feat: refine Dockerfile for improved Trivy integration and artifact handling

Author: adilhusain-s

python-versions/Dockerfile

@@ -16,14 +16,10 @@ ARG PYTHON_VERSION
 ARG ACTIONS_PYTHON_VERSIONS
 ARG TRIVY_VERSION
 
-# Many base images (including our `powershell` image) switch to a non-root
-# runtime user for security. The builder stage must perform system package
-# installs and compile steps which require root. Explicitly switch back to
-# `root` here so all following RUN steps have the privileges they need.
+# Switch to root for installation privileges
 USER root
 
-# Use bash with pipefail so any command in a pipeline failing will cause the
-# whole RUN step to fail (safer for build-time checks and early failure).
+# Use bash with pipefail for safety
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # Build environment and compiler hardening flags
@@ -44,7 +40,7 @@ ENV pythonLocation=${PYTHON_INSTALL_DIR} \
     RUNNER_TEMP=/tmp \
     RUNNER_TOOL_CACHE=/opt
 
-# Combined Install Step (Essential + Core + Optional) to reduce layers.
+# Combined Install Step (Essential + Core + Optional)
 RUN apt-get -qq update -y && \
     apt-get -qq -y install --no-install-recommends \
     tzdata curl wget gcc g++ make git ca-certificates \
@@ -57,18 +53,18 @@ RUN apt-get -qq update -y && \
     python3 pkg-config sudo libmpdec-dev libbluetooth-dev libz-dev || true) && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
 
-# Install Trivy (used for local security gates)
+# Install Trivy
 RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
 
-# Clone Python
+# Clone Python Build Scripts
 RUN if [ ! -d /python-versions ]; then git clone https://github.com/actions/python-versions.git /python-versions; fi
 WORKDIR /python-versions
 RUN git checkout "${ACTIONS_PYTHON_VERSIONS}" && git submodule init && git submodule update
 
-# [CEVS STEP 1] Scan Source Code BEFORE Build
+# [CEVS STEP 1] Scan Source Code
 RUN trivy fs --scanners secret,misconfig --exit-code 1 ./
 
-# Build Python & Restore Artifact (FIXED LOGIC)
+# Build Python & Restore Artifact
 # The `build-python.ps1` script creates a compiled tarball in `/tmp/artifact` and
 # cleans up the `/opt` directory to save space. We immediately extract that
 # artifact back into place so `python-tests.ps1` can find the binaries.
@@ -97,31 +93,27 @@ RUN export MAKEFLAGS="-j $(nproc)" && \
     ${PYTHON_INSTALL_DIR}/bin/python3 -c "import ssl; print('Python installed and SSL verified')"
 
 # [CEVS STEP 2] Scan the Compiled Artifact (The Gatekeeper)
-# Generate SBOM (Only happens if CEVS passed) and place it in /tmp/artifact
+# Generate SBOM & Reports
 RUN mkdir -p /tmp/artifact && \
     trivy fs --format cyclonedx --output /tmp/artifact/python-${PYTHON_VERSION}-${TARGETARCH}.sbom.json ${PYTHON_INSTALL_DIR} || true
 
-# Also write Trivy JSON reports (vuln and secret/misconfig) into /tmp/artifact
+# Write Trivy JSON reports
 RUN trivy --download-db-only || true; \
     trivy fs --format json --output /tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-vuln.json --scanners vuln ${PYTHON_INSTALL_DIR} || true && \
     trivy fs --format json --output /tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-secret.json --scanners secret,misconfig ${PYTHON_INSTALL_DIR} || true
 
-# Create a small gate script to parse Trivy JSON and decide whether to fail
-# the build. This provides a single place to tune thresholds or ignore rules.
+# Create the Gate Script
 COPY <<EOF /usr/local/bin/trivy-gate.sh
 #!/bin/sh
 set -e
-# Inputs: vuln-json, secret-json
 VULN_JSON=\${1:-/tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-vuln.json}
 SECRET_JSON=\${2:-/tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-secret.json}
-# Controls: Set these env vars to tune build gating behavior
 FAIL_ON_CRITICAL=\${FAIL_ON_CRITICAL:-1}
 FAIL_ON_HIGH=\${FAIL_ON_HIGH:-0}
 FAIL_ON_MEDIUM=\${FAIL_ON_MEDIUM:-0}
 FAIL_ON_SECRET=\${FAIL_ON_SECRET:-1}
-echo "Trivy Gate: checking \$VULN_JSON and \$SECRET_JSON"
 
-# Initialize counters
+echo "Trivy Gate: checking \$VULN_JSON and \$SECRET_JSON"
 critical=0; high=0; medium=0; secrets=0
 
 if [ -f "\$VULN_JSON" ]; then
@@ -135,31 +127,29 @@ fi
 
 echo "Counts => CRITICAL=\$critical HIGH=\$high MEDIUM=\$medium SECRETS=\$secrets"
 
-if [ "\$FAIL_ON_CRITICAL" -eq 1 -a "\$critical" -gt 0 ]; then
-    echo "ERROR: Trivy found CRITICAL vulnerabilities: \$critical"
-    exit 1
-fi
-if [ "\$FAIL_ON_HIGH" -eq 1 -a "\$high" -gt 0 ]; then
-    echo "ERROR: Trivy found HIGH vulnerabilities: \$high"
-    exit 1
-fi
-if [ "\$FAIL_ON_SECRET" -eq 1 -a "\$secrets" -gt 0 ]; then
-    echo "ERROR: Trivy found secrets/misconfigs: \$secrets"
+BLOCK=false
+if [ "\$FAIL_ON_CRITICAL" -eq 1 ] && [ "\$critical" -gt 0 ]; then BLOCK=true; fi
+if [ "\$FAIL_ON_HIGH" -eq 1 ] && [ "\$high" -gt 0 ]; then BLOCK=true; fi
+if [ "\$FAIL_ON_SECRET" -eq 1 ] && [ "\$secrets" -gt 0 ]; then BLOCK=true; fi
+
+# Write result for Makefile extraction
+printf '{"critical":%d,"high":%d,"medium":%d,"secrets":%d,"block":%s}\n' "\$critical" "\$high" "\$medium" "\$secrets" "\$BLOCK" > /tmp/artifact/trivy-gate-result.json
+
+if [ "\$BLOCK" = "true" ]; then
+    echo "GATE FAILED."
     exit 1
+else
+    echo "GATE PASSED."
+    exit 0
 fi
-
-echo "Trivy gate passed; no blocker findings."
-exit 0
 EOF
 RUN chmod +x /usr/local/bin/trivy-gate.sh
 
-# Run the gate. Note: FAIL_ON_CRITICAL is set to 0 here to allow build to pass
-# during development/debugging, but the reports are generated above.
-RUN FAIL_ON_CRITICAL=0 FAIL_ON_HIGH=0 FAIL_ON_MEDIUM=0 FAIL_ON_SECRET=0 /usr/local/bin/trivy-gate.sh /tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-vuln.json /tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-secret.json || true
+# Run the gate (non-blocking for now so artifacts are exported)
+RUN FAIL_ON_CRITICAL=0 FAIL_ON_HIGH=0 FAIL_ON_MEDIUM=0 FAIL_ON_SECRET=0 /usr/local/bin/trivy-gate.sh || true
 
 # Run Tests
 WORKDIR /python-versions/tests
-# Ensure the build output log exists (created during pwsh build) for tests to analyze
 RUN cp $RUNNER_TEMP/work/build_output.txt $RUNNER_TEMP/ || touch $RUNNER_TEMP/build_output.txt
 RUN pwsh -Command "Install-Module -Name Pester -Force -Scope CurrentUser -SkipPublisherCheck" && \
     AGENT_TOOLSDIRECTORY=/opt RUNNER_TOOL_CACHE=/opt pwsh python-tests.ps1 ${PYTHON_VERSION} linux ${TARGETARCH}
@@ -175,7 +165,7 @@ FROM ubuntu:${UBUNTU_VERSION} AS final
 ARG PYTHON_VERSION
 ARG TARGETARCH
 
-# Set up a non-root user (Security Best Practice)
+# Set up a non-root user
 RUN groupadd -g 10001 python_group && \
     useradd -u 10001 -g python_group -s /bin/bash -m python_user
 
@@ -185,8 +175,11 @@ RUN apt-get update && \
     ca-certificates openssl libssl3 libffi8 libsqlite3-0 liblzma5 libbz2-1.0 zlib1g && \
     rm -rf /var/lib/apt/lists/*
 
-# Copy Artifacts
+# Copy Installed Python
 COPY --from=builder /opt/Python/${PYTHON_VERSION}/${TARGETARCH} /opt/Python/${PYTHON_VERSION}/${TARGETARCH}
+
+# [IMPORTANT] Copy Build Artifacts & Reports so Makefile can extract them
+COPY --from=builder /tmp/artifact /tmp/artifact
 COPY --from=builder /tmp/artifact/python-${PYTHON_VERSION}-${TARGETARCH}.sbom.json /opt/python-sbom.json
 
 # Clean Source