move stuff around

Author: anthony-nhs

.github/workflows/quality-checks.yml

@@ -249,6 +249,33 @@ jobs:
 
       - name: Run unit tests
         run: make test
+      - name: Build docker images
+        if: ${{ inputs.run_docker_scan == true }}
+        run: |
+          make docker-build
+      - name: Determine docker images to scan
+        id: normalized_docker_images
+        run: |
+          if [ "${{ inputs.run_docker_scan }}" != "true" ]; then
+            echo "Docker scanning disabled; emitting empty image list."
+            echo 'images=[]' >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          INPUT='${{ inputs.docker_images }}'
+
+
+          if [ -z "$INPUT" ]; then
+            INPUT="[]"
+          fi
+
+          if [ "$INPUT" = "[]" ]; then
+            echo "No docker images provided"
+            exit 1
+          else
+            echo "Using provided docker images: $INPUT"
+            echo "images=$INPUT" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Generate SBOM
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
@@ -317,35 +344,6 @@ jobs:
           output: "dependency_results_java.txt"
           exit-code: "1"
           trivy-config: trivy.yaml
-      - name: Build docker images
-        if: ${{ inputs.run_docker_scan == true }}
-        run: |
-          make docker-build
-
-      - name: Determine docker images to scan
-        id: normalized_docker_images
-        run: |
-          if [ "${{ inputs.run_docker_scan }}" != "true" ]; then
-            echo "Docker scanning disabled; emitting empty image list."
-            echo 'images=[]' >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          INPUT='${{ inputs.docker_images }}'
-
-
-          if [ -z "$INPUT" ]; then
-            INPUT="[]"
-          fi
-
-          if [ "$INPUT" = "[]" ]; then
-            echo "No docker images provided"
-            exit 1
-          else
-            echo "Using provided docker images: $INPUT"
-            echo "images=$INPUT" >> "$GITHUB_OUTPUT"
-          fi
-
       - name: Show vulnerability output
         if: always()
         run: |

README.md

@@ -4,6 +4,24 @@ A collection of common workflows used by other EPS repositories
 
 The workflows that are available to use are
 
+## Adding exclusions to trivy scanning
+The quality checks job uses trivy to scan for vulnerabilities.   
+There may be times you want to add an exclusion for a known vulnerability that we are happy to accept
+To do this, in the calling repo, add trivy.yaml with this content
+```
+ignorefile: ".trivyignore.yaml"
+```
+and add a .trivyignore.yaml with this content
+```
+vulnerabilities:
+  - id: CVE-2026-24842
+    paths:
+      - "package-lock.json"
+    statement: downstream dependency for tar - waiting for new npm release
+    expired_at: 2026-06-01
+```
+See https://trivy.dev/docs/latest/configuration/filtering/#trivyignoreyaml for more details
+
 ## combine dependabot prs
 
 This workflow can be called to combine multiple open Dependabot PRs into a single PR.
@@ -96,17 +114,21 @@ jobs:
 This workflow runs common quality checks.   
 To use this, you must have the following Makefile targets defined
 - install
-- check-licences
 - lint
 - test
+- install-node (only for cdk projects)
+- compile (only for cdk projects)
 - cdk-synth (only for cdk projects)
+- docker-build (only if run_docker_scan is set to true)
 
 #### Inputs
 
 - `install_java`: Whether to install java or not
 - `run_sonar`: Whether to run sonar checks or not.
 - `asdfVersion`: Override the version of asdf to install.
 - `reinstall_poetry`: If you are using this from a primarily python based project, you should set this to true to force a poetry reinstallation after python is installed
+- `run_docker_scan`: whether to run a scan of docker images
+- `docker_images`: array of docker images to scan. These must match images produced by make docker-build
 
 #### Secret Inputs
 - `SONAR_TOKEN`: Token used to authenticate to sonar