CCM-13343: Trivy Package and Library Scans

Author: jamesthompson26-nhs

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,7 +25,7 @@
 - [ ] I have added tests to cover my changes
 - [ ] I have updated the documentation accordingly
 - [ ] This PR is a result of pair or mob programming
-
+- [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR.
 ---
 
 ## Sensitive Information Declaration

.github/workflows/cicd-1-pull-request.yaml

@@ -28,6 +28,7 @@ jobs:
       is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
       pr_number: ${{ steps.pr_exists.outputs.pr_number }}
+      skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
@@ -66,6 +67,26 @@ jobs:
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
             echo "pr_number=" >> $GITHUB_OUTPUT
           fi
+      - name: "Determine if Trivy package scan should be skipped"
+        id: skip_trivy
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+        run: |
+          if [[ -z "$PR_NUMBER" ]]; then
+            echo "No pull request detected; Trivy package scan will run."
+            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
+          echo "Labels on PR #$PR_NUMBER: $labels"
+
+          if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
+            echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
+          else
+            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+          fi
       - name: "List variables"
         run: |
           export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
@@ -89,6 +110,7 @@ jobs:
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
+      skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit

.github/workflows/stage-1-commit.yaml

@@ -23,6 +23,10 @@ on:
         description: "Python version, set by the CI/CD pipeline workflow"
         required: true
         type: string
+      skip_trivy_package:
+        description: "Skip Trivy package scan when true"
+        type: boolean
+        default: false
       terraform_version:
         description: "Terraform version, set by the CI/CD pipeline workflow"
         required: true
@@ -172,6 +176,7 @@ jobs:
       - name: "Trivy IaC Scan"
         uses: ./.github/actions/trivy-iac
   trivy-package:
+    if: ${{ !inputs.skip_trivy_package }}
     name: "Trivy Package Scan"
     permissions:
       contents: read