Hof 405

[DivineTaminangHO]

• Anchore replaced with trivy scan in the Drone.yaml
• The node image updated from node:14 to node:18
• The cve-exception file updated

[adityababumallisettiHO]

Scan-image step has to run after the Image has been pushed to the Quay.io repo

[adityababumallisettiHO]

Trivy Scan step should run after Docker push to Quay.
Also Image name has to be set to quay.io/ukhomeofficedigital/html-pdf-converter:$${DRONE_TAG}
Please follow ETA .drone.yml
We need these added
SEVERITY: MEDIUM,HIGH,CRITICAL
FAIL_ON_DETECTION: false
IGNORE_UNFIXED: true
and
ALLOW_CVE_LIST_FILE: trivy-cve-exceptions.txt
Also please check the conditions of Drone that executes the drone pipeline.

[DivineTaminangHO]

What?: I have replaced anchore with Trivy scan
why?: This is because the ACP team has now decided to use Trivy instead of Anchore scans. Anchore has not been supported since January 2023 and as result runs the risk of not detecting vulnerabilities effectively.
Anchore is an open source scanner which scans the following: OS packages and software dependencies in use (SBOM)
Known vulnerabilities (CVEs)
IaC issues and misconfigurations
Sensitive information and secrets
Software licenses
https://docs.acp.homeoffice.gov.uk/how-to/security/trivy/#trivy-overview
How?:
Trivy has been added to drone.yaml pipeline which will scan against any vulnerability to primarily detect CVEs present in OS and Language packages. In addition it will try to detect any secrets like private rsa keys within the container image layers.

[adityababumallisettiHO]

Please correct the indentations.

[adityababumallisettiHO]

Please Remove "Steps"

[adityababumallisettiHO]

here is our ways of working page
https://collaboration.homeoffice.gov.uk/display/DSASS/HOF-+The+Way+We+Work
Please update Git commits and PRs to HOF standards.
we are following the Chris beams git commit method and Gonzalo Banuelos PR method
This the link you can find in the documnetation that helps you : https://cbea.ms/git-commit/#separate