Update from the repository template (#8)

## Description

Bring the latest changes to this repository from the template.

## Type of changes

- [x] Refactoring (non-breaking change)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would change existing
functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)

## Checklist

- [x] I am familiar with the [contributing
guidelines](../docs/CONTRIBUTING.md)
- [x] I have followed the code style of the project
- [ ] I have added tests to cover my changes
- [ ] I have updated the documentation accordingly
- [x] This PR is a result of pair or mob programming

---

## Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others
privacy, we kindly ask you to NOT including [PII (Personal Identifiable
Information) / PID (Personal Identifiable
Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public)
or any other sensitive data in this PR (Pull Request) and the codebase
changes. We will remove any PR that do contain any sensitive
information. We really appreciate your cooperation in this matter.

- [x] I confirm that neither PII/PID nor sensitive data are included in
this PR and the codebase changes.

.editorconfig

@@ -17,5 +17,5 @@ indent_size = 4
 [{Dockerfile,Dockerfile.}*]
 indent_size = 4
 
-[*{.mk,Makefile}]
+[{Makefile,*.mk,go.mod,go.sum,*.go,.gitmodules}]
 indent_style = tab

.github/workflows/check-file-format.yaml

@@ -12,4 +12,4 @@ jobs:
           fetch-depth: 0
       - run: |
           export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-          ./scripts/githooks/editorconfig-pre-commit.sh
+          ./scripts/githooks/check-file-format.sh

.github/workflows/check-markdown-format.yaml

@@ -12,4 +12,4 @@ jobs:
           fetch-depth: 0
       - run: |
           export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-          ./scripts/githooks/markdown-pre-commit.sh
+          ./scripts/githooks/check-markdown-format.sh

.github/workflows/check-terraform-format.yaml

@@ -10,4 +10,4 @@ jobs:
       - uses: actions/checkout@v3
       - run: |
           export CHECK_ONLY=true
-          ./scripts/githooks/terraform-pre-commit.sh
+          ./scripts/githooks/check-terraform-format.sh

.github/workflows/cicd-pipeline.yaml

@@ -15,16 +15,17 @@ jobs:
       build_timestamp: ${{ steps.metadata.outputs.build_timestamp }}
       build_epoch: ${{ steps.metadata.outputs.build_epoch }}
       nodejs_version: ${{ steps.metadata.outputs.nodejs_version }}
+      python_version: ${{ steps.metadata.outputs.python_version }}
       terraform_version: ${{ steps.metadata.outputs.terraform_version }}
     steps:
-      - uses: actions/checkout@v3
       - id: metadata
         run: |
           datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
           echo "nodejs_version=$(grep nodejs .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep python .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "terraform_version=$(grep terraform .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
   scan-secrets:
     uses: ./.github/workflows/scan-secrets.yaml
@@ -36,6 +37,8 @@ jobs:
     uses: ./.github/workflows/check-terraform-format.yaml
   cloc-repository:
     uses: ./.github/workflows/cloc-repository.yaml
+  scan-dependencies:
+    uses: ./.github/workflows/scan-dependencies.yaml
   cicd-pipeline-test:
     runs-on: ubuntu-latest
     needs:
@@ -46,6 +49,7 @@ jobs:
         check-markdown-format,
         check-terraform-format,
         cloc-repository,
+        scan-dependencies,
       ]
     timeout-minutes: 10
     permissions:
@@ -66,6 +70,9 @@ jobs:
           export BUILD_DATETIME="${{ needs.get-metadata.outputs.build_datetime }}"
           export BUILD_TIMESTAMP="${{ needs.get-metadata.outputs.build_timestamp }}"
           export BUILD_EPOCH="${{ needs.get-metadata.outputs.build_epoch }}"
+          export NODEJS_VERSION="${{ needs.get-metadata.outputs.nodejs_version }}"
+          export PYTHON_VERSION="${{ needs.get-metadata.outputs.python_version }}"
+          export TERRAFORM_VERSION="${{ needs.get-metadata.outputs.terraform_version }}"
           make list-variables
       - name: Test Terraform
         run: |
@@ -89,6 +96,9 @@ jobs:
           export BUILD_DATETIME="${{ needs.get-metadata.outputs.build_datetime }}"
           export BUILD_TIMESTAMP="${{ needs.get-metadata.outputs.build_timestamp }}"
           export BUILD_EPOCH="${{ needs.get-metadata.outputs.build_epoch }}"
+          export NODEJS_VERSION="${{ needs.get-metadata.outputs.nodejs_version }}"
+          export PYTHON_VERSION="${{ needs.get-metadata.outputs.python_version }}"
+          export TERRAFORM_VERSION="${{ needs.get-metadata.outputs.terraform_version }}"
           make list-variables
       - name: Setup Node
         uses: actions/setup-node@v3

.github/workflows/scan-dependencies.yaml

@@ -0,0 +1,29 @@
+name: Scan Dependencies
+
+on:
+  workflow_call:
+
+jobs:
+  scan-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: |
+          ./scripts/sbom-generator.sh
+      - uses: actions/upload-artifact@v3
+        with:
+          name: sbom-spdx.json
+          path: ./sbom-spdx.json
+      - run: |
+          ./scripts/cve-scanner.sh
+      - uses: actions/upload-artifact@v3
+        with:
+          name: cve-scan.json
+          path: ./cve-scan.json
+      # - uses: aws-actions/configure-aws-credentials@v2
+      #   with:
+      #     role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ vars.AWS_ROLE_NAME }}
+      #     aws-region: ${{ vars.AWS_REGION }}
+      # - run: |
+      #     aws s3 cp ./sbom-spdx.json s3://?
+      #     aws s3 cp ./cve-scan.json s3://?

.github/workflows/scan-secrets.yaml

@@ -4,12 +4,12 @@ on:
   workflow_call:
 
 jobs:
-  secret-scan:
+  scan-secrets:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - run: |
           export ALL_FILES=true
-          ./scripts/githooks/secret-scan-pre-commit.sh
+          ./scripts/githooks/scan-secrets.sh

.tool-versions

@@ -1,2 +1,3 @@
 nodejs 20.3.0
 terraform 1.5.0
+pre-commit 3.3.3

Makefile

@@ -1,3 +1,5 @@
+include ./scripts/init.mk
+
 example-build: # Build example project
 	cd examples/react-app
 	yarn install
@@ -10,50 +12,10 @@ example-upload: # Upload example files - mandatory: AWS_S3_BUCKET_NAME=[AWS S3 b
 config: # Configure development environment
 	make githooks-install
 	make \
-		node-install \
+		nodejs-install \
 		terraform-install \
 	||:
 
-githooks-install: # Install git hooks configured in this repository
-	echo "./scripts/githooks/pre-commit" > .git/hooks/pre-commit
-	chmod +x .git/hooks/pre-commit
-
-terraform-install: # Install Terraform
-	asdf plugin add terraform ||:
-	asdf install terraform
-
-node-install: # Install Node.js
-	asdf plugin add nodejs ||:
-	asdf install nodejs
-
-# ==============================================================================
-
-help: # List Makefile targets
-	@awk 'BEGIN {FS = ":.*?# "} /^[ a-zA-Z0-9_-]+:.*? # / {printf "\033[36m%-41s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) | sort
-
-list-variables: # List all the variables available to make
-	@$(foreach v, $(sort $(.VARIABLES)),
-		$(if $(filter-out default automatic, $(origin $v)),
-			$(if $(and $(patsubst %_PASSWORD,,$v), $(patsubst %_PASS,,$v), $(patsubst %_KEY,,$v), $(patsubst %_SECRET,,$v)),
-				$(info $v=$($v) ($(value $v)) [$(flavor $v),$(origin $v)]),
-				$(info $v=****** (******) [$(flavor $v),$(origin $v)])
-			)
-		)
-	)
-
-.DEFAULT_GOAL := help
-.EXPORT_ALL_VARIABLES:
-.NOTPARALLEL:
-.ONESHELL:
-.PHONY: *
-MAKEFLAGS := --no-print-director
-SHELL := /bin/bash
-ifeq (true, $(shell [[ "$(VERBOSE)" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$$ ]] && echo true))
-	.SHELLFLAGS := -cex
-else
-	.SHELLFLAGS := -ce
-endif
-
 .SILENT: \
 	config \
 	githooks-install

scripts/cloc-repository.sh

@@ -13,7 +13,8 @@ set -e
 
 # ==============================================================================
 
-image_version=latest
+# SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc, use the `linux/amd64` os/arch
+image_version=latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032
 
 # ==============================================================================
 

scripts/config/.gitleaks.toml

@@ -0,0 +1,19 @@
+# SEE: https://github.com/gitleaks/gitleaks/#configuration
+
+[extend]
+useDefault = true # SEE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
+
+[[rules]]
+description = "IPv4"
+id = "ipv4"
+regex = '''[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'''
+
+[rules.allowlist]
+regexTarget = "match"
+regexes = [
+  # Exclude the private network IPv4 addresses as well as the DNS servers for Google and OpenDNS
+  '''(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0|255\.255\.255\.255|8\.8\.8\.8|8\.8\.4\.4|208\.67\.222\.222|208\.67\.220\.220)''',
+]
+
+[allowlist]
+files = ['.terraform.lock.hcl', 'poetry.lock', 'yarn.lock']

scripts/config/.grype.yaml

@@ -0,0 +1,19 @@
+# If using SBOM input, automatically generate CPEs when packages have none
+add-cpes-if-none: true
+
+# ignore:
+#   # This is the full set of supported rule fields:
+#   - vulnerability: CVE-2008-4318
+#     fix-state: unknown
+#     package:
+#       name: libcurl
+#       version: 1.5.1
+#       type: npm
+#       location: "/usr/local/lib/node_modules/**"
+
+#   # We can make rules to match just by vulnerability ID:
+#   - vulnerability: CVE-2014-54321
+
+#   # ...or just by a single package field:
+#   - package:
+#       type: gem

scripts/config/.pre-commit.yaml

@@ -0,0 +1,29 @@
+repos:
+- repo: local
+  hooks:
+  - id: scan-secrets
+    name: Scan Secrets
+    entry: ./scripts/githooks/scan-secrets.sh
+    language: script
+    pass_filenames: false
+- repo: local
+  hooks:
+  - id: check-file-format
+    name: Check File Format
+    entry: ./scripts/githooks/check-file-format.sh
+    language: script
+    pass_filenames: false
+- repo: local
+  hooks:
+  - id: check-markdown-format
+    name: Check Markdown Format
+    entry: ./scripts/githooks/check-markdown-format.sh
+    language: script
+    pass_filenames: false
+- repo: local
+  hooks:
+  - id: check-terraform-format
+    name: Check Terraform Format
+    entry: ./scripts/githooks/check-terraform-format.sh
+    language: script
+    pass_filenames: false

scripts/config/.syft.yaml

@@ -0,0 +1,83 @@
+# a list of globs to exclude from scanning. same as --exclude ; for example:
+# exclude:
+#   - "/etc/**"
+#   - "./out/**/*.json"
+exclude:
+  - ./.git/**
+
+# maximum number of workers used to process the list of package catalogers in parallel
+parallelism: 3
+
+# cataloging packages is exposed through the packages and power-user subcommands
+package:
+  # search within archives that do contain a file index to search against (zip)
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
+  search-indexed-archives: true
+  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
+  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
+  search-unindexed-archives: true
+  cataloger:
+    # enable/disable cataloging of packages
+    # SYFT_PACKAGE_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for packages (options: all-layers, squashed)
+    # same as -s ; SYFT_PACKAGE_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+# cataloging file contents is exposed through the power-user subcommand
+file-contents:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_FILE_CONTENTS_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_FILE_CONTENTS_CATALOGER_SCOPE env var
+    scope: "squashed"
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+  # file globs for the cataloger to match on
+  # SYFT_FILE_CONTENTS_GLOBS env var
+  globs: []
+
+# cataloging file metadata is exposed through the power-user subcommand
+file-metadata:
+  cataloger:
+    # enable/disable cataloging of file metadata
+    # SYFT_FILE_METADATA_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for file metadata (options: all-layers, squashed)
+    # SYFT_FILE_METADATA_CATALOGER_SCOPE env var
+    scope: "squashed"
+  # the file digest algorithms to use when cataloging files (options: "sha256", "md5", "sha1")
+  # SYFT_FILE_METADATA_DIGESTS env var
+  digests: ["sha256"]
+
+# cataloging secrets is exposed through the power-user subcommand
+secrets:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_SECRETS_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_SECRETS_CATALOGER_SCOPE env var
+    scope: "all-layers"
+  # show extracted secret values in the final JSON report
+  # SYFT_SECRETS_REVEAL_VALUES env var
+  reveal-values: false
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_SECRETS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+  # name-regex pairs to consider when searching files for secrets. Note: the regex must match single line patterns
+  # but may also have OPTIONAL multiline capture groups. Regexes with a named capture group of "value" will
+  # use the entire regex to match, but the secret value will be assumed to be entirely contained within the
+  # "value" named capture group.
+  additional-patterns: {}
+  # names to exclude from the secrets search, valid values are: "aws-access-key", "aws-secret-key", "pem-private-key",
+  # "docker-config-auth", and "generic-api-key". Note: this does not consider any names introduced in the
+  # "secrets.additional-patterns" config option.
+  # SYFT_SECRETS_EXCLUDE_PATTERN_NAMES env var
+  exclude-pattern-names: []

scripts/cve-scanner.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+# Script to scan an SBOM file for CVEs (Common Vulnerabilities and Exposures).
+#
+# Usage:
+#   $ ./cve-scanner.sh
+#
+# Options:
+#   VERBOSE=true  # Show all the executed commands, default is `false`
+
+# ==============================================================================
+
+# SEE: https://github.com/anchore/grype/pkgs/container/grype, use the `linux/amd64` os/arch
+image_version=v0.63.1@sha256:124447c7abae54d6fdad2d3a18c9c71d88af46404c55437c3acbf6dde524c417
+
+# ==============================================================================
+
+function main() {
+
+  docker run --rm --platform linux/amd64 \
+    --volume $PWD:/scan \
+    ghcr.io/anchore/grype:$image_version \
+      sbom:/scan/sbom-spdx.json \
+      --config /scan/scripts/config/.grype.yaml \
+      --output json \
+      --file=/scan/cve-scan.json
+}
+
+function is_arg_true() {
+
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# ==============================================================================
+
+is_arg_true "$VERBOSE" && set -x
+
+main $*
+
+exit 0