Initial commit

.devcontainer/devcontainer-lock.json

@@ -0,0 +1,22 @@
+{
+ "features": {
+ "ghcr.io/devcontainers/features/docker-in-docker:2": {
+ "version": "2.10.2",
+ "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c",
+ "integrity": "sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c"
+ },
+ "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test:0": {
+ "version": "0.0.2",
+ "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test@sha256:a0d81a6b8be5deae2fc41edf007a8f0efe794b4ebf0880265643b4a06edf16c6",
+ "integrity": "sha256:a0d81a6b8be5deae2fc41edf007a8f0efe794b4ebf0880265643b4a06edf16c6",
+ "dependsOn": [
+ "ghcr.io/devcontainers/features/docker-in-docker:2"
+ ]
+ },
+ "ghcr.io/ministryofjustice/devcontainer-feature/static-analysis:0": {
+ "version": "0.0.3",
+ "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/static-analysis@sha256:81efa45affc66c168d273817f6f86a64f90715e9482eb7f6e3b33af006a2236c",
+ "integrity": "sha256:81efa45affc66c168d273817f6f86a64f90715e9482eb7f6e3b33af006a2236c"
+ }
+ }
+}

.devcontainer/devcontainer.json

@@ -0,0 +1,18 @@
+{
+ "name": "analytical-platform-image-build-template",
+ "image": "ghcr.io/ministryofjustice/devcontainer-base:latest",
+ "features": {
+ "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+ "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test:0": {},
+ "ghcr.io/ministryofjustice/devcontainer-feature/static-analysis:0": {}
+ },
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "EditorConfig.EditorConfig",
+ "GitHub.vscode-github-actions",
+ "GitHub.vscode-pull-request-github"
+ ]
+ }
+ }
+}

.editorconfig

@@ -0,0 +1,23 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# This file is autogenerated
+[.devcontainer/devcontainer-lock.json]
+end_of_line = unset
+insert_final_newline = unset
+
+[*.json]
+indent_style = space
+indent_size = 2
+
+[*.sh]
+indent_style = space
+indent_size = 2
+
+[*.yml]
+indent_style = space
+indent_size = 2

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @ministryofjustice/analytical-platform

.github/dependabot.yml

@@ -0,0 +1,16 @@
+---
+version: 2
+
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ - package-ecosystem: "devcontainers"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ - package-ecosystem: "docker"
+ directory: "/"
+ schedule:
+ interval: "daily"

.github/workflows/build-and-test.yml

@@ -0,0 +1,30 @@
+---
+name: Build and Test
+
+on:
+ pull_request:
+ branches:
+ - main
+
+permissions: {}
+
+jobs:
+ build-and-test:
+ name: Build and Test
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+ - name: Set Up Container Structure Test
+ id: setup_container_structure_test
+ uses: ministryofjustice/github-actions/setup-container-structure-test@bdab1cff6d23336b6d5adc662fb57af72f0ae160 # v17.1.0
+
+ - name: Build and Test
+ id: build_and_test
+ shell: bash
+ run: |
+ make test

.github/workflows/dependency-review.yml

@@ -0,0 +1,28 @@
+---
+name: Dependency Review
+
+on:
+ pull_request:
+ types:
+ - edited
+ - opened
+ - reopened
+ - synchronize
+
+permissions: {}
+
+jobs:
+ dependency-review:
+ name: Dependency Review
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
+ with:
+ fail-on-severity: critical

.github/workflows/release.yml

@@ -0,0 +1,55 @@
+---
+name: Release
+
+on:
+ push:
+ tags:
+ - "*"
+
+permissions: {}
+
+jobs:
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+ - name: Install cosign
+ id: install_cosign
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+ - name: Log in to GitHub Container Registry
+ id: login_ghcr
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and Push
+ id: build_and_push
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+ with:
+ push: true
+ tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
+
+ - name: Sign
+ id: sign
+ shell: bash
+ run: |
+ cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }}
+
+ - name: Verify
+ id: verify
+ run: |
+ cosign verify \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/tags/${{ github.ref_name }} \
+ ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }}

.github/workflows/scan-image.yml

@@ -0,0 +1,57 @@
+---
+name: Scan Image
+
+on:
+ pull_request:
+ branches:
+ - main
+
+permissions: {}
+
+jobs:
+ scan-image:
+ name: Scan Image
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+ - name: Build Image
+ id: build_image
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+ with:
+ push: false
+ load: true
+ tags: analytical-platform-image-build-template
+
+ - name: Scan Image
+ id: scan_image
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
+ with:
+ image-ref: analytical-platform-image-build-template
+ exit-code: 1
+ format: sarif
+ output: trivy-results.sarif
+ severity: CRITICAL
+ limit-severities-for-sarif: true
+
+ - name: Upload SARIF
+ if: always()
+ id: upload_sarif
+ uses: github/codeql-action/upload-sarif@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0
+ with:
+ sarif_file: trivy-results.sarif
+
+ - name: Scan Image (On SARIF Scan Failure)
+ if: failure() && steps.scan_image.outcome == 'failure'
+ id: scan_image_on_failure
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
+ with:
+ image-ref: analytical-platform-image-build-template
+ exit-code: 1
+ format: table
+ severity: CRITICAL

.github/workflows/super-linter.yml

@@ -0,0 +1,35 @@
+---
+name: Super-Linter
+
+on:
+ pull_request:
+ branches:
+ - main
+ types:
+ - edited
+ - opened
+ - reopened
+ - synchronize
+
+permissions: {}
+
+jobs:
+ super-linter:
+ name: Super-Linter
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ statuses: write
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ fetch-depth: 0
+
+ - name: Run Super-Linter
+ id: super_linter
+ uses: super-linter/super-linter/slim@92e2606383320f72e6129f8a50d8537cf9c84ed6 # v6.3.1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+

.gitignore

@@ -0,0 +1,10 @@
+.env
+.terraform/
+coverage/
+venv/
+env/
+.DS_STORE
+.vscode
+*.code-workspace
+*.sha256
+terraform.tfstate

Dockerfile

@@ -0,0 +1,49 @@
+# checkov:skip=CKV_DOCKER_2:Healthcheck instructions have not been added to container images
+# This image is an example base image for this template and can be replaced to fit user needs
+FROM public.ecr.aws/ubuntu/ubuntu@sha256:12fb86d81bc4504d8261a91c83c54b9e5dcdf1d833ba0fe42ec9e0ee09a2b0ba
+
+LABEL org.opencontainers.image.vendor="Ministry of Justice" \
+ org.opencontainers.image.authors="Analytical Platform ([email protected])"\
+ org.opencontainers.image.title="{image title}" \
+ org.opencontainers.image.description="{decription}" \
+ org.opencontainers.image.url="{your repo url}"
+
+ENV CONTAINER_USER="analyticalplatform" \
+ CONTAINER_UID="1000" \
+ CONTAINER_GROUP="analyticalplatform" \
+ CONTAINER_GID="1000" \
+ DEBIAN_FRONTEND="noninteractive"
+
+SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
+
+# User
+RUN <<EOF
+groupadd \
+ --gid ${CONTAINER_GID} \
+ ${CONTAINER_GROUP}
+
+useradd \
+ --uid ${CONTAINER_UID} \
+ --gid ${CONTAINER_GROUP} \
+ --create-home \
+ --shell /bin/bash \
+ ${CONTAINER_USER}
+EOF
+
+# Base
+RUN <<EOF
+apt-get update --yes
+
+apt-get install --yes \
+ "apt-transport-https=2.4.12" \
+ "curl=7.81.0-1ubuntu1.16"
+
+apt-get clean --yes
+
+rm --force --recursive /var/lib/apt/lists/*
+EOF
+
+USER ${CONTAINER_USER}
+
+WORKDIR /home/${CONTAINER_USER}
+

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Crown Copyright (Ministry of Justice)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,18 @@
+IMAGE_NAME = ghcr.io/ministryofjustice/analytical-platform-image-build-template:latest
+
+test: build
+ container-structure-test test --config test/container-structure-test.yml --image $(IMAGE_NAME)
+
+scan: build
+ trivy image --vuln-type os,library --severity CRITICAL --exit-code 1 $(IMAGE_NAME)
+
+build:
+ @ARCH=`uname -m`; \
+ case $$ARCH in \
+ aarch64 | arm64) \
+ echo "Building on $$ARCH architecture"; \
+ docker build --platform linux/amd64 --file Dockerfile --tag $(IMAGE_NAME) . ;; \
+ *) \
+ echo "Building on $$ARCH architecture"; \
+ docker build --file Dockerfile --tag $(IMAGE_NAME) . ;; \
+ esac