👮 Add static analysis feature (#22)

* Add static analysis feature

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>

* Add static analysis feature changelog

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>

* Fix for artefact naming

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>

---------

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>

features/src/static-analysis/CHANGELOG.md

@@ -0,0 +1,15 @@
+<!-- markdownlint-disable MD003 MD024 -->
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.0.1] - 2024-02-12
+
+### Added
+
+- Initial release of feature

features/src/static-analysis/devcontainer-feature.json

@@ -0,0 +1,18 @@
+{
+  "id": "static-analysis",
+  "version": "0.0.1",
+  "name": "Static Analysis",
+  "description": "Installs Checkov and Trivy",
+  "options": {
+    "checkovVersion": {
+      "type": "string",
+      "description": "Version of Checkov CLI to install",
+      "default": "latest"
+    },
+    "trivyVersion": {
+      "type": "string",
+      "description": "Version of Trivy CLI to install",
+      "default": "latest"
+    }
+  }
+}

features/src/static-analysis/install-checkov-cli.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+
+# shellcheck source=/dev/null
+# file not accessible until being built
+source /usr/local/bin/devcontainer-utils
+
+get_system_architecture
+
+GITHUB_REPOSITORY="bridgecrewio/checkov"
+VERSION="${CHECKOVCLIVERSION:-"latest"}"
+
+if [[ "${VERSION}" == "latest" ]]; then
+  get_github_latest_tag "${GITHUB_REPOSITORY}"
+  VERSION="${GITHUB_LATEST_TAG}"
+  VERSION_STRIP_V="${GITHUB_LATEST_TAG_STRIP_V}"
+else
+  # shellcheck disable=SC2034
+  VERSION_STRIP_V="${VERSION#v}"
+fi
+
+pip_install "checkov==${VERSION}"

features/src/static-analysis/install-trivy-cli.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -e
+
+# shellcheck source=/dev/null
+# file not accessible until being built
+source /usr/local/bin/devcontainer-utils
+
+get_system_architecture
+
+GITHUB_REPOSITORY="aquasecurity/trivy"
+VERSION="${TRIVYCLIVERSION:-"latest"}"
+
+if [[ "${VERSION}" == "latest" ]]; then
+  get_github_latest_tag "${GITHUB_REPOSITORY}"
+  VERSION="${GITHUB_LATEST_TAG}"
+  VERSION_STRIP_V="${GITHUB_LATEST_TAG_STRIP_V}"
+else
+  # shellcheck disable=SC2034
+  VERSION_STRIP_V="${VERSION#v}"
+fi
+
+if [[ "${ARCHITECTURE}" == "amd64" ]]; then
+  ARCHITECTURE="64bit"
+elif [[ "${ARCHITECTURE}" == "arm64" ]]; then
+  ARCHITECTURE="ARM64"
+fi
+
+curl --fail-with-body --location "https://github.com/${GITHUB_REPOSITORY}/releases/download/${VERSION}/trivy_${VERSION_STRIP_V}_Linux-${ARCHITECTURE}.tar.gz" \
+  --output "trivy_${VERSION_STRIP_V}_Linux-${ARCHITECTURE}.tar.gz"
+
+tar --extract --file "trivy_${VERSION_STRIP_V}_Linux-${ARCHITECTURE}.tar.gz"
+
+install --owner=vscode --group=vscode --mode=775 trivy /usr/local/bin/trivy
+
+rm --recursive --force rm -rf LICENSE README.md contrib "trivy_${VERSION_STRIP_V}_Linux-${ARCHITECTURE}.tar.gz"

features/src/static-analysis/install.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# shellcheck source=/dev/null
+# file not accessible until being built
+source /usr/local/bin/devcontainer-utils
+
+logger "info" "Installing Checkov CLI (version: ${CHECKOVCLIVERSION})"
+bash "$(dirname "${0}")"/install-checkov-cli.sh
+
+logger "info" "Installing Trivy CLI (version: ${TRIVYCLIVERSION})"
+bash "$(dirname "${0}")"/install-trivy-cli.sh

features/test/static-analysis/test.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -e
+
+# shellcheck source=/dev/null
+# file only accessible when using devcontainer CLI
+source dev-container-features-test-lib
+
+check "checkov version" checkov --version
+check "trivy version" trivy --version
+
+reportResults