
Commit 5a1ee33

authored
Fix: [AEA-0000] - fix scan check (#147)
## Summary - Routine Change ### Details - check extended scan results
1 parent 5156421 commit 5a1ee33


7 files changed

+51
-18
lines changed


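--- a/.github/scripts/check_ecr_image_scan_results.sh
+++ b/.github/scripts/check_ecr_image_scan_results.sh
@@ -1,4 +1,5 @@
-#!/bin/bash
+#!/usr/bin/env bash
+set -e
 
 if [ -z "${REPOSITORY_NAME}" ]; then
 echo "REPOSITORY_NAME not set"
@@ -17,12 +18,14 @@ function wait_for_scan() {
 echo "SCAN IS NOT YET COMPLETE..."
 sleep 3
 done
+echo "Final sleep to ensure findings are shown correctly"
+sleep 60
 }
 
 function check_for_high_critical_vuln() {
 scan_results=$(aws ecr describe-image-scan-findings --repository-name "${REPOSITORY_NAME}" --image-id imageTag="${IMAGE_TAG}")
-high=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.HIGH)
-critical=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.CRITICAL)
+high=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "HIGH" and .status != "SUPPRESSED")')
+critical=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "CRITICAL" and .status != "SUPPRESSED")')
 }
 
 function return_scan_results() {
@@ -35,20 +38,31 @@ function return_error() {
 echo -e "\n**********************************************************"
 echo "**********************************************************"
 echo "**********************************************************"
-echo "ERROR: There are CRITICAL/HIGH vulnerabilties. Stopping build."
+echo "ERROR: There are CRITICAL/HIGH vulnerabilities. Stopping build."
 echo "**********************************************************"
 echo "**********************************************************"
 echo "**********************************************************"
 exit 2
 }
 
 function analyze_scan_results() {
-if [[ $critical -gt 0 ]]; then
-echo "ERROR: There are CRITICAL vulnerabilties. Stopping build."
+if [[ -n "$critical" ]]; then
+echo "ERROR: There are CRITICAL vulnerabilities. Stopping build."
+
+echo "=== BEGIN CRITICAL IMAGE SCAN RESULTS ==="
+echo "$critical"
+echo "=== END CRITICAL IMAGE SCAN RESULTS ==="
+
 return_scan_results
+
 return_error
-elif [[ $high -gt 0 ]]; then
-echo "ERROR: There are HIGH vulnerabilties. Stopping build."
+elif [[ -n "$high" ]]; then
+echo "ERROR: There are HIGH vulnerabilities. Stopping build."
+
+echo "=== BEGIN HIGH IMAGE SCAN RESULTS ==="
+echo "$high"
+echo "=== END HIGH IMAGE SCAN RESULTS ==="
+
 return_scan_results
 return_error
 else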
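Review bot: The `[]?` in the two new jq filters in check_for_high_critical_vuln makes a missing `.imageScanFindings.enhancedFindings` indistinguishable from a scan with no findings, so if the registry returns output without that array (the removed lines read `findingSeverityCounts`, which does not depend on enhanced scanning) or an incomplete result, both variables are empty and analyze_scan_results takes the success branch. A guard before the two assignments would make that case loud rather than silently green, e.g. `echo "$scan_results" | jq -e '.imageScanFindings.enhancedFindings | type == "array"' >/dev/null || { echo "ERROR: no enhanced scan findings in response"; exit 2; }`. The fixed `sleep 60` added to wait_for_scan deserves a comment naming the symptom it works around, since nothing in the loop condition explains why a completed scan still needs a further minute. wait_for_scan and analyze_scan_results both extend outside the hunks shown.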

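--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -136,6 +136,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.DEV_CDK_PUSH_IMAGE_ROLE }}
 
@@ -153,6 +154,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.QA_CDK_PUSH_IMAGE_ROLE }}
 
@@ -170,6 +172,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.REF_CDK_PUSH_IMAGE_ROLE }}
 
@@ -187,6 +190,7 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.INT_CDK_PUSH_IMAGE_ROLE }}
 
@@ -204,5 +208,6 @@ jobs:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: true
+DOCKER_IMAGE_TAG: ${{needs.tag_release.outputs.version_tag}}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.PROD_CDK_PUSH_IMAGE_ROLE }}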
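Review bot: DOCKER_IMAGE_TAG is set to the same expression as VERSION_NUMBER in all five `with:` blocks, so a reader of this file alone cannot tell why the called workflow needs both values; a comment on the first occurrence such as `# DOCKER_IMAGE_TAG equals VERSION_NUMBER for release builds; pull_request.yml appends the short commit SHA` would record the intent. The called workflow declares the input as required, so every caller in this file has to carry the extra line, and if the two values ever need to diverge for releases there are five copies to edit.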

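--- a/.github/workflows/docker_image_upload.yml
+++ b/.github/workflows/docker_image_upload.yml
@@ -15,6 +15,9 @@ on:
 TAG_LATEST:
 required: true
 type: boolean
+DOCKER_IMAGE_TAG:
+required: true
+type: string
 secrets:
 CDK_PUSH_IMAGE_ROLE:
 required: true
@@ -65,8 +68,8 @@ jobs:
 
 - name: Push tagged version cdk-utils-build to Amazon ECR
 run: |
-docker tag "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.VERSION_NUMBER }}"
-docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.VERSION_NUMBER }}"
+docker tag "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.DOCKER_IMAGE_TAG }}"
+docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${{ inputs.DOCKER_IMAGE_TAG }}"
 
 - name: Push latest cdk-utils-build to Amazon ECR
 if: ${{ inputs.TAG_LATEST == true }}
@@ -77,7 +80,7 @@ jobs:
 - name: Check cdk-utils-build scan results
 env:
 REPOSITORY_NAME: cdk-utils-build-repo
-IMAGE_TAG: ${{ inputs.VERSION_NUMBER }}
+IMAGE_TAG: ${{ inputs.DOCKER_IMAGE_TAG }}
 working-directory: .github/scripts
 run: |
 ./check_ecr_image_scan_results.sh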
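Review bot: The new `${{ inputs.DOCKER_IMAGE_TAG }}` inside the `run:` block of the push step is substituted into the script text before bash parses it, so a tag value containing a quote or shell metacharacter would be interpreted as script rather than passed as data; the scan step in the last hunk already uses the safer shape by mapping the input to `env:` and letting the script read a variable. Today the callers build the value from a version tag or a PR number plus short SHA, so the exposure is bounded, but the input is declared as a free-form string and nothing in this workflow constrains future callers. Giving the push step the same `env:` indirection as the scan step keeps the two consistent:
```yaml
      - name: Push tagged version cdk-utils-build to Amazon ECR
        env:
          DOCKER_IMAGE_TAG: ${{ inputs.DOCKER_IMAGE_TAG }}
        run: |
          docker tag "cdk-utils-build:${{ inputs.VERSION_NUMBER }}" "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${DOCKER_IMAGE_TAG}"
          docker push "${{ env.ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:${DOCKER_IMAGE_TAG}"
```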

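--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -46,11 +46,18 @@ jobs:
 runs-on: ubuntu-22.04
 outputs:
 commit_id: ${{ steps.commit_id.outputs.commit_id }}
+sha_short: ${{ steps.commit_id.outputs.sha_short }}
 steps:
+- name: Checkout code
+uses: actions/checkout@v4
+with:
+ref: ${{ env.BRANCH_NAME }}
+
 - name: Get Commit ID
 id: commit_id
 run: |
 echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
 
 package_code:
 needs: [get_issue_number, quality_checks, get_commit_id]
@@ -67,5 +74,6 @@ jobs:
 VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
 COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
 TAG_LATEST: false
+DOCKER_IMAGE_TAG: PR-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}
 secrets:
 CDK_PUSH_IMAGE_ROLE: ${{ secrets.DEV_CDK_PUSH_IMAGE_ROLE }}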
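Review bot: `commit_id` and the new `sha_short` output come from different sources — `github.sha` versus `git rev-parse --short HEAD` on a checkout of `env.BRANCH_NAME` — so on a pull_request event they can name different commits (the merge ref versus the branch head), and the image tag assembled from sha_short in the second hunk would then not correspond to the COMMIT_ID passed alongside it. If both are meant to identify the same commit, `echo "sha_short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"` derives it from the same value and makes the new checkout step unnecessary; if the branch head is intended, a comment saying so would stop the next reader from "fixing" it. `--short` without an explicit length can also return more than seven characters when the prefix is ambiguous, so the tag width is not guaranteed. Where BRANCH_NAME is set is outside this hunk.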

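--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,4 +42,4 @@ repos:
 pass_filenames: false
 
 fail_fast: true
-default_stages: [commit]
+default_stages: [pre-commit]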

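--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -32,11 +32,13 @@ ENV PATH="$PATH:/home/cdkuser/.asdf/bin/:/home/cdkuser/node_modules/.bin"
 # Install ASDF plugins
 RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
 # install some common node versions that are used in builds to speed things up
-RUN asdf install nodejs 20.19.1
-RUN asdf install nodejs 23.9.0
-RUN asdf install nodejs 20.17.0
-RUN asdf install nodejs 20.19.0
-RUN asdf install nodejs 22.12.0
+RUN asdf install nodejs 20.19.1; \
+asdf install nodejs 23.9.0
+# update npm
+RUN export ASDF_DIR=/home/cdkuser/.asdf && \
+. /home/cdkuser/.asdf/asdf.sh && \
+asdf shell nodejs 20.19.1 && \
+cd ~/.asdf/installs/nodejs/20.19.1/lib && npm update npm
 
 # copy files needed for deployment
 COPY --chown=cdkuser docker/entrypoint.sh /home/cdkuser/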
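Review bot: The two `asdf install` calls in the rewritten RUN are joined with `;`, so a failed install of 20.19.1 no longer fails the layer the way the separate RUN lines did, and the following RUN then executes `asdf shell nodejs 20.19.1` against a version that may not exist; `RUN asdf install nodejs 20.19.1 && \` restores the fail-fast behaviour. The new `npm update npm` fetches whatever npm version is current at build time, so two builds of the same Dockerfile can produce different images and the resulting npm version is not visible in version control; pinning it, e.g. `npm install -g npm@<pinned version>`, or at least recording the intended version in the comment, would make the layer reproducible and reviewable. The `# update npm` comment would also be more useful if it said why the npm bundled with 20.19.1 is not sufficient.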

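--- a/pyproject.toml
+++ b/pyproject.toml
@@ -11,6 +11,7 @@ authors = [
 ]
 readme = "README.md"
 repository = "https://github.com/NHSDigital/eps-cdk-util"
+package-mode = false
 
 [tool.poetry.dependencies]
 python = "^3.12"
@@ -23,4 +24,4 @@ pip-licenses = "^5.0.0"
 
 [build-system]
 requires = ["poetry>=1.8"]
-build-backend = "poetry.masonry.api"
+build-backend = "poetry.masonry.api"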
