🚀 Create Initial Image (#1)

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk> Co-authored-by: Gary Henderson <gary.henderson@digital.justice.gov.uk>
ministryofjustice · Mar 12, 2024 · bed75b7 · bed75b7
1 parent 29ec2d8
commit bed75b7
Show file tree

Hide file tree

Showing 21 changed files with 616 additions and 67 deletions.
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
@@ -0,0 +1,19 @@
+{
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "2.10.1",
+      "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:440bdb81cf8af43f3e922450d33db9775c1097340557a5b7b6fe705bc758c5ef",
+      "integrity": "sha256:440bdb81cf8af43f3e922450d33db9775c1097340557a5b7b6fe705bc758c5ef"
+    },
+    "ghcr.io/devcontainers/features/python:1": {
+      "version": "1.4.1",
+      "resolved": "ghcr.io/devcontainers/features/python@sha256:d7e393af2440444dddb3c275cf7f90c899a24f8e853e4d6315e1be3be7e1d49f",
+      "integrity": "sha256:d7e393af2440444dddb3c275cf7f90c899a24f8e853e4d6315e1be3be7e1d49f"
+    },
+    "ghcr.io/ministryofjustice/devcontainer-feature/aws:0": {
+      "version": "0.0.2",
+      "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/aws@sha256:db720f840ce5015117b1b1e7649dc59b8ac6b34a8786f07ab727dd081140737f",
+      "integrity": "sha256:db720f840ce5015117b1b1e7649dc59b8ac6b34a8786f07ab727dd081140737f"
+    }
+  }
+}
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,28 @@
+{
+  "name": "analytical-platform-ingestion-scan",
+  "image": "ghcr.io/ministryofjustice/devcontainer-base:latest",
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/devcontainers/features/python:1": {
+      "version": "3.12",
+      "installTools": false
+    },
+    "ghcr.io/ministryofjustice/devcontainer-feature/aws:0": {}
+  },
+  "postCreateCommand": "bash .devcontainer/post-create.sh",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "EditorConfig.EditorConfig",
+        "GitHub.vscode-github-actions",
+        "GitHub.vscode-pull-request-github",
+        "ms-python.python",
+        "ms-python.pylint",
+        "ms-python.black-formatter",
+        "ms-python.isort",
+        "ms-python.flake8",
+        "ms-python.autopep8"
+      ]
+    }
+  }
+}
diff --git a/.devcontainer/post-create.sh b/.devcontainer/post-create.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Upgrade Pip
+pip install --upgrade pip
+
+# Install dependencies
+pip install --requirement requirements-dev.txt
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,23 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.json]
+indent_style = space
+indent_size = 2
+
+[{*.sh,bootstrap}]
+indent_style = space
+indent_size = 2
+
+[{*.yml,*.yaml}]
+indent_style = space
+indent_size = 2
+
+# This file is autogenerated
+[.devcontainer/devcontainer-lock.json]
+end_of_line = unset
+insert_final_newline = unset
diff --git a/.flake8 b/.flake8
@@ -0,0 +1,2 @@
+[flake8]
+max-line-length=120
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,3 +1 @@
-# Add a team or username to this file
-# Example:
-# *   @ministryofjustice/operations-engineering
+* @ministryofjustice/analytical-platform
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,37 +1,20 @@
 ---
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
 version: 2
 
 updates:
-  - package-ecosystem: "bundler"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "terraform"
-    directory: "/terraform"
-    schedule:
-      interval: "daily"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
-  - package-ecosystem: "pip"
+  - package-ecosystem: "devcontainers"
     directory: "/"
     schedule:
       interval: "daily"
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "gomod"
+  - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "daily"
-  - package-ecosystem: "docker"
+  - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "daily"
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -0,0 +1,26 @@
+---
+name: Build and Test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  build-and-test:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Build and Test
+        id: build_and_test
+        shell: bash
+        run: |
+          bash scripts/build-and-test.sh
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -3,6 +3,8 @@ name: Dependency Review
 
 on:
   pull_request:
+    branches:
+      - main
     types:
       - edited
       - opened
@@ -22,7 +24,8 @@ jobs:
         id: checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Dependency Review
+      - name: Dependency review
+        id: dependency_review
         uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
         with:
           fail-on-severity: critical
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,60 @@
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - "*"
+
+permissions: {}
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+      - name: Install cosign
+        id: install_cosign
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+
+      - name: Configure AWS Credentials
+        id: configure_aws_credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::730335344807:role/modernisation-platform-oidc-cicd
+
+      - name: Login to Amazon ECR
+        id: login_ecr
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076
+        with:
+          registries: 374269020027
+
+      - name: Build and Push
+        id: build_and_push
+        uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
+        with:
+          push: true
+          tags: 374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-scan-ecr-repo:${{ github.ref_name }}
+
+      - name: Sign
+        id: sign
+        shell: bash
+        run: |
+          cosign sign --yes 374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-scan-ecr-repo@${{ steps.build_and_push.outputs.digest }}
+
+      - name: Verify
+        id: verify
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity=https://github.com/ministryofjustice/analytical-platform-jml-report/.github/workflows/release.yml@refs/tags/${{ github.ref_name }} \
+            374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-scan-ecr-repo@${{ steps.build_and_push.outputs.digest }}
diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml
@@ -0,0 +1,57 @@
+---
+name: Scan Image
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  scan-image:
+    name: Scan Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Build Image
+        id: build_image
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          push: false
+          load: true
+          tags: ingestion-scan
+
+      - name: Scan Image
+        id: scan_image
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        with:
+          image-ref: ingestion-scan
+          exit-code: 1
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+          limit-severities-for-sarif: true
+
+      - name: Scan Image (On SARIF Scan Failure)
+        if: failure() && steps.scan_image.outcome == 'failure'
+        id: scan_image_on_failure
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        with:
+          image-ref: ingestion-scan
+          exit-code: 1
+          format: table
+          severity: CRITICAL
+
+      - name: Upload SARIF
+        if: always()
+        id: upload_sarif
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.2.7
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -0,0 +1,36 @@
+---
+name: Super-Linter
+
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - edited
+      - opened
+      - reopened
+      - synchronize
+
+permissions: {}
+
+jobs:
+  super-linter:
+    name: Super-Linter
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      statuses: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Run Super-Linter
+        id: super_linter
+        uses: super-linter/super-linter/slim@e0fc164bba85f4b58c6cd17ba1dfd435d01e8a06 # v6.3.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LINTER_RULES_PATH: /
+          PYTHON_PYLINT_CONFIG_FILE: pyproject.toml
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,24 @@
+#checkov:skip=CKV_DOCKER_2: HEALTHCHECK not required - AWS Lambda does not support HEALTHCHECK
+#checkov:skip=CKV_DOCKER_3: USER not required - A non-root user is used by AWS Lambda
+FROM public.ecr.aws/lambda/python:3.12@sha256:1d922f123370801843aad18d0911759c55402af4d0dddb601181df4ed42b2ce2
+
+LABEL org.opencontainers.image.vendor="Ministry of Justice" \
+      org.opencontainers.image.authors="Analytical Platform (analytical-platform@digital.justice.gov.uk)" \
+      org.opencontainers.image.title="Ingestion Scan" \
+      org.opencontainers.image.description="Ingestion scan image for Analytical Platform" \
+      org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform"
+
+RUN microdnf update \
+    && microdnf install --assumeyes \
+         clamav-0.103.9-1.amzn2023.0.2.x86_64 \
+         clamav-update-0.103.9-1.amzn2023.0.2.x86_64 \
+         clamd-0.103.9-1.amzn2023.0.2.x86_64 \
+         tar-2:1.34-1.amzn2023.0.4.x86_64 \
+    && microdnf clean all
+
+COPY --chown=nobody:nobody --chmod=0755 src/var/task/ ${LAMBDA_TASK_ROOT}
+
+RUN python -m pip install --no-cache-dir --upgrade pip==24.0 \
+    && python -m pip install --no-cache-dir --requirement requirements.txt
+
+CMD ["handler.handler"]