
New: [AEA-0000] - add anchore tools #69

Merged: anthony-nhs merged 32 commits into main from syft_grype on Apr 1, 2026

Conversation

anthony-nhs (Contributor) commented Mar 26, 2026

Summary

  • Routine Change

Details

  • add syft
  • add grype
  • add grant

Copilot AI review requested due to automatic review settings March 26, 2026 14:58
github-actions (Contributor) commented:

This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket:

AEA-0000

Copilot AI left a comment

Pull request overview

Replaces the Trivy-based image scanning and ignore-file workflow with Anchore tooling (Syft/Grype), updates CI to install/run the new scanners, and removes Trivy ignore/config artifacts across images.

Changes:

  • Remove Trivy config/ignore files and Trivy helper tooling/docs; disable Trivy make targets.
  • Add verified install flow for Anchore tools (Syft/Grype) and wire them into the base devcontainer + CI workflow.
  • Add zizmor (and cfn-lint for some images) via per-image requirements-user.txt, and expose a make zizmor target.

Reviewed changes

Copilot reviewed 49 out of 49 changed files in this pull request and generated 9 comments.

Summary per file (path followed by description):
trivy.yaml Removes repository-level Trivy ignorefile config.
src/projects/regression_tests/trivy.yaml Removes project Trivy ignorefile config.
src/projects/regression_tests/.trivyignore.yaml Removes project Trivy ignore list.
src/projects/node_24_python_3_14_java_24/trivy.yaml Removes project Trivy ignorefile config.
src/projects/node_24_python_3_14_java_24/.trivyignore.yaml Removes project Trivy ignore list.
src/projects/node_24_python_3_14_golang_1_24/trivy.yaml Removes project Trivy ignorefile config.
src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml Removes project Trivy ignore list.
src/projects/fhir_facade_api/trivy.yaml Removes project Trivy ignorefile config.
src/projects/fhir_facade_api/.trivyignore.yaml Removes project Trivy ignore list.
src/projects/fhir_facade_api/.devcontainer/.tool-versions Pins Java to a specific patch version.
src/projects/eps-storage-terraform/trivy.yaml Removes project Trivy ignorefile config.
src/projects/eps-storage-terraform/.trivyignore.yaml Removes project Trivy ignore list.
src/languages/node_24_python_3_14/trivy.yaml Removes language image Trivy ignorefile config.
src/languages/node_24_python_3_14/.trivyignore.yaml Removes language image Trivy ignore list.
src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh Switches to installing user pip tools from a requirements file.
src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt Adds pinned zizmor and cfn-lint.
src/languages/node_24_python_3_13/trivy.yaml Removes language image Trivy ignorefile config.
src/languages/node_24_python_3_13/.trivyignore.yaml Removes language image Trivy ignore list marker.
src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh Switches to installing user pip tools from a requirements file.
src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt Adds pinned zizmor and cfn-lint.
src/languages/node_24_python_3_12/trivy.yaml Removes language image Trivy ignorefile config.
src/languages/node_24_python_3_12/.trivyignore.yaml Removes language image Trivy ignore list marker.
src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh Switches to installing user pip tools from a requirements file.
src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt Adds pinned zizmor and cfn-lint.
src/languages/node_24_python_3_10/trivy.yaml Removes language image Trivy ignorefile config.
src/languages/node_24_python_3_10/.trivyignore.yaml Removes language image Trivy ignore list.
src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh Adds requirements-based pip installs.
src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt Adds pinned zizmor.
src/common_node_24/Dockerfile Attempts to copy requirements-user.txt into images built from this common Dockerfile.
src/common/.trivyignore.yaml Removes common/base Trivy ignore list.
src/base_node/node_24/trivy.yaml Removes base-node Trivy ignorefile config.
src/base/trivy.yaml Removes base image Trivy ignorefile config.
src/base/.trivyignore.yaml Removes base image Trivy ignore list marker.
src/base/.devcontainer/scripts/vscode_install.sh Removes ASDF Trivy plugin installation.
src/base/.devcontainer/scripts/install_trivy.sh Removes Trivy install script.
src/base/.devcontainer/scripts/install_anchore_tool.sh Adds Syft/Grype installer with signature/checksum verification.
src/base/.devcontainer/Mk/trivy.mk Strips out old commented Trivy target implementations (keeps “Not implemented”).
src/base/.devcontainer/Mk/check.mk Adds zizmor make target.
src/base/.devcontainer/Dockerfile.trivy.arm64 Removes Trivy tool image definition.
src/base/.devcontainer/Dockerfile.trivy.amd64 Removes Trivy tool image definition.
src/base/.devcontainer/Dockerfile.syft Adds Syft tool image definition.
src/base/.devcontainer/Dockerfile.grype Adds Grype tool image definition.
src/base/.devcontainer/Dockerfile Injects Syft/Grype binaries into the base devcontainer image; updates PATH.
scripts/trivy_to_trivyignore.py Removes helper for generating .trivyignore from Trivy JSON output.
README.md Removes Trivy docs; documents zizmor; notes Trivy targets will be removed later.
Makefile Adds build steps for Syft/Grype tool images; replaces Trivy scan targets with Grype scan targets.
.trivyignore.yaml Removes repository-level Trivy ignore list.
.github/workflows/build_multi_arch_image.yml Replaces Trivy setup/scan with Syft/Grype setup + Grype scan + artifact upload.
.devcontainer/Dockerfile.bootstrap Removes Trivy bootstrap installation steps.


@anthony-nhs anthony-nhs changed the title New: [AEA-0000] - add syft and grype New: [AEA-0000] - add anchore tools Mar 31, 2026
@anthony-nhs anthony-nhs requested a review from Copilot March 31, 2026 09:54
Copilot AI left a comment

Pull request overview

Copilot reviewed 31 out of 33 changed files in this pull request and generated 11 comments.


Copilot AI left a comment

Pull request overview

Copilot reviewed 34 out of 36 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (3)

.github/workflows/release.yml:24

  • This workflow sets permissions: {} globally but the quality_checks reusable-workflow job does not declare any job-level permissions. If the called workflow needs to checkout the repo (common), it will fail without at least contents: read; add the required job permissions (or provide a non-empty default at workflow level).
permissions: {}

jobs:
  get_config_values:
    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
    with:
      verify_published_from_main_image: false
    permissions:
      attestations: read
      contents: read
      packages: read
  quality_checks:
    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
    needs:
      - get_config_values
    with:
      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
    secrets:
      SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'

.github/workflows/ci.yml:23

  • This workflow sets permissions: {} globally but the quality_checks reusable-workflow job does not declare job-level permissions. If the called workflow performs a checkout or reads repo contents, it will fail without at least contents: read; add appropriate job permissions (or set a non-empty default at workflow level).
permissions: {}

jobs:
  get_config_values:
    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
    with:
      verify_published_from_main_image: true
    permissions:
      attestations: read
      contents: read
      packages: read
  quality_checks:
    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
    needs:
      - get_config_values
    with:
      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
    secrets:
      SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'

.github/workflows/pull_request.yml:78

  • get_commit_id now checks out the default PR ref and uses git rev-parse --short HEAD, which on pull_request events is typically the synthetic merge commit (refs/pull/.../merge), not the PR head commit. If image tags are expected to reflect the PR head SHA, set ref: ${{ github.event.pull_request.head.sha }} (or compute the short SHA from that value) to avoid tagging with the merge-commit SHA.
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false
      - name: Get Commit ID
        id: commit_id
        run: |
          #  echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV"
          echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
          echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"


@anthony-nhs anthony-nhs requested a review from Copilot April 1, 2026 08:03
Copilot AI left a comment

Pull request overview

Copilot reviewed 34 out of 36 changed files in this pull request and generated 14 comments.

Comments suppressed due to low confidence (1)

.github/workflows/pull_request.yml:79

  • This checkout now defaults to the PR merge ref, so sha_short will be for the merge commit rather than the PR head commit. If the intention is to tag images with the head SHA (as the previous ref: ${{ env.BRANCH_NAME }} did), explicitly checkout ${{ github.event.pull_request.head.sha }} (or set ref accordingly) before computing sha_short.
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false
      - name: Get Commit ID
        id: commit_id
        run: |
          #  echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV"
          echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
          echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
  build_all_images:
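One way to address the two points Copilot raises above (a job-level permissions grant for the quality_checks reusable-workflow job, and computing sha_short from the PR head commit rather than the synthetic merge ref), written as an added example rather than code from this PR. The workflow file names, pinned action SHAs and the get_config_values wiring are copied from the snippets above; the workflow name and trigger are assumed.

```yaml
# Added example (not part of PR #69): minimal pull_request workflow showing
# the two corrections suggested in review.
name: pull_request            # assumed name
on:
  pull_request:               # assumed trigger; head.sha below only exists on PR events

# Keep the workflow-level default empty so every job has to opt in explicitly.
permissions: {}

jobs:
  get_config_values:
    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
    with:
      verify_published_from_main_image: true
    permissions:
      attestations: read
      contents: read
      packages: read

  quality_checks:
    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
    needs:
      - get_config_values
    with:
      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
    secrets:
      SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
    # Fix 1: with permissions: {} at workflow level the called workflow inherits an
    # empty token; a checkout inside it needs at least contents: read, granted here
    # at job level and nowhere wider.
    permissions:
      contents: read

  get_commit_id:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      sha_short: ${{ steps.commit_id.outputs.sha_short }}
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false
          # Fix 2: pin the checkout to the PR head commit instead of the default
          # refs/pull/<n>/merge commit, so the short SHA below matches what was pushed.
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Get Commit ID
        id: commit_id
        run: |
          echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
```

Note that checking out head.sha means the job tests the contributor's commit as pushed, not its merge with main; if the image build is meant to reflect the merged state, keep the default ref and instead derive sha_short from the head.sha expression directly.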


tstephen-nhs (Contributor) left a comment

couple of questions added

@anthony-nhs anthony-nhs enabled auto-merge (squash) April 1, 2026 10:22
@anthony-nhs anthony-nhs merged commit 4325c48 into main Apr 1, 2026
47 checks passed