Merge pull request #1552 from ministryofjustice/MLPAB-2599-apply-a-se…

…curity-standard-aquasecurity-and-or-cis-to-dockerfiles MLPAB-2599 - Apply a security standard to Dockerfiles
ministryofjustice · Oct 16, 2024 · 15608c9 · 15608c9
2 parents fa99e4d + 97f9ac6
commit 15608c9
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 3 deletions.
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
@@ -36,18 +36,22 @@ jobs:
           - ecr_repository: modernising-lpa/app
             name: app
             path: ./docker/mlpa/Dockerfile
+            trivyignores: ./docker/mlpa/.trivyignore.yaml
             platforms: linux/amd64
           - ecr_repository: modernising-lpa/create-s3-batch-replication-job
             name: create-s3-batch-replication-job
             path: ./lambda/create_s3_replication_job/Dockerfile
+            trivyignores: ./lambda/create_s3_replication_job/.trivyignore.yaml
             platforms: linux/amd64
           - ecr_repository: modernising-lpa/event-received
             name: event-received
             path: ./docker/event-received/Dockerfile
+            trivyignores: ./docker/event-received/.trivyignore.yaml
             platforms: linux/amd64
           - ecr_repository: modernising-lpa/mock-pay
             name: mock-pay
             path: ./docker/mock-pay/Dockerfile
+            trivyignores: ./docker/mock-pay/.trivyignore.yaml
             platforms: linux/amd64
 
     runs-on: ubuntu-latest
@@ -88,6 +92,21 @@ jobs:
           mask-password: true
           registries: 311462405659
 
+      - name: Trivy Dockerfile Configuration Scanner for ${{ matrix.ecr_repository }}
+        id: trivy_dockerfile_misconfiguration_scan
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
+          TRIVY_IGNOREFILE: ${{ matrix.trivyignores }}
+        with:
+          scan-type: fs
+          scan-ref: ${{ matrix.path }}
+          severity: 'HIGH,CRITICAL'
+          scanners: 'misconfig'
+          version: v0.56.2
+          exit-code: 1
+
       - name: Build ${{ matrix.ecr_repository }} Image
         uses: docker/[email protected]
         with:
@@ -110,6 +129,7 @@ jobs:
         env:
           TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
           TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
+          TRIVY_IGNOREFILE: ${{ matrix.trivyignores }}
         with:
           image-ref: ${{ matrix.ecr_repository }}:${{ inputs.tag }}
           severity: 'HIGH,CRITICAL'
@@ -125,6 +145,10 @@ jobs:
       - name: Trivy Image SBOM Generator for ${{ matrix.ecr_repository }} and submit results to Dependency Graph
         id: trivy_sbom
         uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
+          TRIVY_IGNOREFILE: ${{ matrix.trivyignores }}
         with:
           scan-type: 'image'
           image-ref: ${{ matrix.ecr_repository }}:${{ inputs.tag }}

diff --git a/docker/event-received/.trivyignore.yaml b/docker/event-received/.trivyignore.yaml
@@ -0,0 +1,3 @@
+misconfigurations:
+  - id: AVD-DS-0002
+    statement: Lambda creates a docker USER with least-privilege permissions.
diff --git a/docker/event-received/Dockerfile b/docker/event-received/Dockerfile
@@ -10,7 +10,7 @@ COPY --link internal ./internal
 
 RUN GOOS=linux GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -tags lambda.norpc -o event-received ./cmd/event-received
 
-FROM public.ecr.aws/lambda/provided:al2 AS dev
+FROM public.ecr.aws/lambda/provided:al2023.2024.10.14.12 AS dev
 
 WORKDIR /app
 
@@ -20,12 +20,11 @@ COPY --link docker/event-received/aws-lambda-rie ./aws-lambda-rie
 
 ENTRYPOINT ["./event-received"]
 
-FROM public.ecr.aws/lambda/provided:al2 AS production
+FROM public.ecr.aws/lambda/provided:al2023.2024.10.14.12 AS production
 
 WORKDIR /app
 COPY --link  docker/event-received/install_lambda_insights.sh /app/
 
-
 RUN chmod +x /app/install_lambda_insights.sh \
   && /app/install_lambda_insights.sh "${TARGETPLATFORM}"
 

diff --git a/docker/mlpa/.trivyignore.yaml b/docker/mlpa/.trivyignore.yaml
@@ -0,0 +1 @@
+misconfigurations:
diff --git a/docker/mock-pay/.trivyignore.yaml b/docker/mock-pay/.trivyignore.yaml
@@ -0,0 +1 @@
+misconfigurations:
diff --git a/docker/mock-pay/Dockerfile b/docker/mock-pay/Dockerfile
@@ -1,2 +1,5 @@
 FROM outofcoffee/imposter:4.0.5
+
 COPY ./docker/mock-pay /opt/imposter/config/
+
+USER imposter
diff --git a/lambda/create_s3_replication_job/.trivyignore.yaml b/lambda/create_s3_replication_job/.trivyignore.yaml
@@ -0,0 +1,3 @@
+misconfigurations:
+  - id: AVD-DS-0002
+    statement: Lambda creates a docker USER with least-privilege permissions.