Drift from template

m-houston · github-actions[bot] · commit 10f3c5c77be4 · 2025-06-01T00:35:24.000Z
diff --git a/.github/actions/create-lines-of-code-report/action.yaml b/.github/actions/create-lines-of-code-report/action.yaml
@@ -44,7 +44,7 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
@@ -58,7 +58,7 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml
@@ -0,0 +1,17 @@
+name: "Trivy Scan"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Terraform IAC Scan"
+      shell: bash
+      run: |
+        components_exit_code=0
+        modules_exit_code=0
+
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+
+        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+          echo "Trivy misconfigurations detected."
+          exit 1
+        fi
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -1,5 +1,6 @@
 # SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
 
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
+cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:sonar-api-token:37
 96096685ab3d6876671e2bc9a6ff4d48fc56e521:src/helloworld/helloworld.sln:ipv4:4
 4f4e8c15629b2cb09356a7fed4d72953590227ce:docs/Gemfile.lock:ipv4:4
diff --git a/.tool-versions b/.tool-versions
@@ -3,6 +3,7 @@ gitleaks 8.18.4
 pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
+trivy 0.61.0
 tfsec 1.28.10
 vale 3.6.0
 poetry 1.8.3
diff --git a/infrastructure/terraform/bin/terraform.sh b/infrastructure/terraform/bin/terraform.sh
@@ -539,24 +539,26 @@ fi;
 [ -f "${dynamic_file_path}" ] && tf_var_file_paths+=("${dynamic_file_path}");
 
 # Warn on duplication
-duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
-[ -n "${duplicate_variables}" ] \
-  && echo -e "
-###################################################################
-# WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
-###################################################################
-The following input variables appear to be duplicated:
-
-${duplicate_variables}
-
-This could lead to unexpected behaviour. Overriding of variables
-has previously been unpredictable and is not currently supported,
-but it may work.
-
-Recent changes to terraform might give you useful overriding and
-map-merging functionality, please use with caution and report back
-on your successes & failures.
-###################################################################";
+if [ ${#tf_var_file_paths[@]} -gt 0 ]; then
+  duplicate_variables="$(cat "${tf_var_file_paths[@]}" | sed -n -e 's/\(^[a-zA-Z0-9_\-]\+\)\s*=.*$/\1/p' | sort | uniq -d)";
+  [ -n "${duplicate_variables}" ] \
+    && echo -e "
+  ###################################################################
+  # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING #
+  ###################################################################
+  The following input variables appear to be duplicated:
+
+  ${duplicate_variables}
+
+  This could lead to unexpected behaviour. Overriding of variables
+  has previously been unpredictable and is not currently supported,
+  but it may work.
+
+  Recent changes to terraform might give you useful overriding and
+  map-merging functionality, please use with caution and report back
+  on your successes & failures.
+  ###################################################################";
+fi
 
 # Build up the tfvars arguments for terraform command line
 for file_path in "${tf_var_file_paths[@]}"; do
@@ -791,8 +793,8 @@ case "${action}" in
     ;;
   *)
     echo -e "Generic action case invoked. Only the additional arguments will be passed to terraform, you break it you fix it:";
-    echo -e "\tterraform ${action} ${extra_args}";
-    terraform "${action}" ${extra_args} \
+    echo -e "\tterraform ${action} ${extra_args} | tee terraform_output";
+    terraform "${action}" ${extra_args} | tee terraform_output \
       || error_and_die "Terraform ${action} failed.";
     ;;
 esac;
diff --git a/scripts/config/.repository-template-sync-ignore b/scripts/config/.repository-template-sync-ignore
@@ -1,4 +1,10 @@
 # Files and folders to ignore when syncing nhs-notify-repository-template back in to this repository
+.editorconfig
+.gitleaksignore
+/Makefile
+scripts/config/sonar-scanner.properties
+scripts/tests/
+scripts/**/examples/
 .github/workflows/
 .github/CODEOWNERS
 nhs-notify-repository-template/
diff --git a/scripts/config/.repository-template-sync-merge b/scripts/config/.repository-template-sync-merge
@@ -3,5 +3,6 @@ scripts/config/.repository-template-sync-ignore
 scripts/config/.repository-template-sync-merge
 .tool-versions
 .gitignore
+scripts/config/vale/vale.ini
 scripts/config/vale/styles/config/vocabularies/words/accept.txt
 scripts/config/vale/styles/config/vocabularies/words/reject.txt
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
@@ -1,4 +1,5 @@
 # SEE: https://github.com/gitleaks/gitleaks/#configuration
+# Do not edit this file directly as it will be overwritten by changes from the nhs-notify-repository-template on next sync
 
 [extend]
 useDefault = true # SEE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
@@ -9,7 +9,6 @@ repos:
       - id: check-symlinks
       - id: detect-private-key
       - id: end-of-file-fixer
-        exclude: .+\.cs
       - id: forbid-new-submodules
       - id: mixed-line-ending
       - id: pretty-format-json
diff --git a/scripts/config/trivy.yaml b/scripts/config/trivy.yaml
@@ -0,0 +1,6 @@
+---
+severity: MEDIUM              # Minimum reported findings
+exit-code: 1                  # When issues are found
+scan:
+  skip-files:
+    - "**/.terraform/**/*"
diff --git a/scripts/config/vale/styles/config/vocabularies/words/accept.txt b/scripts/config/vale/styles/config/vocabularies/words/accept.txt
@@ -9,6 +9,7 @@ drawio
 endcapture
 endfor
 endraw
+Git[Hh]ub
 GitHub
 Gitleaks
 Grype
diff --git a/scripts/githooks/sort-dictionary.sh b/scripts/githooks/sort-dictionary.sh
@@ -25,7 +25,8 @@ function main() {
   mv $root/accept.sorted.txt $root/accept.txt
   mv $root/reject.sorted.txt $root/reject.txt
 
-  git add -uv $root/*
+  # Update the sorted files in the staged git index
+  git add --update --verbose $root/*
 }
 
 # ==============================================================================
diff --git a/scripts/githooks/sync-template-repo.sh b/scripts/githooks/sync-template-repo.sh
@@ -42,15 +42,13 @@ if [ ! -f "${MERGE_FILE}" ]; then
   echo "# Files and folders to merge when syncing ${TEMPLATE_REPO_DIR} back in to this repository" > ${MERGE_FILE}
 fi
 
-# Read the .template-ignore file into an array
-while IFS= read -r line || [ -n "$line" ]; do
-  IGNORED_PATHS+=("$line")
-done < "$IGNORE_FILE"
+TMP_SYNC_IGNORE=${PWD}/tmp-sync-ignore
+mkdir -p "${TMP_SYNC_IGNORE}"
+cp "${IGNORE_FILE}" "${TMP_SYNC_IGNORE}/.gitignore"
 
-# Read the .template-merge file into an array
-while IFS= read -r line || [ -n "$line" ]; do
-  MERGED_PATHS+=("$line")
-done < "$MERGE_FILE"
+TMP_SYNC_MERGE=${PWD}/tmp-sync-merge
+mkdir -p "${TMP_SYNC_MERGE}"
+cp "${MERGE_FILE}" "${TMP_SYNC_MERGE}/.gitignore"
 
 # Check if a file is ignored.
 is_ignored() {
@@ -61,27 +59,25 @@ is_ignored() {
     return 0
   fi
 
-  for ignored in "${IGNORED_PATHS[@]}"; do
-    if [[ -n "$ignored" && "$file" =~ $ignored ]]; then
-      return 0
-    fi
-  done
-  return 1
+  pushd "${TMP_SYNC_IGNORE}" > /dev/null
+  git check-ignore -q "${file}"
+  R=$?
+  popd > /dev/null
+  return $R
 }
 
 is_merge() {
   local file=${1}
 
-  for merged in "${MERGED_PATHS[@]}"; do
-    if [[ -n "$merged" && "$file" =~ $merged ]]; then
-      return 0
-    fi
-  done
-  return 1
+  pushd "${TMP_SYNC_MERGE}" > /dev/null
+  git check-ignore -q "${file}"
+  R=$?
+  popd > /dev/null
+  return $R
 }
 
 # Navigate to the template directory
-cd "${TEMPLATE_REPO_DIR}" || exit
+pushd "${TEMPLATE_REPO_DIR}" || exit
 FILES_ADDED=()
 FILES_WITH_CHANGES=()
 
@@ -127,6 +123,9 @@ while IFS= read -r -d '' file || [[ -n $file ]]; do
   fi
 done < <(find . -type f -print0)
 
+popd
+rm -rf "${TMP_SYNC_IGNORE}" "${TMP_SYNC_MERGE}"
+
 echo ------------------------------------------
 echo "${#FILES_ADDED[@]} files added, ${#FILES_WITH_CHANGES[@]} files with changes detected."
 
diff --git a/scripts/init.mk b/scripts/init.mk
@@ -7,7 +7,7 @@ include scripts/tests/test.mk
 # ==============================================================================
 
 runner-act: # Run GitHub Actions locally - mandatory: workflow=[workflow file name], job=[job name] @Development
-	source ./scripts/docker/docker.lib.sh
+	. ./scripts/docker/docker.lib.sh
 	act $(shell [[ "${VERBOSE}" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$$ ]] && echo --verbose) \
 		--container-architecture linux/amd64 \
 		--platform ubuntu-latest=$$(name="ghcr.io/nhs-england-tools/github-runner-image" docker-get-image-version-and-pull) \
@@ -21,7 +21,7 @@ runner-act: # Run GitHub Actions locally - mandatory: workflow=[workflow file na
 		--job ${job}
 
 version-create-effective-file: # Create effective version file - optional: dir=[path to the VERSION file to use, default is '.'], BUILD_DATETIME=[build date and time in the '%Y-%m-%dT%H:%M:%S%z' format generated by the CI/CD pipeline, default is current date and time] @Development
-	source scripts/docker/docker.lib.sh
+	. ./scripts/docker/docker.lib.sh
 	version-create-effective-file
 
 shellscript-lint-all: # Lint all shell scripts in this project, do not fail on error, just print the error messages @Quality
diff --git a/scripts/maintenance/merge.js b/scripts/maintenance/merge.js
@@ -25,7 +25,7 @@ const tokenize = line => {
   if (line === '') {
     return [];
   }
-  return line.split(/\s+/).filter(x => x !== '#').slice(0, 1);
+  return line.split(/\s+|[:=]/).filter(x => x !== '#' && x !== '').slice(0, 1);
 };
 const lines1Tokens = lines1.flatMap(tokenize);
 
diff --git a/scripts/terraform/trivy.sh b/scripts/terraform/trivy.sh
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+
+# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/NHSDigital/nhs-notify-repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# TFSec command wrapper. It will run the command natively if TFSec is
+# installed, otherwise it will run it in a Docker container.
+# Run tfsec for security checks on Terraform code.
+#
+# Usage:
+#   $ ./trivy.sh [directory]
+# ==============================================================================
+
+function main() {
+
+  cd "$(git rev-parse --show-toplevel)"
+
+  local dir_to_scan=${1:-.}
+
+  if command -v trivy > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+    # shellcheck disable=SC2154
+    run-trivy-natively "$dir_to_scan"
+  else
+    run-trivy-in-docker "$dir_to_scan"
+  fi
+}
+
+# Run trivy on the specified directory.
+# Arguments:
+#   $1 - Directory to scan
+function run-trivy-natively() {
+
+  local dir_to_scan="$1"
+
+  echo "Trivy found locally, running natively"
+
+  echo "Running Trivy on directory: $dir_to_scan"
+  trivy config \
+    --config scripts/config/trivy.yaml \
+    --tf-exclude-downloaded-modules \
+    "${dir_to_scan}"
+
+  check-trivy-status
+}
+
+# Check the exit status of tfsec.
+function check-trivy-status() {
+
+  if [ $? -eq 0 ]; then
+    echo "Trivy completed successfully."
+  else
+    echo "Trivy found issues."
+    exit 1
+  fi
+}
+
+function run-trivy-in-docker() {
+
+  # shellcheck disable=SC1091
+  source ./scripts/docker/docker.lib.sh
+  local dir_to_scan="$1"
+
+  # shellcheck disable=SC2155
+  local image=$(name=aquasec/trivy docker-get-image-version-and-pull)
+  # shellcheck disable=SC2086
+  echo "Trivy not found locally, running in Docker Container"
+  echo "Running Trivy on directory: $dir_to_scan"
+  docker run --rm --platform linux/amd64 \
+    --volume "$PWD":/workdir \
+    --workdir /workdir \
+    "$image" \
+    config \
+    --config scripts/config/trivy.yaml \
+    --tf-exclude-downloaded-modules \
+    "${dir_to_scan}"
+    check-trivy-status
+}
+# ==============================================================================
+
+function is-arg-true() {
+
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# ==============================================================================
+
+is-arg-true "${VERBOSE:-false}" && set -x
+
+main "$@"
+
+exit 0
diff --git a/scripts/tests/test.mk b/scripts/tests/test.mk
@@ -51,12 +51,6 @@ test-ui: # Run your UI tests from scripts/test/ui @Testing
 test-ui-performance: # Run UI render tests from scripts/test/ui-performance @Testing
 	make _test name="ui-performance"
 
-test-product:
-	make _test name="product"
-
-test-data-cleanup:
-	make _test name="data-cleanup"
-
 test: # Run all the test tasks @Testing
 	make \
 		test-unit \
@@ -94,5 +88,4 @@ ${VERBOSE}.SILENT: \
 	test-security \
 	test-ui \
 	test-ui-performance \
-	test-product \
 	test-unit \

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`# SEE: https://github.com/gitleaks/gitleaks/#configuration`
	`2`	`+# Do not edit this file directly as it will be overwritten by changes from the nhs-notify-repository-template on next sync`
`2`	`3`
`3`	`4`	`[extend]`
`4`	`5`	`useDefault = true # SEE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml`