Merge branch 'main' into dependabot/github_actions/docker/build-push-…

…action-6.9.0
ministryofjustice · Oct 7, 2024 · c9e35c4 · c9e35c4
2 parents 0822f79 + fe96c91
commit c9e35c4
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 5 deletions.
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
@@ -19,4 +19,4 @@
       "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16"
     }
   }
-}
+}
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -31,6 +31,9 @@ jobs:
       - name: Scan
         id: scan
         uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
         with:
           image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
           severity: HIGH,CRITICAL

diff --git a/.trivyignore b/.trivyignore
@@ -1,3 +1,6 @@
+# Ubuntu
+CVE-2024-43882
+
 # Python
 ## setuptools
 CVE-2024-6345 # TODO: @jacobwoffenden - Figure out where this comes from and patch it

diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,12 @@
-FROM ghcr.io/ministryofjustice/analytical-platform-cloud-development-environment-base@sha256:cd9fdb57437707322896c33655c02e6ae10e114615b206713c899281cdb71153
+FROM ghcr.io/ministryofjustice/analytical-platform-cloud-development-environment-base@sha256:9ef99705307856126bef61285965f0c5aed6f4525bb69586ac1fad23a7728827
 
 LABEL org.opencontainers.image.vendor="Ministry of Justice" \
       org.opencontainers.image.authors="Analytical Platform ([email protected])" \
       org.opencontainers.image.title="Visual Studio Code" \
       org.opencontainers.image.description="Visual Studio Code image for Analytical Platform" \
       org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform-visual-studio-code"
 
-ENV VISUAL_STUDIO_CODE_VERSION="1.93.1-1726079302"
+ENV VISUAL_STUDIO_CODE_VERSION="1.94.0-1727878498"
 
 SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
 

diff --git a/Makefile b/Makefile
@@ -1,14 +1,20 @@
-.PHONY: test build run
+.PHONY: build scan test run
 
 IMAGE_NAME ?= ghcr.io/ministryofjustice/analytical-platform-visual-studio-code
 IMAGE_TAG  ?= local
 
+TRIVY_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-db:2
+TRIVY_JAVA_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-java-db:1
+
 run: build
 	docker run --rm -it --publish 8080:8080 $(IMAGE_NAME):$(IMAGE_TAG)
 
 test: build
 	container-structure-test test --platform linux/amd64 --config test/container-structure-test.yml --image $(IMAGE_NAME):$(IMAGE_TAG)
 
+scan: build
+	trivy image --platform linux/amd64 --severity HIGH,CRITICAL $(IMAGE_NAME):$(IMAGE_TAG)
+
 build:
 	@ARCH=`uname --machine`; \
 	case $$ARCH in \

diff --git a/test/container-structure-test.yml b/test/container-structure-test.yml
@@ -8,9 +8,17 @@ commandTests:
   - name: "code"
     command: "code"
     args: ["--version"]
-    expectedOutput: ["1.93.1"]
+    expectedOutput: ["1.94.0"]
 
 fileExistenceTests:
   - name: "/opt/analytical-platform/first-run-notice.txt"
     path: "/opt/analytical-platform/first-run-notice.txt"
     shouldExist: true
+
+  - name: "/usr/local/bin/entrypoint.sh"
+    path: "/usr/local/bin/entrypoint.sh"
+    shouldExist: true
+
+  - name: "/usr/local/bin/healthcheck.sh"
+    path: "/usr/local/bin/healthcheck.sh"
+    shouldExist: true
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,4 +19,4 @@ @@
           "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16"
         }
       }
-    }
+    }