eps-devcontainers/Makefile at main · NHSDigital/eps-devcontainers · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers/

ifeq ($(strip $(NO_CACHE)),true)
NO_CACHE_FLAG=--no-cache
endif

guard-%:
	@ if [ "${${*}}" = "" ]; then \
		echo "Environment variable $* not set"; \
		exit 1; \
	fi

install: install-python install-node install-hooks

install-python:
	poetry install

install-node:
	npm install

install-hooks: install-python
	poetry run pre-commit install --install-hooks --overwrite

build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
	npx devcontainer build \
		--workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \
		$(NO_CACHE_FLAG) \
		--push false \
		--output type=image,name="${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}",push=false,compression=zstd \
		--cache-from "${CONTAINER_PREFIX}$${CONTAINER_NAME}:latest" \
		--image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"

build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAGE_TAG
	docker buildx build \
		-f src/githubactions/Dockerfile \
		$(NO_CACHE_FLAG) \
		--build-arg BASE_IMAGE_NAME="$${BASE_IMAGE_NAME}" \
		--build-arg BASE_IMAGE_TAG="$${BASE_IMAGE_TAG}" \
		--load \
		-t "${CONTAINER_PREFIX}$${BASE_IMAGE_NAME}:githubactions-$${IMAGE_TAG}" \
		.

scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER
	mkdir -p .out
	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
	common="src/common/.trivyignore.yaml"; \
	extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
	exit_code="$${EXIT_CODE:-1}"; \
	echo "vulnerabilities:" > "$$combined"; \
	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
	if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
	trivy image \
		--severity HIGH,CRITICAL \
		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
		--scanners vuln \
		--exit-code $$exit_code \
		--format table \
		--output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"

scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
	mkdir -p .out
	@combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \
	common="src/common/.trivyignore.yaml"; \
	extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \
	specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \
	exit_code="$${EXIT_CODE:-1}"; \
	echo "vulnerabilities:" > "$$combined"; \
	if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \
	if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \
	if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \
	trivy image \
		--severity HIGH,CRITICAL \
		--config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \
		--scanners vuln \
		--exit-code "$$exit_code" \
		--format json \
		--output .out/scan_results_docker.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"

shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
	docker run -it \
	--rm \
	"${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"  \
	bash

lint: lint-githubactions

test:
	echo "Not implemented"

lint-githubactions:
	actionlint

github-login:
	gh auth login --scopes read:packages

lint-githubaction-scripts:
	shellcheck .github/scripts/*.sh

clean:
	rm -rf .out
	find . -type f -name '.trivyignore_combined.yaml' -delete