Chore: [AEA-0000] - Verify trivy installation #64
Conversation
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000
Pull request overview
This PR updates the devcontainer/tooling setup to ensure Trivy is installed and available for image scanning, moving away from asdf-managed Trivy and adding signed-binary verification steps.
Changes:
- Add scripts to install and verify `cosign` and `trivy`, and embed Trivy into devcontainer images.
- Update CI to provision Trivy via a Docker build output instead of `aquasecurity/setup-trivy`.
- Refresh various tooling versions and extend Trivy ignore lists for a new gRPC CVE.
Reviewed changes
Copilot reviewed 20 out of 22 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| src/projects/regression_tests/.devcontainer/scripts/root_install.sh | Adds Chrome installation during regression test container build. |
| src/projects/regression_tests/.devcontainer/.tool-versions | Bumps Allure version. |
| src/projects/eps-storage-terraform/.trivyignore.yaml | Adds CVE ignore entry for gRPC-Go. |
| src/common/.trivyignore.yaml | Adds CVE ignore entry for gRPC-Go in shared ignore config. |
| src/base/.devcontainer/scripts/install_trivy.sh | New Trivy installer with Sigstore verification. |
| src/base/.devcontainer/scripts/install_cosign.sh | New Cosign installer with signature verification flow. |
| src/base/.devcontainer/Dockerfile.trivy.arm64 | New arm64 Trivy “builder/exporter” Dockerfile for CI. |
| src/base/.devcontainer/Dockerfile.trivy.amd64 | New amd64 Trivy “builder/exporter” Dockerfile for CI. |
| src/base/.devcontainer/Dockerfile | Builds Trivy in a build stage and copies it into the base devcontainer image. |
| src/base/.devcontainer/.tool-versions | Removes Trivy from asdf tool list for base container. |
| package.json | Bumps @devcontainers/cli version. |
| package-lock.json | Lockfile update for @devcontainers/cli bump. |
| Makefile | Adds .PHONY list and removes github-login target. |
| .tool-versions | Removes Trivy from repo-level asdf tool list. |
| .gitignore | Ignores .trivy_out/. |
| .github/workflows/release.yml | Updates referenced eps-common-workflows commit. |
| .github/workflows/pull_request.yml | Updates referenced eps-common-workflows commit. |
| .github/workflows/ci.yml | Updates referenced eps-common-workflows commit. |
| .github/workflows/build_multi_arch_image.yml | Replaces setup-trivy action with Docker-based Trivy provisioning. |
| .github/workflows/build_all_images.yml | Minor formatting tweak (blank line). |
| .devcontainer/devcontainer.json | Adds host .gitconfig bind mount into devcontainer. |
| .devcontainer/Dockerfile | Builds Trivy in a build stage and adjusts PATH setup. |
Pull request overview
Copilot reviewed 11 out of 12 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 12 out of 13 changed files in this pull request and generated 7 comments.
| @@ -0,0 +1,9 @@ | |||
| FROM alpine:3.23.3 AS build | |||
| ARG TARGETARCH | |||
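Review bot: `FROM alpine:3.23.3 AS build` pins the base image by tag only; for a stage whose whole purpose is a verified Trivy install, pin it by digest as well (`alpine:3.23.3@sha256:<digest>`, digest being a placeholder), otherwise the trust of the stage still rests on a mutable tag that the registry can re-point.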
ARG TARGETARCH is declared but never used in this Dockerfile. Consider removing it to avoid confusion/warnings, or use it to validate the expected architecture for the downloaded Trivy binary.
| ARG TARGETARCH |
| @@ -0,0 +1,9 @@ | |||
| FROM alpine:3.23.3 AS build | |||
| ARG TARGETARCH | |||
ARG TARGETARCH is declared but never used in this Dockerfile. Consider removing it to avoid confusion/warnings, or use it to validate the expected architecture for the downloaded Trivy binary.
| ARG TARGETARCH |
| FROM alpine:3.23.3 AS build | ||
| ARG TARGETARCH | ||
| RUN apk add --no-cache cosign bash curl jq | ||
| COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh |
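Review bot: `apk add --no-cache cosign bash curl jq` installs cosign at whatever version the Alpine repository serves at build time, so the tool that is supposed to verify the Trivy download is itself unpinned and unverified. Pin it (`apk add --no-cache cosign=<version>-r<n>`, version being a placeholder) or reuse the `install_cosign.sh` with signature verification that this PR adds, so the trust chain does not start from an unverified verifier.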
This build stage runs /tmp/install_trivy.sh directly, but the preceding COPY doesn’t set executable permissions. To make the build independent of the git file mode, either copy it with --chmod=755 or invoke it via bash /tmp/install_trivy.sh.
| COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh | |
| COPY --chmod=755 src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh |
| ARG TARGETARCH | ||
| RUN apk add --no-cache cosign bash curl jq | ||
| COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh | ||
| RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh |
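Review bot: `ARCH=ARM64` is hard-coded on the RUN line while `ARG TARGETARCH` above is never read, so nothing stops this stage being built for another platform and silently producing an arm64 binary. Since this Dockerfile is arm64-specific, use TARGETARCH as a guard before the install step, for example `RUN [ "$TARGETARCH" = arm64 ] || { echo "expected arm64, got '$TARGETARCH'"; exit 1; }`.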
This build stage runs /tmp/install_trivy.sh directly, but the preceding COPY doesn’t set executable permissions. To make the build independent of the git file mode, either copy it with --chmod=755 or invoke it via bash /tmp/install_trivy.sh.
| RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh | |
| RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 bash /tmp/install_trivy.sh |
| FROM alpine:3.23.3 AS build | ||
| ARG TARGETARCH | ||
| RUN apk add --no-cache cosign bash curl jq | ||
| COPY scripts/install_trivy.sh /tmp/install_trivy.sh | ||
| RUN case "${TARGETARCH}" in \ | ||
| x86_64|amd64) TRIVY_ARCH=64bit ;; \ | ||
| aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ | ||
| *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ | ||
| esac \ | ||
| && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh |
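Review bot: this stage copies `scripts/install_trivy.sh` relative to the build context, while the other Trivy stages in this PR copy `src/base/.devcontainer/scripts/install_trivy.sh`; confirm that every caller (CI and the devcontainer CLI alike) builds this Dockerfile with `src/base/.devcontainer` as the context, otherwise the COPY fails at build time. The `case` on `${TARGETARCH}` is the right shape: an empty or unknown value hits the `*)` branch and aborts the build instead of guessing an architecture.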
This stage executes /tmp/install_trivy.sh directly, but the preceding COPY doesn’t set executable permissions. Consider using COPY --chmod=755 ... (or calling bash /tmp/install_trivy.sh) so the build doesn’t rely on the script’s executable bit in git.
| FROM alpine:3.23.3 AS build | ||
| ARG TARGETARCH | ||
| RUN apk add --no-cache cosign bash curl jq | ||
| COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh | ||
| RUN case "${TARGETARCH}" in \ | ||
| x86_64|amd64) TRIVY_ARCH=64bit ;; \ | ||
| aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ | ||
| *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ | ||
| esac \ | ||
| && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh |
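Review bot: the `case` mapping from TARGETARCH to Trivy's `64bit`/`ARM64` asset names is now duplicated verbatim across the Dockerfiles in this PR; moving that mapping into `install_trivy.sh` (defaulting ARCH from `TARGETARCH` or `uname -m` when ARCH is not supplied) would leave a single place to maintain when a new architecture or a renamed release asset appears.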
| DEFAULT_INSTALL_DIR="/usr/local/bin" | ||
| INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}" | ||
| VERSION="v0.69.3" |
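Review bot: if VERSION becomes overridable as suggested, every artifact the Sigstore verification fetches for that release (checksums, signature, certificate) must be derived from the same value rather than from a separately fixed RELEASE_NUMBER or BASE_URL; otherwise an overridden VERSION downloads one release and verifies it against another release's signature material. The Dockerfiles also pass `INSTALL_DIR=/tmp/trivy/` with a trailing slash, so check that the script strips it (or tolerates `//`) when composing the binary path.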
The script advertises VERSION as an overridable environment variable, but VERSION is currently hard-coded (so VERSION=... ./install_trivy.sh will be ignored). Update the assignment to default from the environment so the help text matches behavior, and ensure RELEASE_NUMBER/BASE_URL derive from the overridden value.
| VERSION="v0.69.3" | |
| VERSION="${VERSION:-v0.69.3}" |