Chore: [AEA-0000] -verify installs

.github/workflows/build_all_images.yml

@@ -37,9 +37,9 @@ jobs:
 
   build_tool_images:
     # build common tool images with a lower scoped github token
-    # as it uses a 3rd party docker image with github cli installed to verify attestation of tflint binary
-    # and we dont want to make a high scoped token available to that image
-    # token needs attestation read so it can verify attestation of tflint binary
+    # as it uses a 3rd party docker image with github cli installed to verify attestation of binaries downloaded from github
+    # and we don't want to make a high scoped token available to that image
+    # token needs attestation read so it can verify attestation of binaries
     name: Build tool images for on ${{ matrix.arch }}
     runs-on: '${{ matrix.runner }}'
     strategy:
@@ -59,23 +59,14 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
-      - name: build_grype
+      - name: build_tools
         run: |
-          make build-grype
+          make build-tools
           docker save "local_grype:latest" -o grype_image.tar
-      - name: build_syft
-        run: |
-          make build-syft
           docker save "local_syft:latest" -o syft_image.tar
-      - name: build_grant
-        run: |
-          make build-grant
           docker save "local_grant:latest" -o grant_image.tar
-
-      - name: build_tflint
-        run: |
-          make build-tflint
           docker save "local_tflint:latest" -o tflint_image.tar
+          docker save "local_zizmor:latest" -o zizmor_image.tar
         env:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -88,6 +79,7 @@ jobs:
             syft_image.tar
             grant_image.tar
             tflint_image.tar
+            zizmor_image.tar
   package_base_docker_image:
     uses: ./.github/workflows/build_multi_arch_image.yml
     permissions:

Makefile

@@ -13,7 +13,7 @@ guard-%:
 .PHONY: install install-python install-node install-hooks build-base-image build-node-24-image build-node-24-python-3-10-image build-node-24-python-3-12-image build-node-24-python-3-13-image build-node-24-python-3-14-image \
 	build-eps-storage-terraform-image build-eps-data-extract-image build-fhir-facade-image build-node-24-python-3-14-golang-1-24-image build-node-24-python-3-14-java-24-image \
 	build-regression-tests-image build-all build-image build-githubactions-image scan-image scan-image-json shell-image lint test lint-githubactions lint-githubaction-scripts clean \
-	build-syft build-grype build-grant build-tflint
+	build-syft build-grype build-grant build-tflint build-tools build-zizmor
 install: install-python install-node install-hooks
 
 install-python:
@@ -91,12 +91,25 @@ build-tflint:
 	else \
 		docker buildx build \
 			--secret id=GH_TOKEN,env=GITHUB_TOKEN \
-			-f src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint \
+			-f src/base/.devcontainer/Dockerfile.tflint \
 			--tag local_tflint:latest \
-			src/projects/eps-storage-terraform/.devcontainer/; \
+			src/base/.devcontainer/; \
 	fi
 
-build-image: build-syft build-grype build-grant build-tflint guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
+build-zizmor:
+	@if docker image inspect local_zizmor:latest >/dev/null 2>&1; then \
+		echo "Image local_zizmor:latest already exists. Skipping build."; \
+	else \
+		docker buildx build \
+			--secret id=GH_TOKEN,env=GITHUB_TOKEN \
+			-f src/base/.devcontainer/Dockerfile.zizmor \
+			--tag local_zizmor:latest \
+			src/base/.devcontainer/; \
+	fi
+
+build-tools: build-syft build-grype build-grant build-tflint build-zizmor
+
+build-image: build-tools guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG
 	workspace_folder="$${CONTAINER_NAME}"; \
 	case "$${CONTAINER_NAME}" in \
 		eps_*) workspace_folder="$$(printf '%s' "$${CONTAINER_NAME}" | tr '_' '-')" ;; \

src/base/.devcontainer/Dockerfile

@@ -1,20 +1,31 @@
 FROM local_syft:latest AS syft-build
 FROM local_grype:latest AS grype-build
 FROM local_grant:latest AS grant-build
+FROM local_zizmor:latest AS zizmor-build
 FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
 
 ARG SCRIPTS_DIR=/usr/local/share/eps
 ARG CONTAINER_NAME
 ARG IMAGE_TAG
 ARG TARGETARCH
+ARG SAM_VERSION="v1.158.0"
+ARG ASDF_VERSION="v0.18.1"
+ARG GITLEAKS_VERSION="8.30.1"
+ARG CFN_GUARD_VERSION="3.2.0"
 
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
 ENV TARGETARCH=${TARGETARCH}
-
-COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
+ENV SAM_VERSION=${SAM_VERSION}
+ENV ASDF_VERSION=${ASDF_VERSION}
+ENV GITLEAKS_VERSION=${GITLEAKS_VERSION}
+ENV CFN_GUARD_VERSION=${CFN_GUARD_VERSION}
 COPY --chmod=755 scripts/lifecycle/*.sh ${SCRIPTS_DIR}/
 COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
+COPY --chmod=755 scripts/install_aws_sam_cli.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_aws_sam_cli.sh
+COPY --chmod=755 scripts/install_asdf.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_asdf.sh
+COPY --chmod=755 scripts/install_gitleaks.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_gitleaks.sh
+COPY --chmod=755 scripts/install_cfn_guard.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_cfn_guard.sh
 COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
@@ -23,10 +34,9 @@ RUN ./root_install.sh
 COPY --from=syft-build /syft /usr/local/bin/syft
 COPY --from=grype-build /grype /usr/local/bin/grype
 COPY --from=grant-build /grant /usr/local/bin/grant
-
+COPY --from=zizmor-build /zizmor /usr/local/bin/zizmor
 COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode
-COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf
 COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions
 COPY --chown=vscode:vscode .grant.yaml /home/vscode/.grant.yaml
 

src/base/.devcontainer/Dockerfile.tflint

@@ -0,0 +1,24 @@
+FROM serversideup/github-cli:2.89.0 AS build
+ARG TARGETARCH
+ARG TFLINT_VERSION="v0.61.0"
+COPY --chmod=755 scripts/install_github_release.sh /tmp/install_github_release.sh
+RUN --mount=type=secret,id=GH_TOKEN,env=GH_TOKEN \
+    case "${TARGETARCH}" in \
+        x86_64|amd64) DOWNLOAD_BINARY=tflint_linux_amd64.zip ;; \
+        aarch64|arm64) DOWNLOAD_BINARY=tflint_linux_arm64.zip ;; \
+        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+    esac \
+    && INSTALL_DIR=/tmp/tflint/ \
+    ARCH="${TARGETARCH}" \
+    VERSION="${TFLINT_VERSION}" \
+    GITHUB_REPO="terraform-linters/tflint" \
+    TOOL="tflint" \
+    DOWNLOAD_BINARY="${DOWNLOAD_BINARY}" \
+    VERIFY_BINARY_ATTESTATION="false" \
+    VERIFY_CHECKSUM="true" \
+    COMPRESSION="zip" \
+    /tmp/install_github_release.sh
+
+FROM scratch
+COPY --from=build /tmp/tflint/tflint /tflint
+ENTRYPOINT ["/tflint"]

src/base/.devcontainer/Dockerfile.zizmor

@@ -0,0 +1,24 @@
+FROM serversideup/github-cli:2.89.0 AS build
+ARG TARGETARCH
+ARG ZIZMOR_VERSION="v1.24.1"
+COPY --chmod=755 scripts/install_github_release.sh /tmp/install_github_release.sh
+RUN --mount=type=secret,id=GH_TOKEN,env=GH_TOKEN \
+    case "${TARGETARCH}" in \
+        x86_64|amd64) DOWNLOAD_BINARY=zizmor-x86_64-unknown-linux-gnu.tar.gz ;; \
+        aarch64|arm64) DOWNLOAD_BINARY=zizmor-aarch64-unknown-linux-gnu.tar.gz  ;; \
+        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+    esac \
+    && INSTALL_DIR=/tmp/zizmor/ \
+    ARCH="${TARGETARCH}" \
+    VERSION="${ZIZMOR_VERSION}" \
+    GITHUB_REPO="zizmorcore/zizmor" \
+    TOOL="zizmor" \
+    DOWNLOAD_BINARY="${DOWNLOAD_BINARY}" \
+    VERIFY_BINARY_ATTESTATION="true" \
+    VERIFY_CHECKSUM="false" \
+    COMPRESSION="tar.gz" \
+    /tmp/install_github_release.sh
+
+FROM scratch
+COPY --from=build /tmp/zizmor/zizmor /zizmor
+ENTRYPOINT ["/zizmor"]

src/base/.devcontainer/Mk/check.mk

@@ -84,7 +84,11 @@ actionlint:
 	actionlint
 
 secret-scan:
-	git-secrets --scan-history .
+	@if [ -f .gitallowed ]; then \
+		git-secrets --scan-history .; \
+	else \
+		gitleaks -v git; \
+	fi
 
 guard-%:
 	@ if [ "${${*}}" = "" ]; then \

src/base/.devcontainer/devcontainer.json

@@ -21,7 +21,9 @@
         "moby": "true",
         "installDockerBuildx": "true"
       },
+      // fine to use github-cli feature here as it verifies the installation
       "ghcr.io/devcontainers/features/github-cli:1": {},
+      // fine to use aws-cli feature here as it verifies the installation
        "ghcr.io/devcontainers/features/aws-cli:1": {
           "version": "latest"
        }

src/base/.devcontainer/scripts/install_asdf.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VERSION=${VERSION:-"v0.18.1"}
+# Expected SHA256 checksums taken from https://github.com/asdf-vm/asdf/releases/tag/v0.18.1
+# When we change asdf versions, these must be changed
+sha256sum_expected_arm="sha256:1850faf576cab7acb321e99dd98d3fe0d4665e1331086ad9ed991aeec1dc9d36"
+sha256sum_expected_amd64="sha256:56141dc99eab75c140dcdd85cf73f3b82fed2485a8dccd4f11a4dc5cbcb6ea5c"
+
+if [ "$(id -u)" -ne 0 ]; then
+    echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+    exit 1
+fi
+
+# Checks if packages are installed and installs them if not
+check_packages() {
+    if ! dpkg -s "$@" > /dev/null 2>&1; then
+        apt-get -y install --no-install-recommends "$@"
+    fi
+}
+
+check_packages curl ca-certificates tar
+
+install() {
+    tmp_dir="$(mktemp -d)"
+    trap 'rm -rf "${tmp_dir}"' EXIT
+
+    download_file="${tmp_dir}/asdf.tar.gz"
+
+    if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
+        download_url="https://github.com/asdf-vm/asdf/releases/download/${VERSION}/asdf-${VERSION}-linux-arm64.tar.gz"
+        sha256sum_expected="${sha256sum_expected_arm}"
+    else
+        download_url="https://github.com/asdf-vm/asdf/releases/download/${VERSION}/asdf-${VERSION}-linux-amd64.tar.gz"
+        sha256sum_expected="${sha256sum_expected_amd64}"
+    fi
+    curl -fsSL "${download_url}" -o "${download_file}"
+
+    download_file_sha256sum=$(sha256sum "${download_file}" | awk '{print $1}')
+    if [ "${download_file_sha256sum}" != "${sha256sum_expected#sha256:}" ]; then
+        echo "SHA256 checksum mismatch for downloaded asdf archive"
+        echo "Expected: ${sha256sum_expected}"
+        echo "Actual:   sha256:${download_file_sha256sum}"
+        exit 1
+    fi
+
+    tar -xzf "${download_file}" -C "${tmp_dir}"
+    mkdir -p /usr/bin
+    mv "${tmp_dir}/asdf" /usr/bin/asdf
+    chmod +x /usr/bin/asdf
+}
+echo "(*) Installing asdf..."
+
+install
+
+echo "Done!"