Chore: [AEA-0000] - verify trivy download before installing it #58
anthony-nhs wants to merge 16 commits into main from
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000
Pull request overview
This PR aims to change how Trivy is installed/used in CI by downloading verified Trivy binaries (and installing Cosign to verify them), rather than relying on aquasecurity/setup-trivy.
Changes:
- Add shell installers for Cosign and Trivy, and update workflows to upload/download Trivy binaries as an artifact.
- Update the repo devcontainer to install Cosign/Trivy and expand PATH/tooling (adds Go via asdf).
- Add multiple Trivy report templates under `contrib/` and replace README/LICENSE content.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| scripts/install_trivy.sh | New Trivy download/verify/install script (Cosign-based). |
| scripts/install_cosign.sh | New Cosign download/verify/install script (TUF + signature verification). |
| .github/workflows/build_all_images.yml | Adds a download_trivy job that installs Cosign/Trivy and uploads a Trivy artifact. |
| .github/workflows/build_multi_arch_image.yml | Switches from setup-trivy action to downloading Trivy artifact and copying it into place. |
| .devcontainer/Dockerfile | Installs Go plugin and runs the new Cosign/Trivy installer scripts. |
| .tool-versions | Removes Trivy from asdf tool list; adds Go version for the repo devcontainer/toolchain. |
| package.json / package-lock.json | Adds @tufjs/cli dependency (large lockfile churn). |
| contrib/*.tpl | Adds Trivy output templates (JUnit/HTML/GitLab/ASFF/etc). |
| README.md | Replaced with Trivy upstream-style README content. |
| LICENSE | Replaced with Apache-2.0 license text. |
Comments suppressed due to low confidence (1)
.github/workflows/build_all_images.yml:72
`build_multi_arch_image.yml` now downloads the `trivy` artifact, but none of the image-packaging jobs here depend on `download_trivy`. That creates a race where `actions/download-artifact` can run before the artifact is uploaded and fail. Add `needs: [download_trivy, ...]` to `package_base_docker_image` (and transitively ensure all other jobs wait for it), or wire the trivy download/upload differently.
package_base_docker_image:
uses: ./.github/workflows/build_multi_arch_image.yml
with:
tag_latest: ${{ inputs.tag_latest }}
docker_tag: ${{ inputs.docker_tag }}
container_name: base
base_folder: "."
NO_CACHE: ${{ inputs.NO_CACHE }}
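Review bot: `package_base_docker_image` has no `needs:` key, so it starts as soon as the workflow does and the `actions/download-artifact` step inside the reusable `build_multi_arch_image.yml` it calls can run before `download_trivy` has uploaded anything. Add `needs: [download_trivy]` directly under `package_base_docker_image:`, and give the same entry to every other job that `uses:` the reusable workflow, because each caller fetches the artifact independently.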
| # setup tuf-client | ||
| SIGSTORE_ROOT_PATH="$TMP_DIR/sigstore-root.json" | ||
| curl -o "$SIGSTORE_ROOT_PATH" https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/metadata/root_history/10.root.json |
The trusted Sigstore root is fetched from refs/heads/main (10.root.json). Pulling trust material from a moving branch makes verification less reproducible and increases supply-chain risk. Prefer pinning this URL to a specific commit SHA (or a signed, versioned release artifact) so the installer always uses a known root.
| curl -o "$SIGSTORE_ROOT_PATH" https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/metadata/root_history/10.root.json | |
| curl -o "$SIGSTORE_ROOT_PATH" https://raw.githubusercontent.com/sigstore/root-signing/39c787b931c9791667235b3a5229ae58f12f1b4a/metadata/root_history/10.root.json |
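Review bot: the suggested line pins the URL to a commit SHA, which is the right fix for reproducibility, but both the old and the suggested `curl -o` calls run without `-f`/`--fail` and without `set -e` protection visible here, so an HTTP 404 or 5xx would leave an error page saved as `$TMP_DIR/sigstore-root.json` and the TUF client would then reject or, worse, be fed an unexpected file. Use `curl -fsSL -o "$SIGSTORE_ROOT_PATH" ...` and, since `10.root.json` at that SHA is immutable, commit its sha256 alongside the script and compare with `sha256sum -c` before handing it to tuf-client, so the trust root is verified rather than merely fetched from a fixed address.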
| usage() { | ||
| cat <<'EOF' | ||
| Usage: install_trivy.sh [output_dir] | ||
|
|
||
| Downloads Trivy v0.69.3, its sigstore bundle, and checksum into output_dir (default: current directory), | ||
| then verifies the checksum and the sigstore bundle, following | ||
| https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md. | ||
| EOF | ||
| } | ||
|
|
||
| if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then | ||
| usage | ||
| exit 0 | ||
| fi | ||
|
|
||
| for cmd in curl cosign sha256sum; do | ||
| if ! command -v "$cmd" >/dev/null 2>&1; then | ||
| echo "Error: $cmd is required but not found in PATH" >&2 | ||
| exit 1 | ||
| fi |
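Review bot: the heredoc in `usage()` is opened with `cat <<'EOF'` (quoted delimiter), so the hard-coded "Trivy v0.69.3" in the help text is literal and cannot follow whatever the script uses as its version value; if the version is held in a variable elsewhere in the script (not visible in this excerpt), switch to an unquoted `<<EOF` and interpolate it so the help text and the download stay in sync. In the dependency loop, keep `sha256sum` in `for cmd in curl cosign sha256sum` only if a checksum verification step is actually added; otherwise drop it so the script does not fail on hosts that lack a tool it never runs.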
install_trivy.sh help text and dependencies don't match the implementation: the script doesn't accept an output_dir argument (it only uses INSTALL_DIR env var), it claims to download/verify a checksum but never downloads any checksum file, and sha256sum is required but never used. Align the usage text + required commands with reality, or implement checksum download + verification if that's intended.