From b740e6771a36aa1d28e40b28552e1d802562384c Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 17 Dec 2025 15:20:46 +0000 Subject: [PATCH 1/9] CCM-13343: Trivy Package and Library Scans --- .github/actions/trivy-iac/action.yaml | 18 ++ .github/actions/trivy-package/action.yaml | 16 ++ .github/actions/trivy/action.yaml | 17 -- .github/workflows/stage-1-commit.yaml | 27 ++- .trivyignore | 1 + scripts/terraform/trivy-scan.sh | 194 ++++++++++++++++++++++ scripts/terraform/trivy.sh | 96 ----------- 7 files changed, 251 insertions(+), 118 deletions(-) create mode 100644 .github/actions/trivy-iac/action.yaml create mode 100644 .github/actions/trivy-package/action.yaml delete mode 100644 .github/actions/trivy/action.yaml create mode 100644 .trivyignore create mode 100755 scripts/terraform/trivy-scan.sh delete mode 100755 scripts/terraform/trivy.sh diff --git a/.github/actions/trivy-iac/action.yaml b/.github/actions/trivy-iac/action.yaml new file mode 100644 index 00000000..583f9356 --- /dev/null +++ b/.github/actions/trivy-iac/action.yaml @@ -0,0 +1,18 @@ +name: "Trivy IaC Scan" +description: "Scan Terraform IaC using Trivy" +runs: + using: "composite" + steps: + - name: "Trivy Terraform IaC Scan" + shell: bash + run: | + components_exit_code=0 + modules_exit_code=0 + + ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$? + ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$? + + if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then + echo "Trivy misconfigurations detected." + exit 1 + fi diff --git a/.github/actions/trivy-package/action.yaml b/.github/actions/trivy-package/action.yaml new file mode 100644 index 00000000..d6ee4a3f --- /dev/null +++ b/.github/actions/trivy-package/action.yaml 
@@ -0,0 +1,16 @@ +name: "Trivy Package Scan" +description: "Scan project packages using Trivy" +runs: + using: "composite" + steps: + - name: "Trivy Package Scan" + shell: bash + run: | + exit_code=0 + + ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$? + + if [ $exit_code -ne 0 ]; then + echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption" + exit 1 + fi diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml deleted file mode 100644 index be940ce5..00000000 --- a/.github/actions/trivy/action.yaml +++ /dev/null @@ -1,17 +0,0 @@ -name: "Trivy Scan" -runs: - using: "composite" - steps: - - name: "Trivy Terraform IAC Scan" - shell: bash - run: | - components_exit_code=0 - modules_exit_code=0 - - ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$? - ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$? - - if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then - echo "Trivy misconfigurations detected." - exit 1 - fi diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 0735021c..21777afc 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -148,10 +148,12 @@ jobs: uses: actions/checkout@v4 - name: "Lint Terraform" uses: ./.github/actions/lint-terraform - trivy: - name: "Trivy Scan" + trivy-iac: + name: "Trivy IaC Scan" + permissions: + contents: read runs-on: ubuntu-latest - timeout-minutes: 5 + timeout-minutes: 10 needs: detect-terraform-changes if: needs.detect-terraform-changes.outputs.terraform_changed == 'true' steps: 
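Review bot: The failure message in the new trivy-package action misspells "vulnerabilities" (`vulnerablilites`), and this is the exact string developers will see and search for when the gate trips; change it to `echo "Trivy has detected package vulnerabilities. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"`. The action only gates on HIGH and CRITICAL because trivy-scan.sh passes `--severity HIGH,CRITICAL` for package mode; it would help anyone triaging a failure to say so in the message or in the action's `description`, since MEDIUM findings never appear here.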
@@ -161,8 +163,23 @@ jobs: uses: asdf-vm/actions/setup@v4 - name: "Perform Setup" uses: ./.github/actions/setup - - name: "Trivy Scan" - uses: ./.github/actions/trivy + - name: "Trivy IaC Scan" + uses: ./.github/actions/trivy-iac + trivy-package: + name: "Trivy Package Scan" + permissions: + contents: read + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: "Checkout code" + uses: actions/checkout@v4 + - name: "Setup ASDF" + uses: asdf-vm/actions/setup@v4 + - name: "Perform Setup" + uses: ./.github/actions/setup + - name: "Trivy Package Scan" + uses: ./.github/actions/trivy-package count-lines-of-code: name: "Count lines of code" runs-on: ubuntu-latest diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 00000000..5d07d59a --- /dev/null +++ b/.trivyignore @@ -0,0 +1 @@ +CVE-2025-68154 # Impacts Windows systems only. https://nvd.nist.gov/vuln/detail/CVE-2025-68154 Ticket to review: https://nhsd-jira.digital.nhs.uk/browse/CCM-13645 diff --git a/scripts/terraform/trivy-scan.sh b/scripts/terraform/trivy-scan.sh new file mode 100755 index 00000000..15656233 --- /dev/null +++ b/scripts/terraform/trivy-scan.sh 
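Review bot: The exemption for CVE-2025-68154 has no expiry, so the "Ticket to review" link in the trailing comment is the only thing that will ever bring it back; Trivy's ignore file supports an expiry field that makes the finding reappear automatically, e.g. `CVE-2025-68154 exp:2026-03-31 # Impacts Windows systems only. ... CCM-13645`. As far as I recall Trivy treats everything after the ID as free-form fields and only interprets an `exp:` token, so the inline comment is harmless but also unvalidated — a `# ...` line above the ID is the documented form if tooling ever tightens up. Note that a root `.trivyignore` applies to both the iac and package scans, because trivy-scan.sh does `cd "$(git rev-parse --show-toplevel)"` before invoking Trivy, so an ID suppressed for one scan is suppressed for the other too.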
@@ -0,0 +1,194 @@ +#!/usr/bin/env bash + +# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/NHSDigital/nhs-notify-repository-template). Raise a PR instead. + +set -euo pipefail + +function usage() { + cat <<'EOF' +Usage: ./scripts/terraform/trivy-scan.sh --mode [directory] + +Options: + --mode, -m Scan type to run. Accepts "iac" or "package" (required). + --help, -h Show this message. + [directory] Directory to scan. Defaults to the repository root. + +Environment variables: + FORCE_USE_DOCKER=true Force execution through Docker even if Trivy is installed locally. + VERBOSE=true Enable bash -x tracing. +EOF +} + +function main() { + cd "$(git rev-parse --show-toplevel)" + + local scan_mode="" + local dir_to_scan="." + + while [[ $# -gt 0 ]]; do + case "$1" in + --mode|-m) + if [[ $# -lt 2 ]]; then + echo "Error: --mode requires an argument." >&2 + usage + exit 1 + fi + scan_mode="$2" + shift 2 + ;; + --help|-h) + usage + exit 0 + ;; + --) + shift + break + ;; + -*) + echo "Unknown option: $1" >&2 + usage + exit 1 + ;; + *) + dir_to_scan="$1" + shift + ;; + esac + done + + if [[ $# -gt 0 ]]; then + dir_to_scan="$1" + fi + + if [[ -z "$scan_mode" ]]; then + echo "Error: --mode must be provided (iac|package)." >&2 + usage + exit 1 + fi + + case "$scan_mode" in + iac|package) + ;; + *) + echo "Error: unknown mode '$scan_mode'. Expected 'iac' or 'package'." >&2 + usage + exit 1 + ;; + esac + + if command -v trivy > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then + run-trivy-natively "$scan_mode" "$dir_to_scan" + else + run-trivy-in-docker "$scan_mode" "$dir_to_scan" + fi +} + +function run-trivy-natively() { + local scan_mode="$1" + local dir_to_scan="$2" + + echo "Trivy found locally, running natively" + echo "Running Trivy ($scan_mode) on directory: $dir_to_scan" + + if execute-trivy-command "$scan_mode" "$dir_to_scan"; then + check-trivy-status 0 + else + local status=$? 
+ check-trivy-status "$status" + fi +} + +function run-trivy-in-docker() { + # shellcheck disable=SC1091 + source ./scripts/docker/docker.lib.sh + + local scan_mode="$1" + local dir_to_scan="$2" + + # shellcheck disable=SC2155 + local image=$(name=aquasec/trivy docker-get-image-version-and-pull) + + echo "Trivy not found locally, running in Docker Container" + echo "Running Trivy ($scan_mode) on directory: $dir_to_scan" + + if execute-trivy-in-docker "$image" "$scan_mode" "$dir_to_scan"; then + check-trivy-status 0 + else + local status=$? + check-trivy-status "$status" + fi +} + +function execute-trivy-command() { + local scan_mode="$1" + local dir_to_scan="$2" + + if [[ "$scan_mode" == "iac" ]]; then + trivy config \ + --config scripts/config/trivy.yaml \ + --tf-exclude-downloaded-modules \ + "$dir_to_scan" + else + trivy \ + --config scripts/config/trivy.yaml \ + fs "$dir_to_scan" \ + --scanners vuln \ + --severity HIGH,CRITICAL \ + --include-dev-deps + fi +} + +function execute-trivy-in-docker() { + local image="$1" + local scan_mode="$2" + local dir_to_scan="$3" + + if [[ "$scan_mode" == "iac" ]]; then + docker run --rm --platform linux/amd64 \ + --volume "$PWD":/workdir \ + --workdir /workdir \ + "$image" \ + config \ + --config scripts/config/trivy.yaml \ + --tf-exclude-downloaded-modules \ + "$dir_to_scan" + else + docker run --rm --platform linux/amd64 \ + --volume "$PWD":/workdir \ + --workdir /workdir \ + "$image" \ + --config scripts/config/trivy.yaml \ + fs "$dir_to_scan" \ + --scanners vuln \ + --severity HIGH,CRITICAL \ + --include-dev-deps + fi +} + +function check-trivy-status() { + local status="$1" + + if [[ "$status" -eq 0 ]]; then + echo "Trivy completed successfully." + return 0 + fi + + echo "Trivy found issues." 
+ exit "$status" +} + +function is-arg-true() { + if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then + return 0 + else + return 1 + fi +} + +# ============================================================================== + +is-arg-true "${VERBOSE:-false}" && set -x + +main "$@" + +exit 0 diff --git a/scripts/terraform/trivy.sh b/scripts/terraform/trivy.sh deleted file mode 100755 index 93caabd8..00000000 --- a/scripts/terraform/trivy.sh +++ /dev/null 
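Review bot: Neither `trivy config` nor `trivy fs` in execute-trivy-command / execute-trivy-in-docker passes `--exit-code`, and Trivy's default exit code is 0 even when findings are reported, so unless `scripts/config/trivy.yaml` (not in this diff) sets `exit-code: 1`, check-trivy-status always receives 0 and the new package gate never fails. Making the gate explicit on the command line, `--exit-code 1`, removes that dependency on a shared config file that a future template sync could change. In the Docker path the checkout is mounted read-write (`--volume "$PWD":/workdir`); the scanner only needs to read the tree and keeps its cache elsewhere by default, so `--volume "$PWD":/workdir:ro` limits what a compromised `aquasec/trivy` image could do to the working copy. The image tag/digest comes from `docker-get-image-version-and-pull` in docker.lib.sh, which is outside this diff — worth confirming it resolves to a digest rather than `latest`.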
@@ -1,96 +0,0 @@ -#!/usr/bin/env bash - -# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/NHSDigital/nhs-notify-repository-template). Raise a PR instead. - -set -euo pipefail - -# TFSec command wrapper. It will run the command natively if TFSec is -# installed, otherwise it will run it in a Docker container. -# Run tfsec for security checks on Terraform code. -# -# Usage: -# $ ./trivy.sh [directory] -# ============================================================================== - -function main() { - - cd "$(git rev-parse --show-toplevel)" - - local dir_to_scan=${1:-.} - - if command -v trivy > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then - # shellcheck disable=SC2154 - run-trivy-natively "$dir_to_scan" - else - run-trivy-in-docker "$dir_to_scan" - fi -} - -# Run trivy on the specified directory. -# Arguments: -# $1 - Directory to scan -function run-trivy-natively() { - - local dir_to_scan="$1" - - echo "Trivy found locally, running natively" - - echo "Running Trivy on directory: $dir_to_scan" - trivy config \ - --config scripts/config/trivy.yaml \ - --tf-exclude-downloaded-modules \ - "${dir_to_scan}" - - check-trivy-status -} - -# Check the exit status of tfsec. -function check-trivy-status() { - - if [ $? -eq 0 ]; then - echo "Trivy completed successfully." - else - echo "Trivy found issues." 
- exit 1 - fi -} - -function run-trivy-in-docker() { - - # shellcheck disable=SC1091 - source ./scripts/docker/docker.lib.sh - local dir_to_scan="$1" - - # shellcheck disable=SC2155 - local image=$(name=aquasec/trivy docker-get-image-version-and-pull) - # shellcheck disable=SC2086 - echo "Trivy not found locally, running in Docker Container" - echo "Running Trivy on directory: $dir_to_scan" - docker run --rm --platform linux/amd64 \ - --volume "$PWD":/workdir \ - --workdir /workdir \ - "$image" \ - config \ - --config scripts/config/trivy.yaml \ - --tf-exclude-downloaded-modules \ - "${dir_to_scan}" - check-trivy-status -} -# ============================================================================== - -function is-arg-true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is-arg-true "${VERBOSE:-false}" && set -x - -main "$@" - -exit 0 From aaef0cebdec5a28e7c01b073176b0574b5620dcf Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 23 Dec 2025 10:17:51 +0000 Subject: [PATCH 2/9] CCM-13343: Trivy Package and Library Scans --- .github/workflows/stage-1-commit.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 21777afc..9757b256 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -160,7 +160,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@v4 - name: "Setup ASDF" - uses: asdf-vm/actions/setup@v4 + uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 - name: "Perform Setup" uses: ./.github/actions/setup - name: "Trivy IaC Scan" 
@@ -175,7 +175,7 @@ jobs: - name: "Checkout code" uses: actions/checkout@v4 - name: "Setup ASDF" - uses: asdf-vm/actions/setup@v4 + uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 - name: "Perform Setup" uses: ./.github/actions/setup - name: "Trivy Package Scan" From 38eefdd1688e9df852fad5c68606b141a962ced8 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 23 Dec 2025 11:02:44 +0000 Subject: [PATCH 3/9] CCM-13343: Trivy Package and Library Scans --- .tool-versions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.tool-versions b/.tool-versions index 15c859af..0d7cd259 100644 --- a/.tool-versions +++ b/.tool-versions 
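Review bot: Pinning `asdf-vm/actions/setup` to a commit SHA is the right move, but the bare hash gives no hint which release it corresponds to; the usual convention is a trailing version comment, `uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # vX.Y.Z`, which lets reviewers and Dependabot/Renovate track it. In the same two jobs `actions/checkout@v4` is still referenced by a mutable tag, so each job is only as pinned as its least-pinned action; pin it by SHA the same way for consistency.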
@@ -15,8 +15,8 @@ vale 3.6.0 # The section below is reserved for Docker image versions. # TODO: Move this section - consider using a different file for the repository template dependencies. -# docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33 # SEE: https://github.com/anchore/grype/pkgs/container/grype -# docker/ghcr.io/anchore/syft v1.26.0@sha256:de078f51704a213906970b1475edd6006b8af50aa159852e125518237487b8c6 # SEE: https://github.com/anchore/syft/pkgs/container/syft +# docker/ghcr.io/anchore/grype v0.104.3@sha256:d340f4f8b3b7e6e72a6c9c0152f25402ed8a2d7375dba1dfce4e53115242feb6 # SEE: https://github.com/anchore/grype/pkgs/container/grype +# docker/ghcr.io/anchore/syft v1.39.0@sha256:6f13bb010923c33fb197047c8f88888e77071bd32596b3f605d62a133e493ce4 # SEE: https://github.com/anchore/syft/pkgs/container/syft # docker/ghcr.io/gitleaks/gitleaks:v8.24.0@sha256:b8e9bf46893c2f20e10bfb4b2e783adaef519dea981b01ca6221ac325e836040 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc From 01211bfacc4ce45a0d89dc933d919be3aa17553f Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 23 Dec 2025 11:56:04 +0000 Subject: [PATCH 4/9] CCM-13343: Trivy Package and Library Scans --- .../modules/cognito-triggers/versions.tf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 infrastructure/terraform/modules/cognito-triggers/versions.tf 
diff --git a/infrastructure/terraform/modules/cognito-triggers/versions.tf b/infrastructure/terraform/modules/cognito-triggers/versions.tf new file mode 100644 index 00000000..ae19099b --- /dev/null +++ b/infrastructure/terraform/modules/cognito-triggers/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + + configuration_aliases = [ + aws.us-east-1, + ] + } + github = { + source = "integrations/github" + version = "= 6.8.1" + } + } + + required_version = ">= 1.10.1" +} From c8d8a03a54c7cff62cbbcf438200a0d34f9ce583 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 23 Dec 2025 12:04:00 +0000 Subject: [PATCH 5/9] CCM-13343: Trivy Package and Library Scans --- .../terraform/modules/public-signing-keys/versions.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/infrastructure/terraform/modules/public-signing-keys/versions.tf b/infrastructure/terraform/modules/public-signing-keys/versions.tf index ae19099b..be3be26c 100644 --- a/infrastructure/terraform/modules/public-signing-keys/versions.tf +++ b/infrastructure/terraform/modules/public-signing-keys/versions.tf @@ -2,10 +2,6 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - - configuration_aliases = [ - aws.us-east-1, - ] } github = { source = "integrations/github" From f36315bd6c2e2170462a0e854b698b706b793d03 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 23 Dec 2025 12:04:39 +0000 Subject: [PATCH 6/9] CCM-13343: Trivy Package and Library Scans --- infrastructure/terraform/modules/cognito-triggers/versions.tf | 4 ---- .../terraform/modules/public-signing-keys/versions.tf | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/infrastructure/terraform/modules/cognito-triggers/versions.tf b/infrastructure/terraform/modules/cognito-triggers/versions.tf index ae19099b..be3be26c 100644 --- a/infrastructure/terraform/modules/cognito-triggers/versions.tf 
+++ b/infrastructure/terraform/modules/cognito-triggers/versions.tf @@ -2,10 +2,6 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - - configuration_aliases = [ - aws.us-east-1, - ] } github = { source = "integrations/github" diff --git a/infrastructure/terraform/modules/public-signing-keys/versions.tf b/infrastructure/terraform/modules/public-signing-keys/versions.tf index be3be26c..ae19099b 100644 --- a/infrastructure/terraform/modules/public-signing-keys/versions.tf +++ b/infrastructure/terraform/modules/public-signing-keys/versions.tf @@ -2,6 +2,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" + + configuration_aliases = [ + aws.us-east-1, + ] } github = { source = "integrations/github" From bb6fc724aeea89e4698254e3386474752bded62a Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 23 Dec 2025 13:02:26 +0000 Subject: [PATCH 7/9] CCM-13343: Trivy Package and Library Scans --- .../terraform/components/sandbox/versions.tf | 4 ++++ .../terraform/modules/cognito-triggers/versions.tf | 13 ------------- 2 files changed, 4 insertions(+), 13 deletions(-) delete mode 100644 infrastructure/terraform/modules/cognito-triggers/versions.tf diff --git a/infrastructure/terraform/components/sandbox/versions.tf b/infrastructure/terraform/components/sandbox/versions.tf index ee41cc30..465423bf 100644 --- a/infrastructure/terraform/components/sandbox/versions.tf +++ b/infrastructure/terraform/components/sandbox/versions.tf @@ -12,3 +12,7 @@ terraform { required_version = ">= 1.10.1" } + +provider "github" { + owner = "NHSDigital" +} diff --git a/infrastructure/terraform/modules/cognito-triggers/versions.tf b/infrastructure/terraform/modules/cognito-triggers/versions.tf deleted file mode 100644 index be3be26c..00000000 --- a/infrastructure/terraform/modules/cognito-triggers/versions.tf +++ /dev/null 
@@ -1,13 +0,0 @@ -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - } - github = { - source = "integrations/github" - version = "= 6.8.1" - } - } - - required_version = ">= 1.10.1" -} From d07ae2a67c50dddedada1f70ceff4078876cf4bb Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 23 Dec 2025 13:13:13 +0000 Subject: [PATCH 8/9] CCM-13343: Trivy Package and Library Scans --- infrastructure/terraform/components/app/versions.tf | 4 ++++ infrastructure/terraform/components/branch/versions.tf | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/infrastructure/terraform/components/app/versions.tf b/infrastructure/terraform/components/app/versions.tf index a3248302..674c6ed0 100644 --- a/infrastructure/terraform/components/app/versions.tf +++ b/infrastructure/terraform/components/app/versions.tf @@ -12,3 +12,7 @@ terraform { required_version = ">= 1.10.1" } + +provider "github" { + owner = "NHSDigital" +} diff --git a/infrastructure/terraform/components/branch/versions.tf b/infrastructure/terraform/components/branch/versions.tf index 224cb0a1..1f8a45f5 100644 --- a/infrastructure/terraform/components/branch/versions.tf +++ b/infrastructure/terraform/components/branch/versions.tf @@ -8,3 +8,7 @@ terraform { required_version = ">= 1.10.1" } + +provider "github" { + owner = "NHSDigital" +} From b75729aa94294061a709d1e0714bad400693ac6d Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Mon, 5 Jan 2026 13:41:29 +0000 Subject: [PATCH 9/9] CCM-13678: Trivy Skip Scan with Label --- .github/PULL_REQUEST_TEMPLATE.md | 1 + .github/workflows/cicd-1-pull-request.yaml | 22 ++++++++++++++++++++++ .github/workflows/stage-1-commit.yaml | 5 +++++ 3 files changed, 28 insertions(+) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index c00ff413..812a8ca0 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md 
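Review bot: The new `provider "github"` blocks in app/ and branch/ configure only `owner`, with no `token`, so the integrations/github provider will presumably fall back to `GITHUB_TOKEN`/`GH_TOKEN` from the environment; that is the right choice (no credential in code) but it should be stated, e.g. `# Authenticates via GITHUB_TOKEN / GH_TOKEN from the environment; no token is configured here on purpose.` The hunks only show the tail of each `terraform {}` block, so whether `github` is declared in these components' `required_providers` (and with what version constraint) is not visible — confirm it is, since `= 6.8.1` was pinned in the module that this series later deletes. The commit message ("Trivy Package and Library Scans") does not explain why a Terraform provider configuration is needed for a scanning change; a sentence on that would help whoever reads the history.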
@@ -25,6 +25,7 @@ - [ ] I have added tests to cover my changes - [ ] I have updated the documentation accordingly - [ ] This PR is a result of pair or mob programming +- [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR. --- diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml index c21bd6ad..1a38cb50 100644 --- a/.github/workflows/cicd-1-pull-request.yaml +++ b/.github/workflows/cicd-1-pull-request.yaml @@ -31,6 +31,7 @@ jobs: version: ${{ steps.variables.outputs.version }} does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }} pr_number: ${{ steps.pr_exists.outputs.pr_number }} + skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }} steps: - name: "Checkout code" uses: actions/checkout@v4 @@ -67,6 +68,26 @@ jobs: echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT echo "pr_number=" >> $GITHUB_OUTPUT fi + - name: "Determine if Trivy package scan should be skipped" + id: skip_trivy + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }} + run: | + if [[ -z "$PR_NUMBER" ]]; then + echo "No pull request detected; Trivy package scan will run." + echo "skip_trivy_package=false" >> $GITHUB_OUTPUT + exit 0 + fi + + labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name') + echo "Labels on PR #$PR_NUMBER: $labels" + + if echo "$labels" | grep -Fxq 'skip-trivy-package'; then + echo "skip_trivy_package=true" >> $GITHUB_OUTPUT + else + echo "skip_trivy_package=false" >> $GITHUB_OUTPUT + fi - name: "List variables" run: | export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}" 
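Review bot: The skip decision in the "Determine if Trivy package scan should be skipped" step is taken from whatever labels the PR carries when the metadata job runs, and nothing in the run records that a security scan was bypassed; anyone with triage permission can add a label, so this is a weaker control than the new PR-template checkbox implies. At minimum surface it in the run, after the `grep -Fxq`: `echo "::warning::Trivy package scan skipped via 'skip-trivy-package' label on PR #$PR_NUMBER"` and the same text appended to `$GITHUB_STEP_SUMMARY`, so the skip is visible in the checks UI and in any audit of the run. If the workflow's triggers (outside this hunk) do not include `labeled`/`unlabeled`, adding or removing the label after a push will not re-evaluate this step until the next commit — worth a comment either way. `>> $GITHUB_OUTPUT` should be quoted as `>> "$GITHUB_OUTPUT"`, matching the `"$PR_NUMBER"` quoting elsewhere in the step.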
@@ -90,6 +111,7 @@ jobs: build_epoch: "${{ needs.metadata.outputs.build_epoch }}" nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}" python_version: "${{ needs.metadata.outputs.python_version }}" + skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }} terraform_version: "${{ needs.metadata.outputs.terraform_version }}" version: "${{ needs.metadata.outputs.version }}" secrets: inherit diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml index 9757b256..d960bc2e 100644 --- a/.github/workflows/stage-1-commit.yaml +++ b/.github/workflows/stage-1-commit.yaml @@ -23,6 +23,10 @@ on: description: "Python version, set by the CI/CD pipeline workflow" required: true type: string + skip_trivy_package: + description: "Skip Trivy package scan when true" + type: boolean + default: false terraform_version: description: "Terraform version, set by the CI/CD pipeline workflow" required: true @@ -166,6 +170,7 @@ jobs: - name: "Trivy IaC Scan" uses: ./.github/actions/trivy-iac trivy-package: + if: ${{ !inputs.skip_trivy_package }} name: "Trivy Package Scan" permissions: contents: read
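Review bot: With `if: ${{ !inputs.skip_trivy_package }}` the `trivy-package` job is skipped rather than run, and as I understand GitHub's behaviour a job skipped by an `if:` condition still satisfies a required status check; if "Trivy Package Scan" is, or becomes, a required check in branch protection, the label bypasses it silently. If that is intended, say so next to the condition, e.g. `# Skipped (not failed) when the PR carries the skip-trivy-package label; a skipped job satisfies branch protection, so the label must be access-controlled.` An alternative that keeps the evidence is to always run the scan and only make its exit non-fatal when the input is set, so the findings still appear in the log. The `default: false` on the new input means callers other than cicd-1-pull-request keep running the scan, which is the right default.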