Chore: [AEA-0000] - various fixes (#20)

anthony-nhs · web-flow · commit a68181c543c3 · 2026-02-18T10:01:07.000Z
## Summary

- Routine Change

### Details

- fix cfn-guard makefile targets
- fix trivy-scan-docker makefile targets
- fix install of cfn-guard
- remove containers from shell-image makefile target
- update readme
diff --git a/Makefile b/Makefile
@@ -72,6 +72,7 @@ scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
 
 shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
 	docker run -it \
+	--rm \
 	"${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}"  \
 	bash
 
diff --git a/README.md b/README.md
@@ -31,8 +31,8 @@ asdf install and setup for these so they are available globally as vscode user
 Install and setup git-secrets
 
 # Using the images
-In each eps project, this should be the contents of .devcontainer/Dockerfile.
-
+## Project setup
+In each eps project, `.devcontainer/Dockerfile` should be set to
 ```
 ARG IMAGE_NAME=node_24_python_3_14
 ARG IMAGE_VERSION=latest
@@ -49,11 +49,7 @@ RUN if [ -n "${DOCKER_GID}" ]; then \
     usermod -aG docker vscode; \
     fi
 ```
-And this should be the contents of .devcontainer/devcontainer.json.   
-This file will be used in github workflows to calculate the version of container to use in builds, so it must be valid JSON (no comments).   
-The name should be changed to match the name of the project.   
-IMAGE_NAME and IMAGE_VERSION should be changed as appropriate.   
-You should not need to add any features as these are already baked into the image
+`.devcontainer/devcontainer.json` should be set to.   
 ```
 {
   "name": "eps-common-workflows",
@@ -86,7 +82,12 @@ You should not need to add any features as these are already baked into the imag
   }
 }
 ```
+Note - this file will be used in github workflows to calculate the version of container to use in builds, so it must be valid JSON (no comments).   
+The name should be changed to match the name of the project.   
+IMAGE_NAME and IMAGE_VERSION should be changed as appropriate.   
+You should not need to add any features as these are already baked into the image
 
+## Getting image name and version in github actions
 This job should be used in github actions wherever you need to get the dev container name or tag
 
 ```
@@ -106,6 +107,30 @@ This job should be used in github actions wherever you need to get the dev conta
           echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT"
           echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT"
 ```
+## Using images in github actions
+To use the image in github actions, you can use code like this
+```
+jobs:
+  my_job_name:
+    runs-on: ubuntu-22.04
+    container:
+      image: ghcr.io/nhsdigital/eps-devcontainers/<container name>:githubactions-<tag>
+      options: --user 1001:1001 --group-add 128
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: copy .tool-versions
+        run: |
+          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+      ... other steps ....
+```
+It is important that 
+- the image specified uses the tag starting githubactions-
+- there is `options: --user 1001:1001 --group-add 128` below image to ensure it uses the correct user id and is added to the docker group
+- the default shell is set to be bash
+- the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions
+
 # Project structure
 We have 4 types of dev container. These are defined under src
 
@@ -235,26 +260,6 @@ For an image built locally, you should put the IMAGE_VERSION=local-build.
 For an image built from a pull request, you should put the IMAGE_VERSION=<tag of image as show in pull request job>.  
 You can only use images built from a pull request for testing changes in github actions.   
 
-## Using images in github actions
-To use the image in github actions, you can use it in github actions using code like this
-```
-jobs:
-  my_job_name:
-    runs-on: ubuntu-22.04
-    container:
-      image: ghcr.io/nhsdigital/eps-devcontainers/<container name>:githubactions-<tag>
-      options: --user 1001:1001
-    steps:
-      - name: copy .tool-versions
-        run: |
-          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
-      ... other steps ....
-```
-It is important that 
-- the image uses the tag starting githubactions-
-- there is `options: --user 1001:1001` below image
-- the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions
-
 ## Generating a .trivyignore file
 You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json
 
diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk
@@ -32,7 +32,7 @@ cfn-guard-sam-templates:
 				SAM_OUTPUT=$$(sam validate -t "$$file" --region eu-west-2 --debug 2>&1 | grep -Pazo "(?s)AWSTemplateFormatVersion.*\\n/" | tr -d "\\0"); \
 				output_file=".cfn_guard_out/$${file}_$${ruleset}.txt"; \
 				mkdir -p "$$(dirname "$$output_file")"; \
-				echo "$${SAM_OUTPUT::-1}" | ~/.guard/bin/cfn-guard validate --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" --show-summary fail > "$$output_file"; \
+				echo "$${SAM_OUTPUT::-1}" | /home/vscode/.guard/bin/cfn-guard validate --rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" --show-summary fail > "$$output_file"; \
 			done < <(find ./SAMtemplates -type f \( -name "*.yaml" -o -name "*.yml" \) -print0); \
 		done\
 	'
@@ -42,9 +42,9 @@ cfn-guard-cloudformation:
 		rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
 		mkdir -p .cfn_guard_out; \
 		for ruleset in "$${rulesets[@]}"; do \
-			~/.guard/bin/cfn-guard validate \
+			/home/vscode/.guard/bin/cfn-guard validate \
 				--data cloudformation \
-				--rules "/tmp/ruleset/output/$$ruleset.guard" \
+				--rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" \
 				--show-summary fail \
 				> ".cfn_guard_out/cloudformation_$$ruleset.txt"; \
 		done\
@@ -55,9 +55,9 @@ cfn-guard-cdk:
 		rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
 		mkdir -p .cfn_guard_out; \
 		for ruleset in "$${rulesets[@]}"; do \
-			~/.guard/bin/cfn-guard validate \
+			/home/vscode/.guard/bin/cfn-guard validate \
 				--data cdk.out \
-				--rules "/tmp/ruleset/output/$$ruleset.guard" \
+				--rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" \
 				--show-summary fail \
 				> ".cfn_guard_out/cdk_$$ruleset.txt"; \
 		done\
@@ -68,9 +68,9 @@ cfn-guard-terraform:
 		rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar"); \
 		mkdir -p .cfn_guard_out; \
 		for ruleset in "$${rulesets[@]}"; do \
-			~/.guard/bin/cfn-guard validate \
+			/home/vscode/.guard/bin/cfn-guard validate \
 				--data terraform_plans \
-				--rules "/tmp/ruleset/output/$$ruleset.guard" \
+				--rules "/usr/local/share/eps/cfnguard_rulesets/output/$$ruleset.guard" \
 				--show-summary fail \
 				> ".cfn_guard_out/terraform_$$ruleset.txt"; \
 		done\
diff --git a/src/base/.devcontainer/Mk/trivy.mk b/src/base/.devcontainer/Mk/trivy.mk
@@ -85,7 +85,6 @@ trivy-scan-docker: guard-DOCKER_IMAGE
 		--scanners vuln \
 		--severity HIGH,CRITICAL \
 		--config trivy.yaml \
-		--include-dev-deps \
 		--exit-code 1 \
 		--pkg-types os,library \
 		--output .trivy_out/dependency_results_docker.txt \
diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh
@@ -22,7 +22,7 @@ asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git
 asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git
 
 # install cfn-guard
-$ curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
+curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
 
 # install base asdf versions of common tools
 cd /home/vscode
