Feat/opg scanning poc

.github/workflows/_example_workflow.yml

@@ -19,60 +19,34 @@ permissions:
   repository-projects: none
   statuses: none
 
-
 jobs:
-  # generate a branch name  
+  # generate a branch name
   branch_name:
     name: "Generate a safe branch name"
     uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
-  
+
   # generate workspace name
   workspace_name:
     name: "Generate the workspace name"
     uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
-
-  tf_version:
-    needs: [branch_name, workspace_name]
-    name: "Get terraform version"
-    uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
-    with:
-      terraform_directory: "./terraform/account/"
-
-  # LINTING
-  # run linting for terraform
-  tf_lint:
-    needs: [tf_version]
-    name: "Run terraform linting"
-    uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
-    with:
-      directory: "./terraform"
-      terraform_version: "${{ needs.tf_version.outputs.version}}"
-      terraform_wrapper: false
-
-  # tfsec for terraform 
-  tfsec_analysis:
-    needs: [tf_lint]
-    name: "Run TFSec against the code base"
-    uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
 
   # SAST
-  # codeql for pythong
+  # codeql for go
   codeql_analysis:
     name: "Run CodeQL against the code base"
     uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
     with:
-      application_languages: '["python"]'
-  
+      application_languages: '["go"]'
+
   # generate tag
   semver_tag:
-    needs: [branch_name, tfsec_analysis, codeql_analysis]
+    needs: [branch_name, codeql_analysis]
     name: "Generate the semver tag value"
     uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
     with:
       branch_name: ${{ needs.branch_name.outputs.parsed }}
     secrets: inherit
 
-
   # Docker build, trivy scan, ECR push as a matrix
   # The matrix loops over each app to build in a complicated
   # structure
@@ -81,15 +55,15 @@ jobs:
     name: "Docker build, trivy scan, ECR push"
     runs-on: ubuntu-latest
     # require all steps before this matrix to have passed
-    needs: [tf_version, branch_name, workspace_name, semver_tag]
+    needs: [branch_name, workspace_name, semver_tag]
     strategy:
       fail-fast: true
       matrix:
         # services to scan over
         data:
           - docker_build_directory: "./service-app"
-            image_app_name: "helloworld"    
-            test_command: "ls -l"
+            image_app_name: "helloworld"
+            test_command: "go test ./..."
     # we use these a few times, so its easier to generate them once and env
     # vars are visible in the output, so helps with debug
     env:
@@ -107,82 +81,72 @@ jobs:
         working-directory: ${{ matrix.data.docker_build_directory }}
         run: |
           docker build -t ${{ env.local_docker_image }} .
+      # log in to ECR
+      - name: Configure AWS Credentials With Assumed Role to Management
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: eu-west-1
+          # management account role
+          role-to-assume: arn:aws:iam::311462405659:role/sirius-actions-ci
+          role-duration-seconds: 900
+          role-session-name: OPGScanningWorkflowGithubAction
+      - name: ECR Login
+        id: login_ecr
+        uses: aws-actions/[email protected]
+        with:
+          registries: 311462405659
       # to check if things worked, output docker image list
       - name: Docker image list
         run: |
           docker images
       - name: Trivy scan
-        uses: aquasecurity/[email protected]
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
         with:
           image-ref: ${{ env.local_docker_image }}
           severity: "HIGH,CRITICAL"
-          format: 'sarif'
+          format: "sarif"
           output: ${{ env.sarif_file }}
       - name: Trivy scan upload to github
         uses: github/codeql-action/upload-sarif@v2
         if: always()
         with:
           sarif_file: ${{ env.sarif_file }}
-      # for a lot of our services, there could be a test process here 
+      # for a lot of our services, there could be a test process here
       - name: Run Tests
+        working-directory: ${{ matrix.data.docker_build_directory }}
+        env:
+          PROJECT_PATH: service-app
         run: |
           ${{ matrix.data.test_command }}
       ######
       ## Push to ECR
       ######
-      - uses: unfor19/install-aws-cli-action@v1
-      - name: Configure AWS Credentials With Assumed Role to Management
-        uses: aws-actions/[email protected]
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: eu-west-1
-          # management account role
-          role-to-assume: arn:aws:iam::311462405659:role/gh-template-repo-ci
-          role-duration-seconds: 900
-          role-session-name: OPGExampleWorkflowGithubAction
-      - name: ECR Login
-        id: login_ecr
-        uses: aws-actions/[email protected]
-        with:
-          registries: 311462405659
       - name: Push Container
         env:
           SEMVER_TAG: ${{ needs.semver_tag.outputs.tag }}
           ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
-          ECR_REPOSITORY: github-template-repository/helloworld
+          ECR_REPOSITORY: sirius/scanning/app
         run: |
           docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:${{ env.SEMVER_TAG }}
           docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:latest
           docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY
-
-  # example terraform build stage
-  terraform_account_build:
-    name: "Terraform Account [Apply: ${{ github.ref == 'refs/heads/main'}}]"
-    needs: [workspace_name, semver_tag, build_scan_push, tf_version]
-    uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
-    with:
-      terraform_version: "${{ needs.tf_version.outputs.version}}"
-      terraform_directory: "./terraform/account"
-      terraform_apply: ${{ github.ref == 'refs/heads/main' && true || false }}
-      # this would be replaced with the dynamic value from needs.workspace_name.output.name
-      # but we're just using sandbox account and single env, so use default
-      terraform_workspace: "default" 
-      # normally would need some logic to decide this based on branch name etc
-      # - if its true we would then need to pass workspace_manager_aws_account_id & 
-      #   workspace_manager_aws_iam_role as well
-      is_ephemeral: false
-    secrets:
-      AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      PAGERDUTY_TOKEN: "NONE"
-      GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   end:
-    name: 'End of workflow'
-    runs-on: 'ubuntu-latest'
-    needs: [branch_name, workspace_name, semver_tag, build_scan_push, terraform_account_build]
+    name: "End of workflow"
+    runs-on: "ubuntu-latest"
+    needs:
+      [
+        branch_name,
+        workspace_name,
+        semver_tag,
+        build_scan_push,
+      ]
     steps:
       - name: "End"
         run: |
-          echo "Done"
+          echo "Done"

docker-compose.yml

@@ -0,0 +1,11 @@
+version: '3.8'
+
+services:
+  app:
+    build:
+      context: ./service-app
+    ports:
+      - "8081:8081"     
+    environment:
+      - PORT=8081      
+    command: ./app

service-app/Dockerfile

@@ -1,7 +1,31 @@
-FROM python:3.11.9-alpine3.20
+FROM golang:1.23-alpine3.20 AS build-env
+
+RUN apk add gcc libc-dev libxml2-dev
 
-RUN mkdir /app
 WORKDIR /app
-ADD hello-world.py .
 
-CMD ["python", "-u", "hello-world.py"]
+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=1 go build -a -installsuffix cgo -o /go/bin/opg-scanning /app/cmd/service
+
+FROM alpine:3
+
+RUN apk add libxml2-dev
+ENV PROJECT_PATH=/go
+ENV SIRIUS_BASE_URL=/
+
+WORKDIR /go/bin
+
+COPY --from=build-env /go/bin/opg-scanning main
+COPY xsd /go/xsd
+
+RUN addgroup -S app && \
+    adduser -S -g app app && \
+    chown -R app:app main
+USER app
+ENTRYPOINT ["./main"]

service-app/cmd/service/main.go

@@ -0,0 +1,46 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/ministryofjustice/opg-go-common/telemetry"
+	"github.com/ministryofjustice/opg-scanning/internal/api"
+)
+
+func main() {
+	// Set up logging
+	logger := telemetry.NewLogger("opg-scanning-service")
+
+	// Initialize the tracer provider
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	shutdownTracer, err := telemetry.StartTracerProvider(ctx, logger, true)
+	if err != nil {
+		logger.Error("Failed to start tracer provider", "error", err)
+		return
+	}
+	defer shutdownTracer()
+
+	controller := api.NewIndexController()
+	controller.Queue.StartWorkerPool(ctx, 3)
+	logger.Info("Service started...")
+
+	go func() {
+		controller.HandleRequests()
+	}()
+
+	// Handle graceful shutdown on receiving an interrupt or SIGTERM signal
+	stop := make(chan os.Signal, 1)
+	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
+	<-stop
+
+	// Start shutdown sequence
+	logger.Info("Shutting down gracefully...")
+	cancel()
+	controller.Queue.Close()
+	logger.Info("All jobs processed. Exiting.")
+}

service-app/config/config.go

@@ -0,0 +1,53 @@
+package config
+
+import (
+	"log"
+	"path/filepath"
+
+	"github.com/joho/godotenv"
+	"github.com/kelseyhightower/envconfig"
+	"github.com/ministryofjustice/opg-scanning/internal/util"
+)
+
+type (
+	Config struct {
+		App  App
+		HTTP HTTP
+	}
+
+	// App configuration fields.
+	App struct {
+		SiriusBaseURL   string `required:"true" envconfig:"SIRIUS_BASE_URL" default:".."`
+		ProjectPath     string `required:"true" envconfig:"PROJECT_PATH" default:".."`
+		ProjectFullPath string
+	}
+
+	// HTTP server configuration fields.
+	HTTP struct {
+		Port string `required:"true" envconfig:"HTTP_PORT" default:"8081"`
+	}
+)
+
+// Loads configuration from .env and environment variables.
+func NewConfig() *Config {
+	projectRoot, err := util.GetProjectRoot()
+	if err != nil {
+		log.Fatalf("failed to get project root: %v", err)
+	}
+
+	envPath := filepath.Join(projectRoot, ".env")
+	if err := godotenv.Load(envPath); err != nil {
+		log.Println("No .env file found or could not be loaded. Falling back to OS environment variables.")
+	}
+
+	var cfg Config
+	if err := envconfig.Process("", &cfg); err != nil {
+		log.Fatalf("failed to load environment variables into config: %v", err)
+	}
+
+	cfg.App.ProjectFullPath = filepath.Join(projectRoot, cfg.App.ProjectPath)
+
+	log.Println("Configuration loaded successfully.")
+
+	return &cfg
+}