[PRM-227] Updated Container Image OS versions to latest version of Alpine (#278)

* [PRM-227] upgraded Alpine to 3.23 and Node to 24

* [PRM-227] Upgraded all OS images to latest Alpine

* [PRM-227] Added apk upgrade to each Docker File

* [PRM-227] Replaced aws-cli pip3 install with APK install

* [PRM-227] removed aws-helpers

* [PRM-227] Added SBOM scanning for images after push to ECR

* [PRM-227] Fixed typo in Dockerfile

Author: AndyFlintAnswerDigital

.github/workflows/base-java-service-jobs.yml

@@ -116,6 +116,24 @@ jobs:
           set -euo pipefail
           docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
 
+      - name: Generate SBOM for Docker Image
+        uses: anchore/sbom-action@v0
+        if: ${{ inputs.environment == 'development' }}
+        with:
+          image: ${{ steps.ecr-login.outputs.registry }}/${{ inputs.image_prefix }}${{ inputs.service }}:${{ github.sha }}
+          format: cyclonedx-json
+          output-file: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
+
+      - name: Scan SBOM for Docker Image
+        uses: anchore/scan-action@v7
+        if: ${{ inputs.environment == 'development' }}
+        with:
+          sbom: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
+          fail-build: true
+          severity-cutoff: low
+          only-fixed: true
+          output-format: table
+
   deploy_infra:
     name: Deploy Infrastructure
     needs: [build_and_publish]

.github/workflows/base-node-service-jobs.yml

@@ -148,6 +148,24 @@ jobs:
           set -euo pipefail
           docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
 
+      - name: Generate SBOM for Docker Image
+        uses: anchore/sbom-action@v0
+        if: ${{ inputs.environment == 'development' }}
+        with:
+          image: ${{ steps.ecr-login.outputs.registry }}/deductions/${{ inputs.service }}:${{ github.sha }}
+          format: cyclonedx-json
+          output-file: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
+
+      - name: Scan SBOM for Docker Image
+        uses: anchore/scan-action@v7
+        if: ${{ inputs.environment == 'development' }}
+        with:
+          sbom: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
+          fail-build: true
+          severity-cutoff: low
+          only-fixed: true
+          output-format: table
+
   deploy_infra:
     name: Deploy Infrastructure
     needs: [build_and_publish]

.github/workflows/base-python-service-jobs.yml

@@ -98,6 +98,24 @@ jobs:
         run: |
           docker push "$ECR_URI:$IMAGE_TAG"
 
+      - name: Generate SBOM for Docker Image
+        uses: anchore/sbom-action@v0
+        if: ${{ inputs.environment == 'development' }}
+        with:
+          image: ${{ steps.ecr-repo.outputs.uri }}:${{ github.sha }}
+          format: cyclonedx-json
+          output-file: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
+
+      - name: Scan SBOM for Docker Image
+        uses: anchore/scan-action@v7
+        if: ${{ inputs.environment == 'development' }}
+        with:
+          sbom: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
+          fail-build: true
+          severity-cutoff: low
+          only-fixed: true
+          output-format: table
+
   deploy_infra:
     if: ${{ inputs.deploy_infra && inputs.is_deployment }}
     name: Deploy Infrastructure

services/ehr-out-service/Dockerfile

@@ -1,4 +1,9 @@
-FROM node:22.5-alpine AS builder
+FROM node:24-alpine3.23 AS builder
+
+RUN apk update && \
+    apk -u list && \
+    apk upgrade && \
+    rm -rf /var/cache/apk/*
 
 COPY package*.json /app/
 
@@ -7,7 +12,7 @@ WORKDIR /app
 RUN npm ci --omit=dev
 
 # production app image
-FROM alpine:3.15
+FROM alpine:3.23
 
 # take just node without npm (including npx) or yarn
 COPY --from=builder /usr/local/bin/node /usr/local/bin
@@ -16,16 +21,9 @@ COPY --from=builder /usr/local/bin/node /usr/local/bin
 COPY --from=builder /app /app
 
 RUN apk update && \
-    apk add --no-cache bash tini && \
+    apk add --no-cache bash tini aws-cli && \
     rm -rf /var/cache/apk/*
 
-RUN apk add --no-cache \
-        python3 \
-        py3-pip \
-    && pip3 install --upgrade pip \
-    && pip3 install \
-        awscli \
-    && rm -rf /var/cache/apk/*
 
 COPY build/                   /app/build