WIP

ministryofjustice · May 31, 2024 · a86b585 · a86b585
1 parent 67cd136
commit a86b585
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/.github/workflows/ansible-aws-image-build.yml b/.github/workflows/ansible-aws-image-build.yml
@@ -67,6 +67,11 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
       - name: Download artifact
         uses: actions/download-artifact@v4
         with:
@@ -86,7 +91,7 @@ jobs:
           image-ref: 'hmpps-delius-operational-automation:${{ github.sha }}'
           exit-code: '1'
           scan-type: 'image'
-          trivyignores: '.trivyignore'
+          trivyignores: 'docker/delius-ansible-aws/.trivyignore.yaml'
           ignore-unfixed: 'true'
           output: 'trivy-results.sarif'
       - name: Upload Trivy scan results to GitHub Security tab
@@ -120,18 +125,18 @@ jobs:
           TAG_CONTEXT: repo # Making this default visible
           PRERELEASE: ${{ github.base_ref != 'refs/heads/main' }}
           PRERELEASE_SUFFIX: ${{ github.base_ref }} # Branch name
-      
+
       - name: Create safe tag
         id: safe_tag
         run: |
           echo "SAFE_TAG=$(echo ${{ steps.bump-version.outputs.new_tag }} | sed 's/[^a-zA-Z0-9.]/-/g')" >> $GITHUB_OUTPUT
-      
+
       - name: Download Artifact
         uses: actions/download-artifact@v4
         with:
           name: ansible-aws-image
           path: /tmp
-          
+
       - name: Load and retag image for publish
         run: |
           docker load --input /tmp/ansible-aws-image.tar
@@ -147,4 +152,3 @@ jobs:
       - name: Publish image
         run: docker push ghcr.io/ministryofjustice/hmpps-delius-operational-automation:${{ steps.safe_tag.outputs.SAFE_TAG }}
 
-
diff --git a/docker/delius-ansible-aws/.trivyignore b/docker/delius-ansible-aws/.trivyignore
diff --git a/docker/delius-ansible-aws/.trivyignore.yaml b/docker/delius-ansible-aws/.trivyignore.yaml
@@ -0,0 +1,11 @@
+# Trivy Ignore file https://aquasecurity.github.io/trivy/v0.51/docs/configuration/filtering/
+vulnerabilities:
+  - id: CVE-2022-40897
+    paths:
+      - usr/local/lib/python3.12/site-packages/ansible_collections/kaytus/ksmanage/venv/Lib/site-packages/setuptools-57.0.0.dist-info/METADATA
+      - usr/local/lib/python3.12/site-packages/ansible_collections/inspur/ispim/venv/Lib/site-packages/setuptools-57.0.0.dist-info/METADATA
+
+  - id: CVE-2022-40898
+    paths:
+      - usr/local/lib/python3.12/site-packages/ansible_collections/kaytus/ksmanage/venv/Lib/site-packages/wheel-0.36.2.dist-info/METADATA
+      - usr/local/lib/python3.12/site-packages/ansible_collections/inspur/ispim/venv/Lib/site-packages/wheel-0.36.2.dist-info/METADATA
diff --git a/docker/delius-ansible-aws/Dockerfile b/docker/delius-ansible-aws/Dockerfile
@@ -16,7 +16,6 @@ RUN if curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ub
   dpkg -i session-manager-plugin.deb; \
   fi
 
-
 # Pip
 COPY requirements.txt requirements.yml ./
 RUN pip install -U pip && pip install --upgrade -r requirements.txt \
-Original file line number
+Diff line change
@@ Expand Up @@
       dpkg -i session-manager-plugin.deb; \
       fi
     # Pip
     COPY requirements.txt requirements.yml ./
     RUN pip install -U pip && pip install --upgrade -r requirements.txt \
@@ Expand Down @@