Merge branch 'feat/opg-scanning-poc' of https://github.com/ministryof…

…justice/opg-scanning into feat/opg-scanning-poc

.github/workflows/_example_workflow.yml

@@ -19,18 +19,17 @@ permissions:
   repository-projects: none
   statuses: none
 
-
 jobs:
-  # generate a branch name  
+  # generate a branch name
   branch_name:
     name: "Generate a safe branch name"
     uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
-  
+
   # generate workspace name
   workspace_name:
     name: "Generate the workspace name"
     uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
-  
+
   tf_version:
     needs: [branch_name, workspace_name]
     name: "Get terraform version"
@@ -48,21 +47,21 @@ jobs:
       directory: "./terraform"
       terraform_version: "${{ needs.tf_version.outputs.version}}"
       terraform_wrapper: false
-  
-  # tfsec for terraform 
+
+  # tfsec for terraform
   tfsec_analysis:
     needs: [tf_lint]
     name: "Run TFSec against the code base"
     uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
 
   # SAST
-  # codeql for pythong
+  # codeql for go
   codeql_analysis:
     name: "Run CodeQL against the code base"
     uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
     with:
-      application_languages: '["python"]'
-  
+      application_languages: '["go"]'
+
   # generate tag
   semver_tag:
     needs: [branch_name, tfsec_analysis, codeql_analysis]
@@ -72,7 +71,6 @@ jobs:
       branch_name: ${{ needs.branch_name.outputs.parsed }}
     secrets: inherit
 
-
   # Docker build, trivy scan, ECR push as a matrix
   # The matrix loops over each app to build in a complicated
   # structure
@@ -88,8 +86,8 @@ jobs:
         # services to scan over
         data:
           - docker_build_directory: "./service-app"
-            image_app_name: "helloworld"    
-            test_command: "ls -l"
+            image_app_name: "helloworld"
+            test_command: "go test ./..."
     # we use these a few times, so its easier to generate them once and env
     # vars are visible in the output, so helps with debug
     env:
@@ -116,15 +114,18 @@ jobs:
         with:
           image-ref: ${{ env.local_docker_image }}
           severity: "HIGH,CRITICAL"
-          format: 'sarif'
+          format: "sarif"
           output: ${{ env.sarif_file }}
       - name: Trivy scan upload to github
         uses: github/codeql-action/upload-sarif@v2
         if: always()
         with:
           sarif_file: ${{ env.sarif_file }}
-      # for a lot of our services, there could be a test process here 
+      # for a lot of our services, there could be a test process here
       - name: Run Tests
+        working-directory: ${{ matrix.data.docker_build_directory }}
+        env:
+          PROJECT_PATH: service-app
         run: |
           ${{ matrix.data.test_command }}
       ######
@@ -155,7 +156,7 @@ jobs:
           docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:${{ env.SEMVER_TAG }}
           docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:latest
           docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY
-          
+
   # example terraform build stage
   terraform_account_build:
     name: "Terraform Account [Apply: ${{ github.ref == 'refs/heads/main'}}]"
@@ -167,9 +168,9 @@ jobs:
       terraform_apply: ${{ github.ref == 'refs/heads/main' && true || false }}
       # this would be replaced with the dynamic value from needs.workspace_name.output.name
       # but we're just using sandbox account and single env, so use default
-      terraform_workspace: "default" 
+      terraform_workspace: "default"
       # normally would need some logic to decide this based on branch name etc
-      # - if its true we would then need to pass workspace_manager_aws_account_id & 
+      # - if its true we would then need to pass workspace_manager_aws_account_id &
       #   workspace_manager_aws_iam_role as well
       is_ephemeral: false
     secrets:
@@ -179,10 +180,17 @@ jobs:
       GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   end:
-    name: 'End of workflow'
-    runs-on: 'ubuntu-latest'
-    needs: [branch_name, workspace_name, semver_tag, build_scan_push, terraform_account_build]
+    name: "End of workflow"
+    runs-on: "ubuntu-latest"
+    needs:
+      [
+        branch_name,
+        workspace_name,
+        semver_tag,
+        build_scan_push,
+        terraform_account_build,
+      ]
     steps:
       - name: "End"
         run: |
-          echo "Done"
+          echo "Done"

service-app/Dockerfile

@@ -0,0 +1,30 @@
+FROM golang:1.23-alpine3.20 AS build-env
+
+RUN apk add gcc libc-dev libxml2-dev
+
+WORKDIR /app
+
+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=1 go build -a -installsuffix cgo -o /go/bin/opg-scanning /app/cmd/service
+
+FROM alpine:3
+
+RUN apk add libxml2-dev
+ENV PROJECT_PATH=/go
+
+WORKDIR /go/bin
+
+COPY --from=build-env /go/bin/opg-scanning main
+COPY config/config.yml /go/config/config.yml
+
+RUN addgroup -S app && \
+    adduser -S -g app app && \
+    chown -R app:app main
+USER app
+ENTRYPOINT ["./main"]