CCM-13343: Trivy Package and Library Scans

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,6 +25,7 @@
 - [ ] I have added tests to cover my changes
 - [ ] I have updated the documentation accordingly
 - [ ] This PR is a result of pair or mob programming
+- [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR.
 
 ---
 

.github/actions/trivy-iac/action.yaml

@@ -0,0 +1,18 @@
+name: "Trivy IaC Scan"
+description: "Scan Terraform IaC using Trivy"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Terraform IaC Scan"
+      shell: bash
+      run: |
+        components_exit_code=0
+        modules_exit_code=0
+
+        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+
+        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+          echo "Trivy misconfigurations detected."
+          exit 1
+        fi

.github/actions/trivy-package/action.yaml

@@ -0,0 +1,16 @@
+name: "Trivy Package Scan"
+description: "Scan project packages using Trivy"
+runs:
+  using: "composite"
+  steps:
+    - name: "Trivy Package Scan"
+      shell: bash
+      run: |
+        exit_code=0
+
+        ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+
+        if [ $exit_code -ne 0 ]; then
+          echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+          exit 1
+        fi

.github/workflows/cicd-1-pull-request.yaml

@@ -32,6 +32,7 @@ jobs:
       version: ${{ steps.variables.outputs.version }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
       pr_number: ${{ steps.pr_exists.outputs.pr_number }}
+      skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5.0.0
@@ -68,6 +69,26 @@ jobs:
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
             echo "pr_number=" >> $GITHUB_OUTPUT
           fi
+      - name: "Determine if Trivy package scan should be skipped"
+        id: skip_trivy
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+        run: |
+          if [[ -z "$PR_NUMBER" ]]; then
+            echo "No pull request detected; Trivy package scan will run."
+            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
+          echo "Labels on PR #$PR_NUMBER: $labels"
+
+          if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
+            echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
+          else
+            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+          fi
       - name: "List variables"
         run: |
           export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
@@ -105,6 +126,7 @@ jobs:
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
+      skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit

.github/workflows/stage-1-commit.yaml

@@ -23,6 +23,10 @@ on:
         description: "Python version, set by the CI/CD pipeline workflow"
         required: true
         type: string
+      skip_trivy_package:
+        description: "Skip Trivy package scan when true"
+        type: boolean
+        default: false
       terraform_version:
         description: "Terraform version, set by the CI/CD pipeline workflow"
         required: true
@@ -146,21 +150,39 @@ jobs:
         uses: actions/checkout@v5.0.0
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
-  trivy:
-    name: "Trivy Scan"
+  trivy-iac:
+    name: "Trivy IaC Scan"
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 10
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@v4
+      - name: "Setup ASDF"
+        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
+      - name: "Perform Setup"
+        uses: ./.github/actions/setup
+      - name: "Trivy IaC Scan"
+        uses: ./.github/actions/trivy-iac
+  trivy-package:
+    if: ${{ !inputs.skip_trivy_package }}
+    name: "Trivy Package Scan"
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v4
+        uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
       - name: "Perform Setup"
         uses: ./.github/actions/setup
-      - name: "Trivy Scan"
-        uses: ./.github/actions/trivy
+      - name: "Trivy Package Scan"
+        uses: ./.github/actions/trivy-package
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

.trivyignore

@@ -0,0 +1 @@
+CVE-2025-68154 # Impacts Windows systems only. https://nvd.nist.gov/vuln/detail/CVE-2025-68154 Ticket to review: https://nhsd-jira.digital.nhs.uk/browse/CCM-13645

scripts/config/trivy.yaml

@@ -4,3 +4,4 @@ exit-code: 1                  # When issues are found
 scan:
   skip-files:
     - "**/.terraform/**/*"
+    - "**/node_modules/**/*"