From b066ec2d4a07c8d2195c3485e58a90ba0cc768d1 Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Thu, 19 Mar 2026 12:12:06 +0000
Subject: [PATCH 1/7] [GPCAPIM-258]: Add environment variables for SDS access module

- Define STUB_SDS, STUB_PDS, and STUB_PROVIDER in the workflow environment
---
 infrastructure/images/build-container/Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/infrastructure/images/build-container/Dockerfile b/infrastructure/images/build-container/Dockerfile
index e062232e..07d7af25 100644
--- a/infrastructure/images/build-container/Dockerfile
+++ b/infrastructure/images/build-container/Dockerfile
@@ -49,7 +49,9 @@ RUN apk update && \
 readline-dev \
 sqlite-dev \
 tk-dev \
- zstd-dev
+ zstd-dev\
+ libxml2-dev\
+ libxslt-dev
 
 # Configure doas to allow members of the wheel group to run commands as root.
 RUN echo "permit :wheel" >> /etc/doas.conf \

From 05bebcbe6c18c6837dbf4d42a99cd9b519e8d648 Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Thu, 19 Mar 2026 12:37:51 +0000
Subject: [PATCH 2/7] correct formatting and move to more relevant part of the list

---
 infrastructure/images/build-container/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/infrastructure/images/build-container/Dockerfile b/infrastructure/images/build-container/Dockerfile
index 07d7af25..2f818b24 100644
--- a/infrastructure/images/build-container/Dockerfile
+++ b/infrastructure/images/build-container/Dockerfile
@@ -39,6 +39,8 @@ RUN apk update && \
 # Required to support the building of other docker images.
 docker-cli \
 docker-cli-buildx \
+ libxml2-dev\
+ libxslt-dev \
 # pyenv suggested requirements taken from https://github.com/pyenv/pyenv/wiki#suggested-build-environment
 build-base \
 libffi-dev \
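Review bot: The commit message talks about STUB_SDS, STUB_PDS and STUB_PROVIDER workflow variables, but the hunk only adds `libxml2-dev` and `libxslt-dev` to the apk package list of the build container, so the message and the diff describe different changes. The new packages also arrive without a note on what needs them; the neighbouring entries in this list each carry a purpose comment, so add one in the same style, e.g. `# Headers required to build <package that needs libxml2/libxslt> from source` with the real package name filled in. The `RUN apk update && \` instruction that this list belongs to starts outside the hunk.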
@@ -49,9 +51,7 @@ RUN apk update && \
 readline-dev \
 sqlite-dev \
 tk-dev \
- zstd-dev\
- libxml2-dev\
- libxslt-dev
+ zstd-dev
 
 # Configure doas to allow members of the wheel group to run commands as root.
 RUN echo "permit :wheel" >> /etc/doas.conf \

From 214ace4754f2d1e6f2937c9478a6074bef25f7a0 Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Thu, 19 Mar 2026 12:38:20 +0000
Subject: [PATCH 3/7] formatting again

---
 infrastructure/images/build-container/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/images/build-container/Dockerfile b/infrastructure/images/build-container/Dockerfile
index 2f818b24..ee4e2426 100644
--- a/infrastructure/images/build-container/Dockerfile
+++ b/infrastructure/images/build-container/Dockerfile
@@ -39,7 +39,7 @@ RUN apk update && \
 # Required to support the building of other docker images.
 docker-cli \
 docker-cli-buildx \
- libxml2-dev\
+ libxml2-dev \
 libxslt-dev \
 # pyenv suggested requirements taken from https://github.com/pyenv/pyenv/wiki#suggested-build-environment
 build-base \

From 0abf4921b84489799ebcb1da81cbd94286bdf287 Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Thu, 19 Mar 2026 16:01:33 +0000
Subject: [PATCH 4/7] [GPCAPIM-289]: Enhance Docker build process for dev certificates

- Copy dev certificates into the gateway-api image build context if present
- Update .gitignore to include dev-certificates directory
---
 Makefile | 7 +++++++
 infrastructure/images/gateway-api/Dockerfile | 9 +++++++++
 infrastructure/images/gateway-api/resources/.gitignore | 1 +
 3 files changed, 17 insertions(+)

diff --git a/Makefile b/Makefile
index c1f094c1..7fd2bcc7 100644
--- a/Makefile
+++ b/Makefile
@@ -41,6 +41,13 @@ build-gateway-api: dependencies
 @rm -rf ../infrastructure/images/gateway-api/resources/build/
 @mkdir ../infrastructure/images/gateway-api/resources/build/
 @cp -r ./target/gateway-api ../infrastructure/images/gateway-api/resources/build/
+ # If dev certificates are present inside the dev container, copy them into
+ # the gateway-api image build context so they can be installed there too.
+ @if [ -d "/resources/dev-certificates" ]; then \
+ rm -rf ../infrastructure/images/gateway-api/resources/dev-certificates; \
+ mkdir -p ../infrastructure/images/gateway-api/resources/dev-certificates; \
+ cp -r /resources/dev-certificates/* ../infrastructure/images/gateway-api/resources/dev-certificates/; \
+ fi
 # Remove temporary build artefacts once build has completed
 @rm -rf target && rm -rf dist
 
diff --git a/infrastructure/images/gateway-api/Dockerfile b/infrastructure/images/gateway-api/Dockerfile
index d5b1ce55..0f623d74 100644
--- a/infrastructure/images/gateway-api/Dockerfile
+++ b/infrastructure/images/gateway-api/Dockerfile
@@ -9,6 +9,15 @@ RUN apk upgrade --no-cache && \
 
 COPY resources/ /resources
 
+# If dev certificates have been copied into the build context, install them so
+# apk and other HTTPS clients inside this image trust the same CAs as the
+# dev container. This is a no-op when no dev certificates are provided.
+RUN if [ -d /resources/dev-certificates ]; then \
+ cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
+ update-ca-certificates; \
+ cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
+fi
+
 WORKDIR /resources/build/gateway-api
 
 ENV PYTHONPATH=/resources/build/gateway-api
diff --git a/infrastructure/images/gateway-api/resources/.gitignore b/infrastructure/images/gateway-api/resources/.gitignore
index 796b96d1..73ea2e21 100644
--- a/infrastructure/images/gateway-api/resources/.gitignore
+++ b/infrastructure/images/gateway-api/resources/.gitignore
@@ -1 +1,2 @@
 /build
+/dev-certificates
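Review bot: `cp -r /resources/dev-certificates/* …` in the new `@if` block fails when the directory exists but holds no files, because the unexpanded glob is passed to cp as a literal name; since the `[ -d … ]` test only checks existence, an empty directory aborts `build-gateway-api` although nothing needed copying. Copying the directory contents instead handles the empty case and any dotfiles: `cp -r /resources/dev-certificates/. ../infrastructure/images/gateway-api/resources/dev-certificates/`. The same `/*` construct is used twice in the Dockerfile hunk of this patch and again in patch 5's Dockerfile hunk, where the effect is a failed image build rather than a failed make target. The `build-gateway-api` recipe this block belongs to starts outside the hunk.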
From ec9779df54b59afe656be01d4249d818a01bc250 Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Fri, 20 Mar 2026 11:14:24 +0000
Subject: [PATCH 5/7] [GPCAPIM-289]: Update Docker build process to include dev certificates

- Add INCLUDE_DEV_CERTS argument to control installation of dev certificates
- Modify Dockerfile to handle dev certificates based on the new argument
- Adjust Makefile to pass INCLUDE_DEV_CERTS during the build process
---
 Makefile | 8 ++++++-
 infrastructure/images/gateway-api/Dockerfile | 23 ++++++++++++--------
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/Makefile b/Makefile
index 7fd2bcc7..363776e9 100644
--- a/Makefile
+++ b/Makefile
@@ -20,6 +20,7 @@ endif
 IMAGE_NAME := ${IMAGE_REPOSITORY}:${IMAGE_TAG}
 COMMIT_VERSION := $(shell git rev-parse --short HEAD)
 BUILD_DATE := $(shell date -u +"%Y%m%d")
+INCLUDE_DEV_CERTS ?= ${DEV_CERTS_INCLUDED}
 
 # ==============================================================================
 # Example CI/CD targets are: dependencies, build, publish, deploy, clean, etc.
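Review bot: `INCLUDE_DEV_CERTS ?= ${DEV_CERTS_INCLUDED}` takes its default from a variable that is defined nowhere in this series, so a reader cannot tell where the value comes from or which values are meaningful; the Dockerfile side of this patch acts only on the literal string `true`, and anything else (including an empty value when `DEV_CERTS_INCLUDED` is unset) silently disables the install. A one-line comment would close that gap, e.g. `# Defaults to DEV_CERTS_INCLUDED, presumably exported by the dev container; only the literal "true" installs dev CA certificates into the image.` Since this is a plain `?=`, it can also be set from the command line or the CI environment, which is worth stating so nobody enables it on a pipeline build by accident.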
@@ -54,7 +55,12 @@ build-gateway-api: dependencies
 .PHONY: build
 build: build-gateway-api # Build the project artefact @Pipeline
 @echo "Building Docker x86 image using Docker. Utilising python version: ${PYTHON_VERSION} ..."
- @$(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
+ @if [[ -n "$${IN_BUILD_CONTAINER}" ]]; then \
+ echo "building with dev certs ..." ; \
+ $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} --build-arg INCLUDE_DEV_CERTS=${INCLUDE_DEV_CERTS} -t ${IMAGE_NAME} infrastructure/images/gateway-api
+ else \
+ $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api
+ fi
 @echo "Docker image '${IMAGE_NAME}' built successfully!"
 
 publish: # Publish the project artefact @Pipeline
diff --git a/infrastructure/images/gateway-api/Dockerfile b/infrastructure/images/gateway-api/Dockerfile
index 0f623d74..d9bfe1a1 100644
--- a/infrastructure/images/gateway-api/Dockerfile
+++ b/infrastructure/images/gateway-api/Dockerfile
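Review bot: Neither `$(docker) buildx build …` line inside the new `@if … fi` block ends with a continuation backslash as shown here, while `then \`, `echo … ; \` and `else \` do, so make will hand the shell an `if … then echo …; docker buildx build …` fragment with no `fi`, then `else \ docker …` and `fi` as separate commands, each a syntax error, unless `.ONESHELL` or similar is set outside the hunk. The fix is to terminate both build lines the same way as the echo: `… infrastructure/images/gateway-api ; \` on each. `[[ -n "$${IN_BUILD_CONTAINER}" ]]` is bash syntax and make runs recipes under `/bin/sh` unless the Makefile sets `SHELL`, which this hunk does not show; `[ -n "$${IN_BUILD_CONTAINER}" ]` is the portable form. Stylistically the two branches duplicate a very long command that differs in one flag; collecting the optional `--build-arg INCLUDE_DEV_CERTS=…` into a variable and issuing a single build command would keep the two paths from drifting apart.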
@@ -2,21 +2,26 @@ ARG PYTHON_VERSION=invalid
 
 FROM python:${PYTHON_VERSION}-alpine3.23 AS gateway-api
 
-RUN apk upgrade --no-cache && \
- pip install --no-cache-dir --upgrade pip && \
- addgroup -S nonroot && \
- adduser -S gateway_api_user -G nonroot
+# Controls whether dev certificates (if present) are installed into this image.
+ARG INCLUDE_DEV_CERTS=false
 
 COPY resources/ /resources
 
 # If dev certificates have been copied into the build context, install them so
 # apk and other HTTPS clients inside this image trust the same CAs as the
 # dev container. This is a no-op when no dev certificates are provided.
-RUN if [ -d /resources/dev-certificates ]; then \
- cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
- update-ca-certificates; \
- cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
-fi
+RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] && [ -d /resources/dev-certificates ]; then \
+ cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
+ update-ca-certificates; \
+ cp -r /resources/dev-certificates/* /etc/ssl/certs/; \
+ else \
+ rm -rf /resources/dev-certificates || true; \
+ fi
+
+RUN apk upgrade --no-cache && \
+ pip install --no-cache-dir --upgrade pip && \
+ addgroup -S nonroot && \
+ adduser -S gateway_api_user -G nonroot
 
 WORKDIR /resources/build/gateway-api
 

From 4e542084469b33a07d465ca539629784cf13ba25 Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Fri, 20 Mar 2026 11:25:52 +0000
Subject: [PATCH 6/7] [GPCAPIM-289]: Update comments for clarity on dev certificate installation

---
 infrastructure/images/gateway-api/Dockerfile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/infrastructure/images/gateway-api/Dockerfile b/infrastructure/images/gateway-api/Dockerfile
index d9bfe1a1..95d485ea 100644
--- a/infrastructure/images/gateway-api/Dockerfile
+++ b/infrastructure/images/gateway-api/Dockerfile
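Review bot: The `else` branch's `rm -rf /resources/dev-certificates` does not keep the dev certificates out of the image: `COPY resources/ /resources` two instructions earlier has already committed them to their own layer, and a later `RUN rm` only hides them in the final filesystem, so every image built from a context that contains the directory, `INCLUDE_DEV_CERTS` or not, still ships the dev CA files in its layer history. CA certificates are public material, so this is about an internal trust anchor being visible in a published artefact rather than a secret leaking, but the gate the patch adds is not doing what its comment promises; keeping the directory out of the default context (a `.dockerignore` entry, or a BuildKit `RUN --mount=type=bind,…` that exposes it only for this step) would make the "false" path genuinely cert-free. Separately, `cp -r /resources/dev-certificates/* /etc/ssl/certs/` bypasses `update-ca-certificates`, which already rebuilds the bundle from `/usr/local/share/ca-certificates`; if a specific client needs the raw files there, the comment should say which one, otherwise the line looks redundant. The `|| true` after `rm -rf` is also redundant, since `rm -rf` on a missing path already exits 0.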
@@ -7,9 +7,7 @@ ARG INCLUDE_DEV_CERTS=false
 
 COPY resources/ /resources
 
-# If dev certificates have been copied into the build context, install them so
-# apk and other HTTPS clients inside this image trust the same CAs as the
-# dev container. This is a no-op when no dev certificates are provided.
+# Install required certificates for dev machines.
 RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] && [ -d /resources/dev-certificates ]; then \
 cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \
 update-ca-certificates; \

From 5fdef33765128c3a99611c3e665df277fb8df242 Mon Sep 17 00:00:00 2001
From: DWolfsNHS <229101201+DWolfsNHS@users.noreply.github.com>
Date: Fri, 20 Mar 2026 13:00:31 +0000
Subject: [PATCH 7/7] [GPCAPIM-289]: Disable Trivy security scans

- Comment out Trivy IaC scan, image scan, and SBOM generation steps
- Disable scans in response to security concerns regarding Trivy
---
 .github/workflows/preview-env.yml | 43 ++++++++++++++++---------------
 1 file changed, 22 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml
index afcaee1a..9fe96ecc 100644
--- a/.github/workflows/preview-env.yml
+++ b/.github/workflows/preview-env.yml
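Review bot: The replacement comment `# Install required certificates for dev machines.` loses the two facts the old one carried: that the step is gated by `INCLUDE_DEV_CERTS` and silently does nothing when the directory is absent, and why it exists (apk and other HTTPS clients in the image must trust the same CAs as the dev container). A reader of the `RUN` line below still needs both, so a comment such as `# Install dev CA certificates (only when INCLUDE_DEV_CERTS=true and resources/dev-certificates exists) so apk and other HTTPS clients trust the same CAs as the dev container; no-op otherwise.` keeps the clarity gain without dropping the contract. The `RUN` instruction being commented continues outside the hunk.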
@@ -436,24 +436,25 @@ jobs:
 body: lines.join('\n'),
 });
 
- # ---------- Security scanning ----------
- - name: Trivy IaC scan
- if: github.event.action != 'closed'
- uses: nhs-england-tools/trivy-action/iac-scan@289984b2f03034233a347d6dbadecd5ca9ea9634
- with:
- scan-ref: infrastructure/environments/preview
- artifact-name: trivy-iac-scan-${{ steps.meta.outputs.branch_name }}
-
- - name: Trivy image scan
- if: github.event.action != 'closed'
- uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634
- with:
- image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}}
- artifact-name: trivy-image-scan-${{ steps.meta.outputs.branch_name }}
-
- - name: Generate SBOM
- if: github.event.action != 'closed'
- uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634
- with:
- image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}}
- artifact-name: trivy-sbom-${{ steps.meta.outputs.branch_name }}
+ # desable trivy in light of attack https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
+ # # ---------- Security scanning ----------
+ # - name: Trivy IaC scan
+ # if: github.event.action != 'closed'
+ # uses: nhs-england-tools/trivy-action/iac-scan@289984b2f03034233a347d6dbadecd5ca9ea9634
+ # with:
+ # scan-ref: infrastructure/environments/preview
+ # artifact-name: trivy-iac-scan-${{ steps.meta.outputs.branch_name }}
+
+ # - name: Trivy image scan
+ # if: github.event.action != 'closed'
+ # uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634
+ # with:
+ # image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}}
+ # artifact-name: trivy-image-scan-${{ steps.meta.outputs.branch_name }}
+
+ # - name: Generate SBOM
+ # if: github.event.action != 'closed'
+ # uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634
+ # with:
+ # image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}}
+ # artifact-name: trivy-sbom-${{ steps.meta.outputs.branch_name }}
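Review bot: Commenting out the three steps removes IaC scanning, image scanning and SBOM generation from the preview pipeline with no condition, owner or date for bringing them back, and the only record is the one-line `# desable trivy …` comment, which also misspells "disable". The `uses:` references were pinned to commit 289984b2f03034233a347d6dbadecd5ca9ea9634 of the nhs-england-tools wrapper, so whether the reported compromise reaches this workflow depends on what that pinned wrapper resolves internally, which the hunk cannot show; the outcome of that check should be written down next to the decision rather than left implicit. Suggest replacing the first added line with `# TODO(<ticket>): Trivy steps disabled on 2026-03-20 pending review of https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise; re-enable once the pinned wrapper and its transitive actions are confirmed clean` using the real ticket id, and noting the temporary loss of vulnerability and SBOM coverage in the PR description so it is visible to whoever approves deployments from this pipeline.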