NHSDigital
diff --git a/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 1 addition & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/actions/trivy-iac/action.yaml‎
Lines changed: 18 additions & 0 deletions b/‎.github/actions/trivy-iac/action.yaml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎.github/actions/trivy-package/action.yaml‎
Lines changed: 16 additions & 0 deletions b/‎.github/actions/trivy-package/action.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎.github/actions/trivy/action.yaml‎
Lines changed: 0 additions & 17 deletions b/‎.github/actions/trivy/action.yaml‎
Lines changed: 0 additions & 17 deletions
diff --git a/‎.github/workflows/cicd-1-pull-request.yaml‎
Lines changed: 21 additions & 0 deletions b/‎.github/workflows/cicd-1-pull-request.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎.github/workflows/stage-1-commit.yaml‎
Lines changed: 28 additions & 6 deletions b/‎.github/workflows/stage-1-commit.yaml‎
Lines changed: 28 additions & 6 deletions
diff --git a/‎.tool-versions‎
Lines changed: 2 additions & 2 deletions b/‎.tool-versions‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.trivyignore‎
Lines changed: 5 additions & 0 deletions b/‎.trivyignore‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/adr/assets/ADR-003/examples/golang/go.mod‎
Lines changed: 1 addition & 1 deletion b/‎docs/adr/assets/ADR-003/examples/golang/go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/architecture/c4/notifhir/printer/eventsfromprint/index.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/architecture/c4/notifhir/printer/eventsfromprint/index.md‎
Lines changed: 1 addition & 1 deletion
@@ -25,6 +25,7 @@
 - [ ] I have added tests to cover my changes
 - [ ] I have updated the documentation accordingly
 - [ ] This PR is a result of pair or mob programming
+- [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR.
 
 ---
 
 
@@ -0,0 +1,18 @@
+name: "Trivy IaC Scan"
+description: "Scan Terraform IaC using Trivy"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Terraform IaC Scan"
+      shell: bash
+      run: |
+        components_exit_code=0
+        modules_exit_code=0
+
+        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+
+        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+          echo "Trivy misconfigurations detected."
+          exit 1
+        fi
@@ -0,0 +1,16 @@
+name: "Trivy Package Scan"
+description: "Scan project packages using Trivy"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Package Scan"
+      shell: bash
+      run: |
+        exit_code=0
+
+        ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+
+        if [ $exit_code -ne 0 ]; then
+          echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+          exit 1
+        fi
@@ -33,6 +33,7 @@ jobs:
       is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
       pr_number: ${{ steps.pr_exists.outputs.pr_number }}
+      skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
@@ -72,7 +73,26 @@ jobs:
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
             echo "pr_number=" >> $GITHUB_OUTPUT
           fi
+      - name: "Determine if Trivy package scan should be skipped"
+        id: skip_trivy
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+        run: |
+          if [[ -z "$PR_NUMBER" ]]; then
+            echo "No pull request detected; Trivy package scan will run."
+            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
 
+          labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
+          echo "Labels on PR #$PR_NUMBER: $labels"
+
+          if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
+            echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
+          else
+            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+          fi
       - name: "List variables"
         run: |
           export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
@@ -96,6 +116,7 @@ jobs:
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
+      skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
   #    secrets: inherit
 
@@ -23,6 +23,10 @@ on:
         description: "Python version, set by the CI/CD pipeline workflow"
         required: true
         type: string
+      skip_trivy_package:
+        description: "Skip Trivy package scan when true"
+        type: boolean
+        default: false
       terraform_version:
         description: "Terraform version, set by the CI/CD pipeline workflow"
         required: true
@@ -146,21 +150,39 @@ jobs:
         uses: actions/checkout@v5
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
-  trivy:
-    name: "Trivy Scan"
+  trivy-iac:
+    name: "Trivy IaC Scan"
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: "Setup ASDF"
         uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4
       - name: "Perform Setup"
         uses: ./.github/actions/setup
-      - name: "Trivy Scan"
-        uses: ./.github/actions/trivy
+      - name: "Trivy IaC Scan"
+        uses: ./.github/actions/trivy-iac
+  trivy-package:
+    if: ${{ !inputs.skip_trivy_package }}
+    name: "Trivy Package Scan"
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+      - name: "Setup ASDF"
+        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
+      - name: "Perform Setup"
+        uses: ./.github/actions/setup
+      - name: "Trivy Package Scan"
+        uses: ./.github/actions/trivy-package
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest
 
@@ -14,8 +14,8 @@ vale 3.6.0
 # The section below is reserved for Docker image versions.
 
 # TODO: Move this section - consider using a different file for the repository template dependencies.
-# docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33  # SEE: https://github.com/anchore/grype/pkgs/container/grype
-# docker/ghcr.io/anchore/syft v1.26.0@sha256:de078f51704a213906970b1475edd6006b8af50aa159852e125518237487b8c6  # SEE: https://github.com/anchore/syft/pkgs/container/syft
+# docker/ghcr.io/anchore/grype v0.104.3@sha256:d340f4f8b3b7e6e72a6c9c0152f25402ed8a2d7375dba1dfce4e53115242feb6  # SEE: https://github.com/anchore/grype/pkgs/container/grype
+# docker/ghcr.io/anchore/syft v1.39.0@sha256:6f13bb010923c33fb197047c8f88888e77071bd32596b3f605d62a133e493ce4 # SEE: https://github.com/anchore/syft/pkgs/container/syft
 # docker/ghcr.io/gitleaks/gitleaks:v8.24.0@sha256:b8e9bf46893c2f20e10bfb4b2e783adaef519dea981b01ca6221ac325e836040 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc
 
@@ -0,0 +1,5 @@
+# Remove after resolution as part of https://nhsd-jira.digital.nhs.uk/browse/CCM-13690
+CVE-2021-4279 # https://avd.aquasec.com/nvd/cve-2021-4279 ## latest ajv-cli (5.0.0) installs old version of fast-json-patch
+CVE-2024-49761 # https://avd.aquasec.com/nvd/cve-2024-49761 ## latest Jekyll Webpack (0.2.7) installs old version of rexml
+CVE-2024-47220 # https://avd.aquasec.com/nvd/cve-2024-47220 ## latest lint_roller (1.1.0) installs old version of rexml
+CVE-2024-7254 # https://avd.aquasec.com/nvd/cve-2024-7254 ## latest Jekyll Webpack (0.2.7) installs old version of google-protobuf
@@ -5,7 +5,7 @@ toolchain go1.24.1
 
 require (
 	github.com/go-resty/resty/v2 v2.7.0
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt v5.3.0+incompatible
 )
 
 require golang.org/x/net v0.38.0 // indirect
@@ -2,7 +2,7 @@
 
 title: Events from Supplier API
 parent:  Print Supplier Services
-nav_order: 9
+nav_order: 4
 has_children: true
 is_not_draft: false
 last_modified_date: 2025-12-12
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ toolchain go1.24.1`
`5`	`5`
`6`	`6`	`require (`
`7`	`7`	`github.com/go-resty/resty/v2 v2.7.0`
`8`		`- github.com/golang-jwt/jwt v3.2.2+incompatible`
	`8`	`+ github.com/golang-jwt/jwt v5.3.0+incompatible`
`9`	`9`	`)`
`10`	`10`
`11`	`11`	`require golang.org/x/net v0.38.0 // indirect`