New: [AEA-0000] - add syft and grype

.devcontainer/Dockerfile.bootstrap

@@ -1,16 +1,3 @@
-# This can be used to bootstrap devcontainer when no images have been pushed
-FROM alpine:3.23.3 AS build
-ARG TARGETARCH
-RUN apk add --no-cache cosign bash curl jq
-COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
-RUN case "${TARGETARCH}" in \
-        x86_64|amd64) TRIVY_ARCH=64bit ;; \
-        aarch64|arm64) TRIVY_ARCH=ARM64 ;; \
-        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
-    esac \
-    && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh
-
-
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 ARG TARGETARCH
 ENV TARGETARCH=${TARGETARCH}
@@ -75,8 +62,6 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \
     chmod 755 /usr/share/secrets-scanner && \
     curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
 
-COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy
-
 USER vscode
 
 ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin"

.github/workflows/build_multi_arch_image.yml

@@ -63,18 +63,16 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
-      # - name: setup trivy
-      #   run: |
-      #     mkdir -p "$RUNNER_TEMP/bin"
-      #     docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" .
-      #     echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
-      #  env:
-      #    ARCH: '${{ matrix.arch }}'
       - name: setup node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version: '24.14.0'
-
+      - name: setup syft and grype
+        run: |
+          mkdir -p "$RUNNER_TEMP/bin"
+          docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.syft" src/base/.devcontainer/
+          docker build  --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.grype" src/base/.devcontainer/
+          echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
       - name: make install
         run: |
           make install-node
@@ -99,32 +97,28 @@ jobs:
           CONTAINER_NAME: '${{ inputs.container_name }}'
           BASE_FOLDER: "${{ inputs.base_folder }}"
           IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
-          EXIT_CODE: 0
-          EXTRA_COMMON: "${{ inputs.extra_common }}"
-      # - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
-      #   name: Upload scan results
-      #   with:
-      #     name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
-      #     path: .out/scan_results_docker.json
-      # - name: Check docker vulnerabilities - table output
-      #   run: |
-      #     make scan-image
-      #   env:
-      #     CONTAINER_NAME: '${{ inputs.container_name }}'
-      #     BASE_FOLDER: "${{ inputs.base_folder }}"
-      #     IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
-      #     EXIT_CODE: "1"
-      #     EXTRA_COMMON: "${{ inputs.extra_common }}"
-      # - name: Show docker vulnerability output
-      #   if: always()
-      #   run: |
-      #     echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
-      #     if [ -f .out/scan_results_docker.txt ]; then
-      #       cat .out/scan_results_docker.txt
-      #     fi
-      #   env:
-      #     ARCHITECTURE: '${{ matrix.arch }}'
-      #     DOCKER_TAG: '${{ inputs.docker_tag }}'
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        name: Upload scan results
+        with:
+          name: "grype_${{ inputs.container_name }}_${{ matrix.arch }}.json"
+          path: .grype_out/grype_${{ inputs.container_name }}_${{ matrix.arch }}.json
+      - name: Check docker vulnerabilities - text output
+        run: |
+          make scan-image
+        env:
+          CONTAINER_NAME: '${{ inputs.container_name }}'
+          BASE_FOLDER: "${{ inputs.base_folder }}"
+          IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
+      - name: Show docker vulnerability output
+        if: always()
+        run: |
+          echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
+          if [ -f .out/scan_results_docker.txt ]; then
+            cat .out/scan_results_docker.txt
+          fi
+        env:
+          ARCHITECTURE: '${{ matrix.arch }}'
+          DOCKER_TAG: '${{ inputs.docker_tag }}'
       - name: Push tagged image and rebuild for github actions
         run: |
           echo "Pushing image..."