New: [AEA-6316] - Adds EPS Storage Terraform Project Image

.gitignore

@@ -3,3 +3,4 @@ node_modules/
 src/base/.devcontainer/language_versions/
 .trivyignore_combined.yaml
 .out/
+.envrc

README.md

@@ -62,9 +62,9 @@ USER root
 # specify DOCKER_GID to force container docker group id to match host
 RUN if [ -n "${DOCKER_GID}" ]; then \
     if ! getent group docker; then \
-    groupadd -g ${DOCKER_GID} docker; \
+    groupadd -g "${DOCKER_GID}" docker; \
     else \
-    groupmod -g ${DOCKER_GID} docker; \
+    groupmod -g "${DOCKER_GID}" docker; \
     fi && \
     usermod -aG docker vscode; \
     fi
@@ -108,40 +108,26 @@ IMAGE_NAME and IMAGE_VERSION should be changed as appropriate.
 You should not need to add any features as these are already baked into the image
 
 ## Getting image name and version in GitHub Actions
-This job should be used in GitHub Actions wherever you need to get the dev container name or tag
+This shared workflow should be used in GitHub Actions wherever you need to get the dev container name or tag.
+
+verify_published_from_main_image should be set to false for testing pull request images.
 
 ```
   get_config_values:
-    runs-on: ubuntu-22.04
-    outputs:
-      devcontainer_image_name: ${{ steps.load-config.outputs.DEVCONTAINER_IMAGE_NAME }}
-      devcontainer_image_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      - name: Load config value
-        id: load-config
-        run: |
-          DEVCONTAINER_IMAGE_NAME=$(jq -r '.build.args.IMAGE_NAME' .devcontainer/devcontainer.json)
-          DEVCONTAINER_IMAGE_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
-          echo "DEVCONTAINER_IMAGE_NAME=$DEVCONTAINER_IMAGE_NAME" >> "$GITHUB_OUTPUT"
-          echo "DEVCONTAINER_IMAGE_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT"
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+    with:
+      verify_published_from_main_image: false
 ```
 ## Using images in GitHub Actions
 To use the image in GitHub Actions, you should first verify the attestation of the image and reference the image by the digest
 For CI and release pipelines, you should set verify_published_from_main_image to ensure that only images published from main are used.   
 ```
 jobs:
-  verify_attestation:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/verify-attestation.yml@<latest published version>
-    with:
-      runtime_docker_image: "${{ inputs.runtime_docker_image }}"
-      verify_published_from_main_image: false
   my_job_name:
     runs-on: ubuntu-22.04
-    needs: verify_attestation
+    needs: get_config_values
     container:
-      image: ${{ needs.verify_attestation.outputs.pinned_image }}
+      image: ${{ needs.get_config_values.outputs.pinned_image }}
       options: --user 1001:1001 --group-add 128
     defaults:
       run:
@@ -153,7 +139,6 @@ jobs:
       ... other steps ....
 ```
 It is important that:
-- the image specified uses the tag starting githubactions-
 - there is `options: --user 1001:1001 --group-add 128` below image to ensure it uses the correct user id and is added to the docker group
 - the default shell is set to be bash
 - the first step copies .tool-versions from /home/vscode to $HOME/.tool-versions

src/common/.trivyignore.yaml

@@ -2,28 +2,44 @@ vulnerabilities:
   - id: CVE-2024-35870
     statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
     purls:
-      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2024-53179
     statement: "kernel: smb: client: fix use-after-free of signing key"
     purls:
-      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2025-37849
     statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation"
     purls:
-      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2025-37899
     statement: "kernel: ksmbd: fix use-after-free in session logoff"
     purls:
-      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2025-38118
     statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
     purls:
-      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
+  - id: CVE-2026-23111
+    statement: "kernel: Kernel: Privilege escalation or denial of service in nf_tables via inverted element activity check"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-26
+  - id: CVE-2025-61594
+    statement: "uri: URI module: Credential exposure via URI + operator"
+    purls:
+      - "pkg:gem/uri@0.13.0"
+    expired_at: 2026-08-26
   - id: CVE-2026-26007
     statement: "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves"
     purls:

src/projects/eps-storage-terraform/.devcontainer/.tool-versions

@@ -0,0 +1 @@
+terraform 1.14.2

src/projects/eps-storage-terraform/.devcontainer/Dockerfile

@@ -0,0 +1,39 @@
+ARG BASE_VERSION_TAG=latest
+ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION_TAG}
+
+FROM ${BASE_IMAGE}
+
+ARG SCRIPTS_DIR=/usr/local/share/eps
+ARG CONTAINER_NAME
+ARG MULTI_ARCH_TAG
+ARG BASE_VERSION_TAG
+ARG IMAGE_TAG
+ARG TARGETARCH
+
+ENV SCRIPTS_DIR=${SCRIPTS_DIR}
+ENV CONTAINER_NAME=${CONTAINER_NAME}
+ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
+ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
+ENV IMAGE_TAG=${IMAGE_TAG}
+ENV TARGETARCH=${TARGETARCH}
+
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
+LABEL org.opencontainers.image.version=${IMAGE_TAG}
+LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
+
+USER root
+COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+RUN ./root_install.sh
+
+USER vscode
+
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+COPY .tool-versions /tmp/.tool-versions
+RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
+
+RUN ./vscode_install.sh
+
+# Switch back to root to install the devcontainer CLI globally
+USER root

src/projects/eps-storage-terraform/.devcontainer/devcontainer.json

@@ -0,0 +1,18 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+    "name": "EPS Devcontainer node_24 python_3.13",
+    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+    "build": {
+      "dockerfile": "Dockerfile",
+      "args": {
+        "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
+        "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
+        "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
+        "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
+      },
+      "context": "."
+    },
+    "features": {}
+  }
+

src/projects/eps-storage-terraform/.devcontainer/scripts/root_install.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -e
+
+# clean up
+apt-get clean
+rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

src/projects/eps-storage-terraform/.devcontainer/scripts/vscode_install.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+# install terraform using asdf
+asdf plugin add terraform
+asdf install

src/projects/eps-storage-terraform/.trivyignore.yaml

@@ -0,0 +1,107 @@
+vulnerabilities:
+  - id: CVE-2022-25235
+    statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-12
+  - id: CVE-2022-25236
+    statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-12
+  - id: CVE-2022-26485
+    statement: "Mozilla: Use-after-free in XSLT parameter processing"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-12
+  - id: CVE-2022-26486
+    statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-12
+  - id: CVE-2026-25547
+    statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"
+    purls:
+      - "pkg:npm/%40isaacs/brace-expansion@5.0.0"
+    expired_at: 2026-08-12
+  - id: CVE-2025-64756
+    statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames"
+    purls:
+      - "pkg:npm/glob@10.4.5"
+      - "pkg:npm/glob@11.0.3"
+    expired_at: 2026-08-12
+  - id: CVE-2026-23745
+    statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives"
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-08-12
+  - id: CVE-2026-23950
+    statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition"
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-08-12
+  - id: CVE-2026-24842
+    statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check"
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-08-12
+  - id: CVE-2022-25235
+    statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-13
+  - id: CVE-2022-25236
+    statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-13
+  - id: CVE-2022-26485
+    statement: "Mozilla: Use-after-free in XSLT parameter processing"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-13
+  - id: CVE-2022-26486
+    statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-13
+  - id: CVE-2022-25235
+    statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-25236
+    statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-26485
+    statement: "Mozilla: Use-after-free in XSLT parameter processing"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-26486
+    statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-25235
+    statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-25236
+    statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-26485
+    statement: "Mozilla: Use-after-free in XSLT parameter processing"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16
+  - id: CVE-2022-26486
+    statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+    purls:
+      - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-08-16

src/projects/eps-storage-terraform/trivy.yaml

@@ -0,0 +1 @@
+ignorefile: "src/projects/eps-storage-terraform/.trivyignore_combined.yaml"

src/projects/fhir_facade_api/.trivyignore.yaml

@@ -3,21 +3,29 @@ vulnerabilities:
     statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
     purls:
       - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2022-25236
     statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
     purls:
       - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2022-26485
     statement: "Mozilla: Use-after-free in XSLT parameter processing"
     purls:
       - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2022-26486
     statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
     purls:
       - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=arm64&distro=ubuntu-22.04"
+      - "pkg:deb/ubuntu/firefox@148.0%2Bbuild1-0ubuntu0.22.04.1~mt2?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-08-12
   - id: CVE-2026-25547
     statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"