) TRIVY_ARCH=64bit ;; \ | ||
| aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ | ||
| *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ | ||
| esac \ | ||
| && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh | ||
|
anthony-nhs marked this conversation as resolved.
Comment on lines
+1
to
+10
|
||
|
|
||
|
|
||
| FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 | ||
| ARG TARGETARCH | ||
| ENV TARGETARCH=${TARGETARCH} | ||
|
|
@@ -64,11 +81,13 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \ | |
| chmod 755 /usr/share/secrets-scanner && \ | ||
| curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt | ||
|
|
||
| COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy | ||
|
|
||
| USER vscode | ||
|
|
||
| ENV PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin" | ||
| ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin" | ||
| RUN \ | ||
| echo 'PATH="/home/vscode/.asdf/shims/:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \ | ||
| echo 'PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"' >> ~/.bashrc; \ | ||
| echo '. <(asdf completion bash)' >> ~/.bashrc; \ | ||
| echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc; \ | ||
| echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc; \ | ||
|
|
@@ -83,8 +102,7 @@ RUN asdf plugin add python; \ | |
| asdf plugin add actionlint; \ | ||
| asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git; \ | ||
| asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git; \ | ||
|
anthony-nhs marked this conversation as resolved.
Outdated
|
||
| asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git | ||
|
|
||
| asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git; | ||
|
|
||
| WORKDIR /workspaces/eps-devcontainers | ||
| COPY .tool-versions /workspaces/eps-devcontainers/.tool-versions | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,3 +4,4 @@ src/base/.devcontainer/language_versions/ | |
| .trivyignore_combined.yaml | ||
| .out/ | ||
| .envrc | ||
| .trivy_out/ | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,5 +5,4 @@ shellcheck 0.11.0 | |
| direnv 2.37.1 | ||
| actionlint 1.7.10 | ||
| ruby 3.3.0 | ||
| trivy 0.69.3 | ||
| yq 4.52.2 | ||
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,5 +2,4 @@ shellcheck 0.11.0 | |
| direnv 2.37.1 | ||
| actionlint 1.7.11 | ||
| ruby 3.3.0 | ||
| trivy 0.69.3 | ||
| yq 4.52.4 | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,19 @@ | ||
| FROM golang:1.26.1-bookworm AS build | ||
| ARG TARGETARCH | ||
| RUN apt-get update && apt-get install -y \ | ||
| jq \ | ||
|
anthony-nhs marked this conversation as resolved.
Outdated
|
||
| && apt-get clean \ | ||
| && rm -rf /var/lib/apt/lists/* | ||
| COPY scripts/install_cosign.sh /tmp/install_cosign.sh | ||
| COPY scripts/install_trivy.sh /tmp/install_trivy.sh | ||
| RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh | ||
| RUN case "${TARGETARCH}" in \ | ||
| x86_64|amd64) TRIVY_ARCH=64bit ;; \ | ||
| aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ | ||
| *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ | ||
| esac \ | ||
| && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh | ||
|
Comment on lines
+1
to
+10
|
||
|
|
||
| FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 | ||
|
|
||
| ARG SCRIPTS_DIR=/usr/local/share/eps | ||
|
|
@@ -16,6 +32,8 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk | |
| WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} | ||
| RUN ./root_install.sh | ||
|
|
||
| COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy | ||
|
|
||
| COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh | ||
| USER vscode | ||
| COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf | ||
|
|
||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,13 @@ | ||||||
| FROM golang:1.26.1-bookworm AS build | ||||||
| RUN apt-get update && apt-get install -y \ | ||||||
| jq \ | ||||||
|
anthony-nhs marked this conversation as resolved.
Outdated
|
||||||
| && apt-get clean \ | ||||||
| && rm -rf /var/lib/apt/lists/* | ||||||
| COPY src/base/.devcontainer/scripts/install_cosign.sh /tmp/install_cosign.sh | ||||||
| COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh | ||||||
|
||||||
| COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh | |
| COPY --chmod=755 src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh |
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,13 @@ | ||||||
| FROM golang:1.26.1-bookworm AS build | ||||||
| RUN apt-get update && apt-get install -y \ | ||||||
| jq \ | ||||||
| && apt-get clean \ | ||||||
| && rm -rf /var/lib/apt/lists/* | ||||||
| COPY scripts/install_cosign.sh /tmp/install_cosign.sh | ||||||
| COPY scripts/install_trivy.sh /tmp/install_trivy.sh | ||||||
|
anthony-nhs marked this conversation as resolved.
Outdated
|
||||||
| RUN INSTALL_DIR=/usr/local/bin /tmp/install_cosign.sh | ||||||
| RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh | ||||||
|
||||||
| RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh | |
| RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 bash /tmp/install_trivy.sh |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| #!/usr/bin/env bash | ||
| set -euo pipefail | ||
|
|
||
| DEFAULT_INSTALL_DIR="/usr/local/bin" | ||
| INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}" | ||
| REQUESTED_VERSION="${1:-latest}" | ||
| OS="$(uname -s)" | ||
| ARCH="$(uname -m)" | ||
| API_URL="https://api.github.com/repos/sigstore/cosign/releases" | ||
|
|
||
| usage() { | ||
| cat <<'EOF' | ||
| Usage: install_cosign.sh [version] | ||
|
|
||
| Downloads the requested cosign release (default: latest) for Linux amd64, verifies | ||
| its signature, and installs it into $INSTALL_DIR (override via INSTALL_DIR env var). | ||
|
anthony-nhs marked this conversation as resolved.
Outdated
|
||
| EOF | ||
| } | ||
|
|
||
| if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then | ||
| usage | ||
| exit 0 | ||
| fi | ||
|
|
||
| if [[ "$OS" != "Linux" ]]; then | ||
| echo "Error: This installer currently supports Linux only" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| case "$ARCH" in | ||
| x86_64|amd64) | ||
| BINARY_NAME="cosign-linux-amd64" | ||
| ;; | ||
| aarch64|arm64) | ||
| BINARY_NAME="cosign-linux-arm64" | ||
| ;; | ||
| *) | ||
| echo "Error: Unsupported architecture $ARCH" >&2 | ||
| exit 1 | ||
| ;; | ||
| esac | ||
|
|
||
| for cmd in curl openssl install go jq; do | ||
| if ! command -v "$cmd" >/dev/null 2>&1; then | ||
| echo "Error: $cmd is required but not found in PATH" >&2 | ||
| exit 1 | ||
| fi | ||
| done | ||
|
anthony-nhs marked this conversation as resolved.
Outdated
|
||
|
|
||
| get_latest_tag() { | ||
| local response | ||
| response="$(curl -fsSL "$API_URL/latest")" | ||
| awk -F'"' '/tag_name/ {print $4; exit}' <<<"$response" | ||
| } | ||
|
|
||
| VERSION="$REQUESTED_VERSION" | ||
| if [[ "$VERSION" == "latest" ]]; then | ||
| VERSION="$(get_latest_tag)" | ||
| fi | ||
|
|
||
| if [[ -z "$VERSION" ]]; then | ||
| echo "Error: Unable to determine cosign version" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| BASE_URL="https://github.com/sigstore/cosign/releases/download/${VERSION}" | ||
| TMP_DIR="$(mktemp -d)" | ||
| trap 'rm -rf "$TMP_DIR"' EXIT | ||
|
|
||
| download() { | ||
| local url="${1}" dest="${2}" | ||
| echo "Downloading ${dest} ..." | ||
| curl -fsSL "${url}" -o "${dest}" | ||
| } | ||
|
|
||
| BIN_PATH="$TMP_DIR/${BINARY_NAME}" | ||
| SIGSTORE_PATH="$TMP_DIR/${BINARY_NAME}-kms.sigstore.json" | ||
| ARTIFACT_PATH="$TMP_DIR/artifact.pub" | ||
| DECODED_SIGSTORE_PATH="$TMP_DIR/cosign-kms.sig.decoded" | ||
|
|
||
| download "${BASE_URL}/${BINARY_NAME}" "$BIN_PATH" | ||
| download "${BASE_URL}/${BINARY_NAME}-kms.sigstore.json" "$SIGSTORE_PATH" | ||
|
|
||
| # install tuf-client | ||
| go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest | ||
|
|
||
|
anthony-nhs marked this conversation as resolved.
Outdated
|
||
| # setup tuf-client | ||
| SIGSTORE_ROOT_PATH="$TMP_DIR/sigstore-root.json" | ||
| curl -o "$SIGSTORE_ROOT_PATH" https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/metadata/root_history/10.root.json | ||
|
anthony-nhs marked this conversation as resolved.
Outdated
|
||
| tuf-client init https://tuf-repo-cdn.sigstore.dev "$SIGSTORE_ROOT_PATH" | ||
|
|
||
| tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > "$ARTIFACT_PATH" | ||
|
|
||
| cat "$SIGSTORE_PATH" | jq -r .messageSignature.signature | base64 -d > "$DECODED_SIGSTORE_PATH" | ||
| pushd "$TMP_DIR" >/dev/null | ||
| echo "verifying signature with artifact.pub" | ||
| openssl dgst -sha256 -verify "$ARTIFACT_PATH" -signature "$DECODED_SIGSTORE_PATH" "$BIN_PATH" | ||
| popd >/dev/null | ||
|
|
||
| echo "verifying signature with cosign verify-blob" | ||
| chmod +x "$BIN_PATH" | ||
| ${BIN_PATH} verify-blob --bundle "${SIGSTORE_PATH}" --key "$ARTIFACT_PATH" "$BIN_PATH" | ||
|
|
||
| mkdir -p "$INSTALL_DIR" | ||
| install -m 0755 "$BIN_PATH" "${INSTALL_DIR}/cosign" | ||
|
|
||
| "${INSTALL_DIR}/cosign" version | ||
|
|
||
| echo "cosign ${VERSION} installed to ${INSTALL_DIR}" | ||
Uh oh!
There was an error while loading. Please reload this page.