New: [AEA-0000] - add anchore tools

.devcontainer/devcontainer.json

@@ -22,9 +22,6 @@
       "--network=host"
     ],
     "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
-    "postCreateCommand": "bash ${SCRIPTS_DIR}/post_create.sh",
-    "postStartCommand": "bash ${SCRIPTS_DIR}/post_start.sh",
-    "postAttachCommand": "bash ${SCRIPTS_DIR}/post_attach.sh",
     "features": {
     },
     "customizations": {

.github/dependabot.yml

@@ -16,7 +16,8 @@ updates:
     open-pull-requests-limit: 20
     commit-message:
       prefix: "Upgrade: [dependabot] - "
-
+    cooldown:
+      default-days: 7
   ###################################
   # NPM workspace  ##################
   ###################################
@@ -30,6 +31,8 @@ updates:
     versioning-strategy: increase
     commit-message:
       prefix: "Upgrade: [dependabot] - "
+    cooldown:
+      default-days: 7
 
   ###################################
   # Poetry  #########################
@@ -44,3 +47,5 @@ updates:
     versioning-strategy: increase
     commit-message:
       prefix: "Upgrade: [dependabot] - "
+    cooldown:
+      default-days: 7

.github/workflows/build_all_images.yml

@@ -11,8 +11,11 @@ name: build_all_images
       NO_CACHE:
         required: true
         type: boolean
-env:
-  BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
+permissions:
+  attestations: write
+  contents: read
+  packages: write
+  id-token: write
 jobs:
   discover_folders:
     runs-on: ubuntu-latest
@@ -22,6 +25,8 @@ jobs:
       project_folders: ${{ steps.find-folders.outputs.projects }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - id: find-folders
         run: |

.github/workflows/build_multi_arch_image.yml

@@ -20,6 +20,7 @@ name: Build and push docker image
       EXTRA_COMMON:
         required: false
         type: string
+permissions: {}
 
 jobs:
   build_and_push_image:
@@ -63,11 +64,17 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: setup node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version: '24.14.0'
-
+      - name: setup syft and grype
+        run: |
+          mkdir -p "$RUNNER_TEMP/bin"
+          docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.syft" src/base/.devcontainer/
+          docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.grype" src/base/.devcontainer/
+          echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
       - name: make install
         run: |
           make install-node
@@ -92,32 +99,18 @@ jobs:
           CONTAINER_NAME: '${{ inputs.container_name }}'
           BASE_FOLDER: "${{ inputs.base_folder }}"
           IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
-          EXIT_CODE: 0
-          EXTRA_COMMON: "${{ inputs.extra_common }}"
-      # - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
-      #   name: Upload scan results
-      #   with:
-      #     name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
-      #     path: .out/scan_results_docker.json
-      # - name: Check docker vulnerabilities - table output
-      #   run: |
-      #     make scan-image
-      #   env:
-      #     CONTAINER_NAME: '${{ inputs.container_name }}'
-      #     BASE_FOLDER: "${{ inputs.base_folder }}"
-      #     IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
-      #     EXIT_CODE: "1"
-      #     EXTRA_COMMON: "${{ inputs.extra_common }}"
-      # - name: Show docker vulnerability output
-      #   if: always()
-      #   run: |
-      #     echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
-      #     if [ -f .out/scan_results_docker.txt ]; then
-      #       cat .out/scan_results_docker.txt
-      #     fi
-      #   env:
-      #     ARCHITECTURE: '${{ matrix.arch }}'
-      #     DOCKER_TAG: '${{ inputs.docker_tag }}'
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        name: Upload scan results
+        with:
+          name: "grype_${{ inputs.container_name }}_${{ inputs.docker_tag }}-${{ matrix.arch }}.json"
+          path: .grype_out/grype_${{ inputs.container_name }}_${{ inputs.docker_tag }}-${{ matrix.arch }}.json
+      - name: Check docker vulnerabilities - text output
+        run: |
+          make scan-image
+        env:
+          CONTAINER_NAME: '${{ inputs.container_name }}'
+          BASE_FOLDER: "${{ inputs.base_folder }}"
+          IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
       - name: Push tagged image and rebuild for github actions
         run: |
           echo "Pushing image..."

.github/workflows/ci.yml

@@ -2,12 +2,17 @@ name: merge to main workflow
 on:
   push:
     branches: [main]
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     with:
       verify_published_from_main_image: true
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
   quality_checks:
     uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     needs:
@@ -27,11 +32,15 @@ jobs:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: main
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
   build_all_images:
     needs: 
       - tag_release
     uses: ./.github/workflows/build_all_images.yml 
+    permissions:
+      attestations: write
+      contents: read
+      packages: write
+      id-token: write
     with: 
       docker_tag: 'ci-${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: false

.github/workflows/delete_old_images.yml

@@ -7,6 +7,7 @@ on:
     - cron: "0 1 * * 6"
   push:
     branches: [main]
+permissions: {}
 
 jobs:
   delete-old-pushed-images:
@@ -21,8 +22,8 @@ jobs:
       - name: Checkout local code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
+          persist-credentials: false
 
       - name: delete unused images
         shell: bash

.github/workflows/pull_request.yml

@@ -3,20 +3,25 @@ name: pull_request
   pull_request:
     branches:
       - main
-env:
-  BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
+permissions: {}
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
-    uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
+    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
+    permissions:
+      contents: write
+      pull-requests: write
     secrets:
       AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}'
       AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}'
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     with:
       verify_published_from_main_image: false
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
   quality_checks:
     uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     needs:
@@ -26,8 +31,9 @@ jobs:
     secrets:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   pr_title_format_check:
-    uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
+    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
+    permissions:
+      pull-requests: write
   get_issue_number:
     runs-on: ubuntu-22.04
     needs: quality_checks
@@ -63,7 +69,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: '${{ env.BRANCH_NAME }}'
+          persist-credentials: false
       - name: Get Commit ID
         id: commit_id
         run: |
@@ -75,6 +81,11 @@ jobs:
       - get_issue_number
       - get_commit_id
     uses: ./.github/workflows/build_all_images.yml 
+    permissions:
+      attestations: write
+      contents: read
+      packages: write
+      id-token: write
     with: 
       docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}'
       tag_latest: false

.github/workflows/release.yml

@@ -3,12 +3,17 @@ on:
   workflow_dispatch:
   schedule:
     - cron: "0 18 * * 3"
+permissions: {}
 
 jobs:
   get_config_values:
     uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     with:
       verify_published_from_main_image: false
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
   quality_checks:
     uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@f2d4d6942115472d3f08316cd25f400b02a9dc69
     needs:
@@ -34,6 +39,11 @@ jobs:
     needs: 
       - tag_release
     uses: ./.github/workflows/build_all_images.yml 
+    permissions:
+      attestations: write
+      contents: read
+      packages: write
+      id-token: write
     with: 
       docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: true

.gitignore

@@ -4,4 +4,5 @@ src/base/.devcontainer/language_versions/
 .trivyignore_combined.yaml
 .out/
 .envrc
+.sbom/
 .grype_out/

.grype.yaml

@@ -0,0 +1,65 @@
+ignore:
+  # base image
+  - vulnerability: CVE-2025-4517
+  - vulnerability: CVE-2025-68121
+  - vulnerability: GHSA-p77j-4mvh-x3m3
+  - vulnerability: GHSA-vmwr-mc7x-5vc3
+  - vulnerability: CVE-2025-4330
+  - vulnerability: CVE-2025-4435
+  - vulnerability: CVE-2025-4138
+  - vulnerability: CVE-2025-8194
+  - vulnerability: CVE-2025-13836
+  - vulnerability: CVE-2024-9287
+  - vulnerability: CVE-2025-61726
+  - vulnerability: CVE-2026-4519
+  - vulnerability: CVE-2026-25679
+  - vulnerability: CVE-2025-61725
+  - vulnerability: CVE-2025-61723
+  - vulnerability: CVE-2025-61729
+  - vulnerability: GHSA-4vrq-3vrq-g6gg
+  - vulnerability: CVE-2025-58187
+  - vulnerability: CVE-2026-27137
+  - vulnerability: CVE-2025-47907
+  - vulnerability: CVE-2025-61731 
+  - vulnerability: GHSA-9h8m-3fm2-qjrq
+  - vulnerability: CVE-2025-61732
+  - vulnerability: GHSA-4c29-8rgm-jvjj
+  - vulnerability: CVE-2025-58188
+  - vulnerability: CVE-2025-4674
+  - vulnerability: GHSA-x744-4wpc-v9h2
+# node_24 vulnerabilities
+  - vulnerability: GHSA-c2c7-rcm5-vvqj
+  - vulnerability: GHSA-7r86-cg39-jmmj
+  - vulnerability: GHSA-3ppc-4f35-3m26
+  - vulnerability: GHSA-23c5-xmqv-rm74
+  - vulnerability: GHSA-9ppj-qmqm-q256
+  - vulnerability: GHSA-qffp-2rhf-9h96 
+  - vulnerability: GHSA-83g3-92jg-28cx
+# node_24_python_3_10 vulnerabilities
+  - vulnerability: GHSA-cx63-2mw6-8hw5
+  - vulnerability: GHSA-r9hx-vwmv-q579
+  - vulnerability: GHSA-5rjg-fvgr-3xxf
+# eps-storage-terraform vulnerabilities
+  - vulnerability: CVE-2025-68119
+# eps-data-extract vulnerabilities
+  - vulnerability: GHSA-6fmv-xxpf-w3cw
+# fhir-facade vulnerabilities
+  - vulnerability: CVE-2022-26485
+  - vulnerability: CVE-2022-26486
+  - vulnerability: CVE-2022-25235
+  - vulnerability: CVE-2022-25236
+  - vulnerability: CVE-2024-21147
+  - vulnerability: CVE-2025-21587
+  - vulnerability: CVE-2025-30749
+  - vulnerability: CVE-2024-20952
+  - vulnerability: CVE-2024-20918
+  - vulnerability: CVE-2025-50106
+  - vulnerability: CVE-2025-50059
+  - vulnerability: CVE-2025-53066
+  - vulnerability: CVE-2026-21945
+  - vulnerability: CVE-2026-21932
+# node-24_python_3_14_java_24 vulnerabilities
+  - vulnerability: GHSA-6fmv-xxpf-w3cw
+  - vulnerability: CVE-2025-53066
+  - vulnerability: CVE-2026-21945
+  - vulnerability: CVE-2026-21932

Makefile

@@ -64,7 +64,15 @@ build-all: build-base-image build-node-24-image build-node-24-python-3-10-image
 	build-eps-storage-terraform-image build-eps-data-extract-image build-fhir-facade-image build-node-24-python-3-14-golang-1-24-image build-node-24-python-3-14-java-24-image \
 	build-regression-tests-image
 
-build-image: guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
+build-syft:
+	docker build -f src/base/.devcontainer/Dockerfile.syft --tag local_syft src/base/.devcontainer/
+build-grype:
+	docker build -f src/base/.devcontainer/Dockerfile.grype --tag local_grype src/base/.devcontainer/
+
+build-grant:
+	docker build -f src/base/.devcontainer/Dockerfile.grant --tag local_grant src/base/.devcontainer/
+
+build-image: build-syft build-grype build-grant guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
 	workspace_folder="$${CONTAINER_NAME}"; \
 	case "$${CONTAINER_NAME}" in \
 		eps_*) workspace_folder="$$(printf '%s' "$${CONTAINER_NAME}" | tr '_' '-')" ;; \
@@ -86,12 +94,17 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG
 		--load \
 		-t "${CONTAINER_PREFIX}$${BASE_IMAGE_NAME}:githubactions-$${IMAGE_TAG}" \
 		.
-
-scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER
-	echo "Not implemented"
+scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
+	grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \
+		--scope all-layers \
+		--sort-by severity \
+		--fail-on high
 
 scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
-	echo "Not implemented"
+	grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \
+		--scope all-layers \
+		--output json \
+		--file ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.json" 
 
 shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG
 	docker run -it \