ministryofjustice · jamesrwarren · Feb 4, 2025 · Jan 21, 2025 · Jan 22, 2025 · Jan 30, 2025
@@ -41,3 +41,20 @@ jobs:
         id: package-checks-api
         run: python audit-composer-packages.py api.json
         working-directory: scripts/package-audit
+
+      - name: run linting on all our Dockerfiles
+        id: hadolint
+        run: |
+          find . -type f -name "*Dockerfile*" -exec sh -c 'for file; \
+          do echo "Processing $file"; \
+          docker run --rm -i -v ./hadolint.yaml:/.config/hadolint.yaml \
+          hadolint/hadolint < "$file"; \
+          done' sh {} +
+
+          if [ $? -ne 0 ]; then
+              echo "==== Dockerfile Linting Failure. Errors found ===="
+              exit 1
+          else
+              echo "==== Dockerfile Linting Success. No errors ===="
+              exit 0
+          fi
@@ -117,9 +117,9 @@ jobs:
       - api_unit_tests_2
       - api_unit_tests_3
 
-  miscellaneous_unit_tests:
-    name: miscellaneous unit tests
-    uses: ./.github/workflows/_unit-tests-miscellaneous.yml
+  miscellaneous_tests:
+    name: miscellaneous tests
+    uses: ./.github/workflows/_tests-miscellaneous.yml
     needs:
       - workflow_variables
 
@@ -144,7 +144,7 @@ jobs:
       - workflow_variables
       - terraform_apply_account_development
       - docker_build_scan_push
-      - miscellaneous_unit_tests
+      - miscellaneous_tests
       - client_unit_tests
       - api_unit_tests_1
       - api_unit_tests_2

@@ -139,24 +139,24 @@ jobs:
       - workflow_variables
       - build_web_resources
 
+  miscellaneous_tests:
+    name: miscellaneous tests
+    uses: ./.github/workflows/_tests-miscellaneous.yml
+    needs:
+      - workflow_variables
+
   codecov:
     name: upload to codecov
     uses: ./.github/workflows/_codecov.yml
     secrets:
       codecov_token: ${{ secrets.CODECOV_TOKEN }}
     needs:
       - client_unit_tests
-      - miscellaneous_unit_tests
+      - miscellaneous_tests
       - api_unit_tests_1
       - api_unit_tests_2
       - api_unit_tests_3
 
-  miscellaneous_unit_tests:
-    name: miscellaneous unit tests
-    uses: ./.github/workflows/_unit-tests-miscellaneous.yml
-    needs:
-      - workflow_variables
-
   terraform_plan_account_development:
     name: account plan terraform development
     uses: ./.github/workflows/_run-terraform.yml

@@ -23,6 +23,6 @@ RUN npm -g config set user root
 
 ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD = false
 
-RUN npm install -g pa11y-ci
+RUN npm install -g pa11y-ci@3.1.0
 
 COPY .pa11yci .
@@ -95,20 +95,20 @@ RUN mkdir certs && chmod 755 certs && wget -O certs/eu-west-1-bundle.pem https:/
 
 FROM application AS ci-tests
 # We use this setup for certain commands as part of the CI processing of unit tests
-CMD confd -onetime -backend env \
+CMD ["sh", "-c", "confd -onetime -backend env \
     && waitforit -address=tcp://$DATABASE_HOSTNAME:$DATABASE_PORT -timeout=$TIMEOUT \
     && php app/console doctrine:migrations:migrate --allow-no-migration --no-interaction \
     && php app/console doctrine:migrations:up-to-date \
-    && php-fpm
+    && php-fpm"]
 
 FROM application AS production
 COPY scripts/hardening/harden.sh /harden.sh
 RUN /harden.sh www-data && rm /harden.sh
 
 USER www-data
 
-CMD confd -onetime -backend env \
+CMD ["sh", "-c", "confd -onetime -backend env \
     && waitforit -address=tcp://$DATABASE_HOSTNAME:$DATABASE_PORT -timeout=$TIMEOUT \
     && php app/console doctrine:migrations:migrate --allow-no-migration --no-interaction \
     && php app/console doctrine:migrations:up-to-date \
-    && php-fpm
+    && php-fpm"]
@@ -1,28 +1,39 @@
 FROM nginxinc/nginx-unprivileged:stable-alpine
+
 USER root
 
-RUN apk update && apk upgrade
+WORKDIR /www/data
+
+# Install dependencies
+RUN apk --no-cache upgrade
+RUN apk --no-cache add wget libcap
 
 # Add Confd to configure nginx on start
 ENV CONFD_VERSION="0.16.0"
-RUN wget -q -O /usr/local/bin/confd "https://github.com/kelseyhightower/confd/releases/download/v${CONFD_VERSION}/confd-${CONFD_VERSION}-linux-amd64" \
-  && chmod +x /usr/local/bin/confd
+ADD https://github.com/kelseyhightower/confd/releases/download/v${CONFD_VERSION}/confd-${CONFD_VERSION}-linux-amd64 /usr/local/bin/confd
+RUN chmod +x /usr/local/bin/confd
 
 # Add Waitforit to wait on app starting
 ENV WAITFORIT_VERSION="v2.4.1"
-RUN wget -q -O /usr/local/bin/waitforit https://github.com/maxclaus/waitforit/releases/download/$WAITFORIT_VERSION/waitforit-linux_amd64 \
-  && chmod +x /usr/local/bin/waitforit
+ADD https://github.com/maxclaus/waitforit/releases/download/${WAITFORIT_VERSION}/waitforit-linux_amd64 /usr/local/bin/waitforit
+RUN chmod +x /usr/local/bin/waitforit
+
+COPY --chown=nginx client/docker/web/confd /etc/confd
+COPY --chown=nginx client/resources/public/ /www/data/public/
 
-COPY --chown=nginx api/docker/web/confd /etc/confd
+# Enable nginx to listen on privileged ports
+RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx && apk del libcap
 
-RUN apk --no-cache add libcap && \
-    setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx && \
-    apk del libcap
+# Copy and secure health-check script
+RUN mkdir /opt/scripts
+COPY client/docker/web/health-check.sh /opt/scripts/health-check.sh
+RUN chown nginx:nginx /opt/scripts/health-check.sh && chmod 550 /opt/scripts/health-check.sh
 
-COPY scripts/hardening/harden-nginx.sh /harden-nginx.sh
-RUN /harden-nginx.sh && rm /harden-nginx.sh
+# Harden nginx security
+COPY scripts/hardening/harden-nginx.sh /opt/scripts/harden-nginx.sh
+RUN /opt/scripts/harden-nginx.sh && rm /opt/scripts/harden-nginx.sh
 
 USER nginx
 
-CMD confd -onetime -backend env \
-  && nginx -g "daemon off;"
+# Start services
+CMD ["sh", "-c", "confd -onetime -backend env && nginx -g 'daemon off;'"]
@@ -2,7 +2,7 @@ server {
     listen     80 default_server;
     server_name   _;
     server_tokens off;
-    root /public;
+    root /www/data/public;
 
     ## Headers
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
@@ -18,7 +18,7 @@ server {
     client_body_timeout 240s;
 
     location / {
-        root    /public;
+        root    /www/data/public;
 
         # cache static assets for 90 days
         location ~* \.(css|jpg|js|png|ico|jpeg|woff2|woff)$ {

@@ -98,14 +98,14 @@ RUN su-exec www-data php -d memory_limit=-1 app/console cache:warmup
 
 FROM application as ci-tests
 # We use this setup for certain commands as part of the CI processing of unit tests
-CMD confd -onetime -backend env \
-    && php-fpm
+CMD ["sh", "-c", "confd -onetime -backend env \
+    && php-fpm"]
 
 FROM application as production
 COPY scripts/hardening/harden.sh /harden.sh
 RUN /harden.sh www-data && rm /harden.sh
 
 USER www-data
 
-CMD confd -onetime -backend env \
-    && php-fpm
+CMD ["sh", "-c", "confd -onetime -backend env \
+    && php-fpm"]
@@ -1,2 +1,3 @@
+# hadolint ignore=DL3007
 FROM client-webserver:latest
 COPY client/docker/app/extra/robots.txt /public/robots.txt
@@ -13,6 +13,7 @@ RUN npm audit --production
 RUN NODE_ENV=production npm run build
 
 FROM node-base as testing
+# hadolint ignore=DL3016
 RUN npm install -g jest jest-environment-jsdom
 RUN npm run build
 

@@ -1,33 +1,39 @@
 FROM nginxinc/nginx-unprivileged:stable-alpine
+
 USER root
 
-RUN apk upgrade && \
-  apk update curl
+WORKDIR /www/data
+
+# Install dependencies
+RUN apk --no-cache upgrade
+RUN apk --no-cache add wget libcap
 
 # Add Confd to configure nginx on start
 ENV CONFD_VERSION="0.16.0"
-RUN wget -q -O /usr/local/bin/confd "https://github.com/kelseyhightower/confd/releases/download/v${CONFD_VERSION}/confd-${CONFD_VERSION}-linux-amd64" \
-  && chmod +x /usr/local/bin/confd
+ADD https://github.com/kelseyhightower/confd/releases/download/v${CONFD_VERSION}/confd-${CONFD_VERSION}-linux-amd64 /usr/local/bin/confd
+RUN chmod +x /usr/local/bin/confd
 
 # Add Waitforit to wait on app starting
 ENV WAITFORIT_VERSION="v2.4.1"
-RUN wget -q -O /usr/local/bin/waitforit https://github.com/maxclaus/waitforit/releases/download/$WAITFORIT_VERSION/waitforit-linux_amd64 \
-  && chmod +x /usr/local/bin/waitforit
+ADD https://github.com/maxclaus/waitforit/releases/download/${WAITFORIT_VERSION}/waitforit-linux_amd64 /usr/local/bin/waitforit
+RUN chmod +x /usr/local/bin/waitforit
 
 COPY --chown=nginx client/docker/web/confd /etc/confd
-COPY --chown=nginx client/resources/public/ public/
+COPY --chown=nginx client/resources/public/ /www/data/public/
 
-RUN apk --no-cache add libcap && \
-    setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx && \
-    apk del libcap
+# Enable nginx to listen on privileged ports
+RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx && apk del libcap
 
-COPY client/docker/web/health-check.sh /health-check.sh
-RUN chown nginx:nginx /health-check.sh && chmod 550 /health-check.sh
+# Copy and secure health-check script
+RUN mkdir /opt/scripts
+COPY client/docker/web/health-check.sh /opt/scripts/health-check.sh
+RUN chown nginx:nginx /opt/scripts/health-check.sh && chmod 550 /opt/scripts/health-check.sh
 
-COPY scripts/hardening/harden-nginx.sh /harden-nginx.sh
-RUN /harden-nginx.sh && rm /harden-nginx.sh
+# Harden nginx security
+COPY scripts/hardening/harden-nginx.sh /opt/scripts/harden-nginx.sh
+RUN /opt/scripts/harden-nginx.sh && rm /opt/scripts/harden-nginx.sh
 
 USER nginx
 
-CMD confd -onetime -backend env \
-  && nginx -g "daemon off;"
+# Start services
+CMD ["sh", "-c", "confd -onetime -backend env && nginx -g 'daemon off;'"]
@@ -2,7 +2,7 @@ server {
     listen     80 default_server;
     server_name   _;
     server_tokens off;
-    root /public;
+    root /www/data/public;
 
     ## Headers
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

@@ -2,9 +2,9 @@ FROM python:3.12-alpine3.20
 
 COPY requirements.txt /requirements.txt
 RUN apk update && apk upgrade
-RUN pip install --upgrade pip
-RUN pip install -r /requirements.txt
+RUN pip install --no-cache-dir --upgrade pip
+RUN pip install --no-cache-dir -r /requirements.txt
 RUN pip uninstall -y wheel setuptools
 COPY ./cross_account_backup.py /cross_account_backup.py
-RUN chmod 755 cross_account_backup.py
+RUN chmod 755 /cross_account_backup.py
 CMD ["python3", "cross_account_backup.py"]
@@ -1,7 +1,7 @@
 FROM python:3.12-alpine3.20
 
 COPY requirements.txt /requirements.txt
-RUN apk update && apk upgrade && pip install --upgrade pip \
+RUN apk update && apk upgrade && pip install --no-cache-dir --upgrade pip \
     \ pip install -r /requirements.txt
 COPY ./database_restore.py /database_restore.py
 RUN pip uninstall -y wheel setuptools

@@ -7,8 +7,8 @@ services:
 
   frontend-webserver:
     volumes:
-      - ./client/resources/public/assets:/public/assets
-      - ./client/resources/public/images:/public/images
+      - ./client/resources/public/assets:/www/data/public/assets
+      - ./client/resources/public/images:/www/data/public/images
 
   frontend-app:
     volumes:
@@ -27,8 +27,8 @@ services:
 
   admin-webserver:
     volumes:
-      - ./client/resources/public/assets:/public/assets
-      - ./client/resources/public/images:/public/images
+      - ./client/resources/public/assets:/www/data/public/assets
+      - ./client/resources/public/images:/www/data/public/images
 
   admin-app:
     volumes:

@@ -33,7 +33,7 @@ services:
       APP_HOST: frontend-app
       APP_PORT: 9000
     healthcheck:
-      test: /health-check.sh
+      test: /opt/scripts/health-check.sh
       interval: 30s
       timeout: 30s
       retries: 3
@@ -76,7 +76,7 @@ services:
       APP_HOST: admin-app
       APP_PORT: 9000
     healthcheck:
-      test: /health-check.sh
+      test: /opt/scripts/health-check.sh
       interval: 30s
       timeout: 30s
       retries: 3

@@ -1,11 +1,16 @@
+# Build Stage
 FROM golang:1.22.9-alpine3.20 AS build
+WORKDIR /go/src/clamav-rest
 
-# Build go package
-ADD file-scanner/. /go/src/clamav-rest/
-RUN cd /go/src/clamav-rest && go mod vendor && go build -v
+COPY file-scanner/. .
+RUN go mod vendor && go build -v -o file-scanner
 
+# Final Runtime Stage
 FROM alpine:3.20
 
+WORKDIR /app
+
+# Environment variables for ClamAV
 ENV MAX_SCAN_SIZE=100M
 ENV MAX_FILE_SIZE=25M
 ENV MAX_RECURSION=16
@@ -21,26 +26,31 @@ ENV PCRE_MATCHLIMIT=100000
 ENV PCRE_RECMATCHLIMIT=2000
 ENV SIGNATURE_CHECKS=2
 
-# Copy compiled clamav-rest binary from build container to production container
-COPY --from=build /go/src/clamav-rest/file-scanner /usr/bin/
-
 # Install ClamAV
 RUN apk update && apk --no-cache add clamav clamav-libunrar \
     && mkdir /run/clamav \
     && chown clamav:clamav /run/clamav \
     && apk upgrade
 
-# Configure clamAV to run in foreground with port 3310
+# Configure ClamAV to run in foreground with port 3310
 RUN sed -i 's/^#Foreground .*$/Foreground true/g' /etc/clamav/clamd.conf \
     && sed -i 's/^#TCPSocket .*$/TCPSocket 3310/g' /etc/clamav/clamd.conf \
     && sed -i 's/^#Foreground .*$/Foreground true/g' /etc/clamav/freshclam.conf
 
+# Run initial ClamAV signature update
 RUN freshclam --quiet
 
-COPY file-scanner/entrypoint.sh /usr/bin/
-COPY scripts/hardening/harden.sh /harden.sh
-RUN /harden.sh clamav && rm /harden.sh
+COPY --from=build /go/src/clamav-rest/file-scanner /usr/bin/
+
+COPY file-scanner/entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
+
+# Harden security
+COPY scripts/hardening/harden.sh /app/harden.sh
+RUN /app/harden.sh clamav && rm /app/harden.sh
 
 EXPOSE 8080
+
 USER clamav
-ENTRYPOINT [ "entrypoint.sh" ]
+
+ENTRYPOINT [ "/app/entrypoint.sh" ]