diff --git a/.tool-versions b/.tool-versions
index ed072a5d..2411b75e 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -6,17 +6,10 @@ pre-commit 3.4.0
 # ==============================================================================
 # The section below is reserved for Docker image versions.
-# gitleaks, SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
-# docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9
-
-# terraform, SEE: https://hub.docker.com/r/hashicorp/terraform/tags
-# docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5
-
-# shellcheck, SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
-# docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c
-
-# hadolint, SEE: https://hub.docker.com/r/hadolint/hadolint/tags
-# docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42
-
-# ghcr.io/nhs-england-tools/github-runner-image, SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
-# docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646
+# TODO: Move this section - consider using a different file for the repository template dependencies.
+# docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
+# docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
+# docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags
+# docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags
+# docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
+# docker/sonarsource/sonar-scanner-cli 5.0.1@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags
diff --git a/scripts/githooks/scan-secrets.sh b/scripts/githooks/scan-secrets.sh
index e6db92f6..9e7f3dc6 100755
--- a/scripts/githooks/scan-secrets.sh
+++ b/scripts/githooks/scan-secrets.sh
@@ -10,8 +10,8 @@ set -euo pipefail
 # $ ./scan-secrets.sh
 #
 # Options:
-# check={whole-history,last-commit,staged-changes} # Type of the check to run, default is `staged-changes`
-# VERBOSE=true # Show all the executed commands, default is `false`
+# check={whole-history,last-commit,staged-changes} # Type of the check to run, default is 'staged-changes'
+# VERBOSE=true # Show all the executed commands, default is 'false'
 # FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false'
 #
 # Exit codes:
diff --git a/scripts/reports/perform-static-analysis.sh b/scripts/reports/perform-static-analysis.sh
index b0a1b6f9..f52c068b 100755
--- a/scripts/reports/perform-static-analysis.sh
+++ b/scripts/reports/perform-static-analysis.sh
@@ -17,12 +17,8 @@ set -euo pipefail
 # SONAR_TOKEN=token # SonarCloud token
 #
 # Options:
-# VERBOSE=true # Show all the executed commands, default is `false`
-
-# ==============================================================================
-
-# SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags, use the `linux/amd64` os/arch
-image_version=5.0.1@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575
+# VERBOSE=true # Show all the executed commands, default is 'false'
+# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false'
 # ==============================================================================
@@ -30,14 +26,35 @@ function main() {
 cd "$(git rev-parse --show-toplevel)"
- create-report
+ if command -v sonar-scanner > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+ cli-run-sonar-scanner
+ else
+ docker-run-sonar-scanner
+ fi
 }
-function create-report() {
+# Run Sonar Scanner natively.
+function cli-run-sonar-scanner() {
+
+ sonar-scanner \
+ -Dproject.settings="$PWD/scripts/config/sonar-scanner.properties" \
+ -Dsonar.branch.name="${BRANCH_NAME:-$(git rev-parse --abbrev-ref HEAD)}" \
+ -Dsonar.organization="$SONAR_ORGANISATION_KEY" \
+ -Dsonar.projectKey="$SONAR_PROJECT_KEY" \
+ -Dsonar.token="$SONAR_TOKEN"
+}
+
+# Run Sonar Scanner in a Docker container.
+function docker-run-sonar-scanner() {
+
+ # shellcheck disable=SC1091
+ source ./scripts/docker/docker.lib.sh
+ # shellcheck disable=SC2155
+ local image=$(name=sonarsource/sonar-scanner-cli docker-get-image-version-and-pull)
 docker run --rm --platform linux/amd64 \
 --volume "$PWD":/usr/src \
- sonarsource/sonar-scanner-cli:$image_version \
+ "$image" \
 -Dproject.settings=/usr/src/scripts/config/sonar-scanner.properties \
 -Dsonar.branch.name="${BRANCH_NAME:-$(git rev-parse --abbrev-ref HEAD)}" \
 -Dsonar.organization="$SONAR_ORGANISATION_KEY" \
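Review bot: In docker-run-sonar-scanner the line `local image=$(name=sonarsource/sonar-scanner-cli docker-get-image-version-and-pull)` discards the helper's exit status (which is what the SC2155 directive is silencing), so under `set -e` a failed lookup or pull leaves `image` empty and the script carries on into `docker run` with an empty image argument instead of stopping; split it into `local image` followed by `image=$(name=sonarsource/sonar-scanner-cli docker-get-image-version-and-pull)` and drop the shellcheck directive. The new native path in cli-run-sonar-scanner also places `-Dsonar.token="$SONAR_TOKEN"` in the scanner's argv, where it is readable in process listings and would be echoed if VERBOSE turns on command tracing as its description suggests; if the pinned scanner honours the SONAR_TOKEN environment variable (worth confirming for 5.0.1), exporting it and omitting the `-Dsonar.token` argument keeps the secret out of argv, and the same presumably applies to the docker branch, whose remaining `-D` lines and closing brace lie outside the hunk. Separately, main calls `is-arg-true` before anything is sourced in this hunk; if that helper is not already defined elsewhere in the file, `! is-arg-true …` succeeds on the command-not-found status and FORCE_USE_DOCKER is silently ignored.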