[GPCAPIM-289] - Add dependencies to dev container image #117
neil-sproston merged 8 commits into main from
Conversation
- Define STUB_SDS, STUB_PDS, and STUB_PROVIDER in the workflow environment
✅ Trivy gate: no Critical/High issues. Trivy IaC (Terraform) Summary
Findings (top 50)

✅ Trivy gate: no Critical/High vulnerabilities. Trivy Image Scan Summary
Image: 900119715266.dkr.ecr.eu-west-2.amazonaws.com/whoami:bugfix-gpcapim-289
✅ No vulnerabilities found.
Pull request overview
This PR updates the build/dev container image to include additional development libraries needed for building dependencies inside the container.
Changes:
- Add `libxml2-dev` and `libxslt-dev` to the Alpine `apk add` package list.
- Adjust the package list around `zstd-dev` to include the new dependencies.
Pull request overview
Adds missing native development libraries to the build/dev container image so Python packages that depend on libxml2/libxslt can compile successfully in the devcontainer/CI build environment.
Changes:
- Install `libxml2-dev` and `libxslt-dev` in the build-container image.
- Copy dev certificates into the gateway-api image build context if present - Update .gitignore to include dev-certificates directory
Pull request overview
Adds development-time dependencies and optional dev CA certificate propagation into the gateway-api image build context to better align trust stores between the dev container and the built image.
Changes:
- Ignore `resources/dev-certificates` in the gateway-api image build context.
- Optionally copy dev certificates into the gateway-api Docker build context and install them in the gateway-api image when present.
- Add `libxml2-dev` and `libxslt-dev` to the build-container image to support builds needing those native libs.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| infrastructure/images/gateway-api/resources/.gitignore | Ignores dev certificate build-context directory. |
| infrastructure/images/gateway-api/Dockerfile | Installs dev CA certificates from the build context when provided. |
| infrastructure/images/build-container/Dockerfile | Adds XML/XSLT development libraries to the build container. |
| Makefile | Copies dev certificates into the gateway-api image build context when present. |
- Add INCLUDE_DEV_CERTS argument to control installation of dev certificates - Modify Dockerfile to handle dev certificates based on the new argument - Adjust Makefile to pass INCLUDE_DEV_CERTS during the build process
- Comment out Trivy IaC scan, image scan, and SBOM generation steps - Disable scans in response to security concerns regarding Trivy
Pull request overview
This PR updates the development/build container and gateway-api image build flow to support additional native build dependencies and optional installation of dev certificates during local containerized builds.
Changes:
- Add `libxml2-dev` and `libxslt-dev` to the build-container image to support building dependencies requiring libxml/libxslt headers.
- Add an `INCLUDE_DEV_CERTS` build arg and conditional dev-certificate install logic to the gateway-api Docker image, plus Makefile wiring to copy/pass certs when building inside the build container.
- Disable Trivy IaC/image scanning and SBOM generation steps in the preview environment GitHub Actions workflow.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| infrastructure/images/gateway-api/resources/.gitignore | Ignores dev-certificates build-context content. |
| infrastructure/images/gateway-api/Dockerfile | Adds optional dev certificate installation during image build. |
| infrastructure/images/build-container/Dockerfile | Installs libxml/libxslt dev headers for native builds. |
| Makefile | Copies dev certs into image build context and conditionally passes INCLUDE_DEV_CERTS. |
| .github/workflows/preview-env.yml | Comments out Trivy scanning/SBOM steps. |
| @if [[ -n "$${IN_BUILD_CONTAINER}" ]]; then \ | ||
| echo "building with dev certs ..." ; \ | ||
| $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} --build-arg INCLUDE_DEV_CERTS=${INCLUDE_DEV_CERTS} -t ${IMAGE_NAME} infrastructure/images/gateway-api | ||
| else \ | ||
| $(docker) buildx build --platform linux/amd64 --load --provenance=false --build-arg PYTHON_VERSION=${PYTHON_VERSION} --build-arg COMMIT_VERSION=${COMMIT_VERSION} --build-arg BUILD_DATE=${BUILD_DATE} -t ${IMAGE_NAME} infrastructure/images/gateway-api | ||
| fi |
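Review bot: `[[ -n "$${IN_BUILD_CONTAINER}" ]]` on the first line of this hunk is a bash-only construct, so the recipe fails with a syntax error under make's default `/bin/sh` unless the Makefile sets `SHELL := /bin/bash`; a POSIX test such as `[ "$${IN_BUILD_CONTAINER}" = "true" ]` works in either shell and also stops values like `false` from being treated as true. The `echo "building with dev certs ..."` line is also misleading: it prints whenever IN_BUILD_CONTAINER is set, even when INCLUDE_DEV_CERTS is not `true`, so anyone auditing build logs cannot tell from it whether a dev CA was actually baked in; echo the INCLUDE_DEV_CERTS value instead.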
The build target checks IN_BUILD_CONTAINER with [[ -n ... ]], which treats any non-empty value (including "false") as true. This can route builds down the build-container branch unexpectedly and diverges from the earlier ifeq (${IN_BUILD_CONTAINER}, true) logic. Use an explicit equality check against "true" (or reuse the make-level condition) so the behavior is consistent and predictable.
| # desable trivy in light of attack https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise | ||
| # # ---------- Security scanning ---------- | ||
| # - name: Trivy IaC scan | ||
| # if: github.event.action != 'closed' | ||
| # uses: nhs-england-tools/trivy-action/iac-scan@289984b2f03034233a347d6dbadecd5ca9ea9634 | ||
| # with: | ||
| # scan-ref: infrastructure/environments/preview | ||
| # artifact-name: trivy-iac-scan-${{ steps.meta.outputs.branch_name }} | ||
|
|
||
| # - name: Trivy image scan | ||
| # if: github.event.action != 'closed' | ||
| # uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634 | ||
| # with: | ||
| # image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}} | ||
| # artifact-name: trivy-image-scan-${{ steps.meta.outputs.branch_name }} | ||
|
|
||
| # - name: Generate SBOM | ||
| # if: github.event.action != 'closed' | ||
| # uses: nhs-england-tools/trivy-action/image-scan@289984b2f03034233a347d6dbadecd5ca9ea9634 | ||
| # with: | ||
| # image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}} | ||
| # artifact-name: trivy-sbom-${{ steps.meta.outputs.branch_name }} |
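Review bot: all three steps being commented out are already pinned to a full commit SHA (`@289984b2f03034233a347d6dbadecd5ca9ea9634`) rather than a tag, which is the control that protects against a compromised tag or branch of the action, so the rationale comment should state whether that pinned commit was checked against the incident in the linked article rather than only linking it. Commenting out the IaC scan, the image scan and the SBOM step together leaves the preview environment with no vulnerability gate and no SBOM at all; if the action itself cannot be trusted for now, running the scanner from a pinned scanner container image in a plain `run:` step keeps the gate in place in the interim, and the comment should carry a condition under which these steps come back.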
This PR is described as adding dev-container dependencies, but this change disables all Trivy scanning/SBOM generation for preview environments. That’s a significant security/operational change; consider moving it to a dedicated PR (or gate it behind a temporary flag) and add a clear tracking link (issue/incident) plus an explicit plan/condition for re-enabling scanning.
| with: | ||
| image-ref: ${{steps.meta.outputs.ecr_url}}:${{steps.meta.outputs.branch_name}} | ||
| artifact-name: trivy-sbom-${{ steps.meta.outputs.branch_name }} | ||
| # desable trivy in light of attack https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise |
Spelling: "desable" should be "disable" in this workflow comment to keep the rationale clear/searchable (especially since this is documenting a security-related change).
| # desable trivy in light of attack https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise | |
| # disable trivy in light of attack https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise |
| COPY resources/ /resources | ||
|
|
||
| # Install required certificates for dev machines. | ||
| RUN if [ "$INCLUDE_DEV_CERTS" = "true" ] && [ -d /resources/dev-certificates ]; then \ | ||
| cp -r /resources/dev-certificates/* /usr/local/share/ca-certificates/; \ | ||
| update-ca-certificates; \ | ||
| cp -r /resources/dev-certificates/* /etc/ssl/certs/; \ | ||
| else \ | ||
| rm -rf /resources/dev-certificates || true; \ | ||
| fi | ||
|
|
||
| RUN apk upgrade --no-cache && \ | ||
| pip install --no-cache-dir --upgrade pip && \ | ||
| addgroup -S nonroot && \ | ||
| adduser -S gateway_api_user -G nonroot |
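Review bot: the `rm -rf /resources/dev-certificates || true` in the else branch does not keep the certificates out of the image. They are written by the preceding `COPY resources/ /resources` layer and stay in that layer regardless of what a later `RUN` deletes, so any image built while dev certs were present in the build context carries the dev CA files in its history even with INCLUDE_DEV_CERTS unset. The new `.gitignore` entry keeps the directory out of git but not out of the Docker build context; have the Makefile place the certs in the context only when INCLUDE_DEV_CERTS is `true` (and remove them otherwise), so the Dockerfile never needs the rm branch, or copy the directory in a separate build stage that is not part of the final image. The second `cp -r /resources/dev-certificates/* /etc/ssl/certs/` after `update-ca-certificates` is redundant, since that command already regenerates the bundle and hashed symlinks in that directory, and it leaves unhashed duplicate files behind. Installing a dev CA into the system trust store means every TLS connection from the image trusts it, so images built with INCLUDE_DEV_CERTS=true must be clearly tagged and never pushed to the shared registry.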
Moving COPY resources/ /resources before the apk upgrade layer will invalidate the package-install/user-creation layer cache whenever application build artifacts change (which is likely on most builds), making rebuilds slower. Consider copying only the cert directory first (for the conditional cert install), keep OS setup (apk/pip/adduser) in earlier stable layers, and copy the full /resources/build/... later.
Deployment Complete
Include necessary development libraries in the dev container.