Lcs 867 review sonarqube vulnerabilities in GitHub pipelines (#459)

mrlockstar · web-flow · commit efe243a27693 · 2026-05-06T16:19:59.000+01:00
# What is the change?

This PR implements several improvements based on SonarQube
recommendations, including security fixes, code reliability
enhancements, and general refactoring for better reusability.

Although the original scope was focused on security, it made sense to
address related quality improvements at the same time.

Please note that this will not resolve all the issues; its more a first
pass at fixing them. More PRs will follow.


&lt;!-- Describe the intended changes. --&gt;

# Why are we making this change?

To ensure the repository can remain public while adhering to SonarQube
best practices, particularly around security, maintainability, and code
quality.

&lt;!-- Why is this change required? What problem does it solve? --&gt;
diff --git a/.github/actions/lint-terraform/action.yaml b/.github/actions/lint-terraform/action.yaml
@@ -13,8 +13,9 @@ runs:
         check_only=true scripts/githooks/check-terraform-format.sh
     - name: "Validate Terraform"
       shell: bash
+      env:
+        STACKS: ${{ inputs.root-modules }}
       run: |
-        stacks=${{ inputs.root-modules }}
-        for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
+        for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${STACKS//,/$'\n'}); do
           dir=$dir make terraform-validate
         done
diff --git a/infrastructure/bootstrap/core.bicep b/infrastructure/bootstrap/core.bicep
@@ -6,10 +6,6 @@ param miPrincipalId string
 @minLength(1)
 param miName string
 
-param userGroupPrincipalID string
-
-param userGroupName string
-
 // See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 var roleID = {
   contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
diff --git a/infrastructure/bootstrap/hub.bicep b/infrastructure/bootstrap/hub.bicep
@@ -44,6 +44,8 @@ var privateEndpointSubnetName = 'sn-hub-${hubType}-${regionShortName}-private-en
 var storageAccountName = 'sa${appShortName}${hubType}${regionShortName}state'
 var computeGalleryName = '${appShortName}_hub_compute_gallery'
 
+var roleDefinitions = 'Microsoft.Authorization/roleDefinitions'
+
 var miADOtoAZname = 'mi-${appShortName}-${hubType}-adotoaz-${regionShortName}'
 var miGHtoADOname = 'mi-${appShortName}-${hubType}-ghtoado-${regionShortName}'
 
@@ -163,7 +165,7 @@ module managedIdentiyADOtoAZ 'modules/managedIdentity.bicep' = {
 resource networkContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, hubType, 'networkContributor')
   properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.networkContributor)
+    roleDefinitionId: subscriptionResourceId(roleDefinitions, roleID.networkContributor)
     principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
     description: '${miADOtoAZname} Network Contributor access to subscription'
   }
@@ -186,7 +188,7 @@ resource userAccessAdministratorAssignment 'Microsoft.Authorization/roleAssignme
 resource CDNContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, hubType, 'CDNContributor')
   properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.CDNContributor)
+    roleDefinitionId: subscriptionResourceId(roleDefinitions, roleID.CDNContributor)
     principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
     description: '${miADOtoAZname} CDN Contributor access to subscription'
   }
@@ -196,7 +198,7 @@ resource CDNContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-
 resource TerraformContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, hubType, 'TerraformContributor')
   properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.contributor)
+    roleDefinitionId: subscriptionResourceId(roleDefinitions, roleID.contributor)
     principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
     description: '${miADOtoAZname} Terraform Contributor access to subscription'
   }
@@ -206,7 +208,7 @@ resource TerraformContributorAssignment 'Microsoft.Authorization/roleAssignments
 resource StorageAccountBlobContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, hubType, 'StorageAccountBlobContributorAssignment')
   properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.storageBlobDataContributor)
+    roleDefinitionId: subscriptionResourceId(roleDefinitions, roleID.storageBlobDataContributor)
     principalId: managedIdentiyADOtoAZ.outputs.miPrincipalID
     description: '${miADOtoAZname} Storage Account Blob Contributor access to subscription'
   }
@@ -230,7 +232,7 @@ module managedIdentiyGHtoADO 'modules/managedIdentity.bicep' = {
 resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, hubType, 'reader')
   properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.reader)
+    roleDefinitionId: subscriptionResourceId(roleDefinitions, roleID.reader)
     principalId: managedIdentiyGHtoADO.outputs.miPrincipalID
     description: '${miGHtoADOname} Reader access to subscription'
   }
diff --git a/infrastructure/bootstrap/modules/computeGallery.bicep b/infrastructure/bootstrap/modules/computeGallery.bicep
@@ -10,7 +10,7 @@ resource computeGallery 'Microsoft.Compute/galleries@2023-07-03' = {
   name: galleryName
   location: location
   properties: {
-    description: ''
+    description: 'Compute Gallery for sharing images across subscriptions and regions'
     softDeletePolicy: {
       isSoftDeleteEnabled: false
     }
diff --git a/infrastructure/bootstrap/modules/dns.bicep b/infrastructure/bootstrap/modules/dns.bicep
@@ -19,9 +19,9 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2024-06-01' = {
 }
 
 resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = {
+  location: 'global'
   name: '${last(split(vnetId, '/'))}-link'
   parent: privateDNSZone
-  location: 'global'
   properties: {
     virtualNetwork: {
       id: vnetId
diff --git a/infrastructure/bootstrap/modules/privateEndpoint-spoke.bicep b/infrastructure/bootstrap/modules/privateEndpoint-spoke.bicep
@@ -16,14 +16,14 @@ var groupID = {
 
 // Retrieve the existing vnet resource group
 resource vnetRG 'Microsoft.Resources/resourceGroups@2024-11-01' existing = {
-  name: RGName
   scope: subscription()
+  name: RGName
 }
 
 // Retrieve the existing vnet
 resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' existing = {
-  name: vnetName
   scope: vnetRG
+  name: vnetName
 }
 
 // Retrieve the existing Subnet within the vnet
diff --git a/infrastructure/bootstrap/modules/privateEndpoint.bicep b/infrastructure/bootstrap/modules/privateEndpoint.bicep
@@ -17,14 +17,14 @@ var groupID = {
 
 // Retrieve the existing vnet resource group
 resource vnetRG 'Microsoft.Resources/resourceGroups@2024-11-01' existing = {
-  name: RGName
   scope: subscription()
+  name: RGName
 }
 
 // Retrieve the existing vnet
 resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' existing = {
-  name: vnetName
   scope: vnetRG
+  name: vnetName
 }
 
 resource privateEndpointSubnet 'Microsoft.Network/virtualNetworks/subnets@2025-01-01' = {
diff --git a/infrastructure/bootstrap/modules/storage.bicep b/infrastructure/bootstrap/modules/storage.bicep
@@ -61,11 +61,6 @@ resource blobContainer 'Microsoft.Storage/storageAccounts/blobServices/container
   }
 }
 
-// See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
-var roleID = {
-  blobContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
-}
-
 // Define role assignments array
 var roleAssignments = [
   {
@@ -75,6 +70,11 @@ var roleAssignments = [
   }
 ]
 
+// See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+var roleID = {
+  blobContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+}
+
 // Let the managed identity edit the terraform state
 resource blobContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, miPrincipalID, 'blobContributor')
diff --git a/lung_cancer_screening/questions/forms/agree_terms_of_use_form.py b/lung_cancer_screening/questions/forms/agree_terms_of_use_form.py
@@ -8,15 +8,16 @@
 class TermsOfUseForm(forms.ModelForm):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
+        terms_of_use = "Agree to the terms of use to continue"
         self.fields["value"] = MultipleChoiceField(
             choices=[(True, 'I agree')],
             widget=forms.CheckboxSelectMultiple,
             label="Accept terms of use",
             label_classes="nhsuk-u-visually-hidden",
             error_messages={
-                "required": "Agree to the terms of use to continue",
-                "invalid_choice": "Agree to the terms of use to continue",
-                "invalid_list": "Agree to the terms of use to continue"
+                "required": terms_of_use,
+                "invalid_choice": terms_of_use,
+                "invalid_list": terms_of_use
             }
         )
     class Meta:
diff --git a/scripts/bash/container_app_smoke_test.sh b/scripts/bash/container_app_smoke_test.sh
@@ -8,9 +8,9 @@ DNS_ZONE_NAME=$3
 PR_NUMBER=${4:-}
 USE_APEX_DOMAIN=${5:-false}
 
-if [ -z "$PR_NUMBER" ]; then
+if [[ -z "$PR_NUMBER" ]]; then
     # Permanent environments
-    if [ "$USE_APEX_DOMAIN" = "true" ]; then
+    if [[ "$USE_APEX_DOMAIN" = "true" ]]; then
         # For production with apex domain
         ENDPOINT="https://${DNS_ZONE_NAME}/sha"
     else
@@ -33,7 +33,7 @@ while true; do
   # It should fail initially until front door presents the right certificate.
   if ACTUAL_SHA=$(curl -fsS "$ENDPOINT" 2>/dev/null); then
     echo "Endpoint responded: $ACTUAL_SHA"
-    if [ "$ACTUAL_SHA" = "$EXPECTED_SHA" ]; then
+    if [[ "$ACTUAL_SHA" = "$EXPECTED_SHA" ]]; then
       echo "✅ SHA matches expected commit: $EXPECTED_SHA"
       exit 0
     else
@@ -43,7 +43,7 @@ while true; do
 
   now=$(date +%s)
   elapsed=$((now - start_time))
-  if [ $elapsed -ge $TIMEOUT ]; then
+  if [[ $elapsed -ge $TIMEOUT ]]; then
     echo "❌ Timeout: Endpoint did not become ready within ${TIMEOUT}s"
     exit 1
   fi
diff --git a/scripts/bash/resource_group_init.sh b/scripts/bash/resource_group_init.sh
@@ -15,7 +15,7 @@ userGroupName="screening_${APP_SHORT_NAME}_${ENV_CONFIG}"
 echo "Fetching object id for group: $userGroupName"
 userGroupPrincipalID=$(az ad group show --group "$userGroupName" --query id -o tsv)
 
-if [ -z "$userGroupPrincipalID" ]; then
+if [[ -z "$userGroupPrincipalID" ]]; then
   echo "Error: Group '$userGroupName' not found in Entra ID"
   exit 1
 fi
@@ -47,5 +47,4 @@ miPrincipalID=$(echo "$output" | jq -r '.properties.outputs.miPrincipalID.value'
 echo "Deploy to core subscription $ARM_SUBSCRIPTION_ID..."
 az deployment sub create --location "$REGION" --template-file infrastructure/bootstrap/core.bicep \
   --subscription "$ARM_SUBSCRIPTION_ID" \
-  --parameters miName="$miName" miPrincipalId="$miPrincipalID" \
-    userGroupPrincipalID="$userGroupPrincipalID" userGroupName="$userGroupName" --confirm-with-what-if
+  --parameters miName="$miName" miPrincipalId="$miPrincipalID" --confirm-with-what-if
diff --git a/scripts/bash/run_container_app_job.sh b/scripts/bash/run_container_app_job.sh
@@ -6,7 +6,7 @@ ENV_CONFIG=$1
 JOB_SHORT_NAME=$2
 PR_NUMBER=${3:-}
 
-if [ -z "$PR_NUMBER" ]; then
+if [[ -z "$PR_NUMBER" ]]; then
     # On permanent environments, the environment name is the environment config name, i.e. "production"
     ENV=${ENV_CONFIG}
 else
diff --git a/scripts/docker/dgoss.sh b/scripts/docker/dgoss.sh
@@ -24,7 +24,7 @@ error() {
 cleanup() {
     set +e
     { kill "$log_pid" && wait "$log_pid"; } 2> /dev/null
-    if [ -n "$CONTAINER_LOG_OUTPUT" ]; then
+    if [[ -n "$CONTAINER_LOG_OUTPUT" ]]; then
         cp "$tmp_dir/docker_output.log" "$CONTAINER_LOG_OUTPUT"
     fi
     rm -rf "$tmp_dir"
@@ -47,7 +47,7 @@ run(){
     case "$GOSS_FILES_STRATEGY" in
       mount)
         info "Starting $CONTAINER_RUNTIME container"
-        if [ "$CONTAINER_RUNTIME" == "podman" -a $# == 2 ]; then
+        if [[ "$CONTAINER_RUNTIME" == "podman" -a $# == 2 ]]; then
             id=$($CONTAINER_RUNTIME run -d -v "$tmp_dir:/goss:z" "${@:2}" sleep infinity)
         else
             id=$($CONTAINER_RUNTIME run -d -v "$tmp_dir:/goss:z" "${@:2}")
@@ -113,7 +113,7 @@ case "$1" in
         fi
         [[ $GOSS_SLEEP ]] && { info "Sleeping for $GOSS_SLEEP"; sleep "$GOSS_SLEEP"; }
         info "Container health"
-        if [ "true" != "$($CONTAINER_RUNTIME inspect -f '{{.State.Running}}' "$id")" ]; then
+        if [[ "true" != "$($CONTAINER_RUNTIME inspect -f '{{.State.Running}}' "$id")" ]]; then
             $CONTAINER_RUNTIME logs "$id" >&2
             error "the container failed to start"
         fi
diff --git a/scripts/docker/docker.lib.sh b/scripts/docker/docker.lib.sh
@@ -49,7 +49,7 @@ function docker-build() {
 
   # Tag the image with all the stated versions, see the documentation for more details
   for version in $(_get-all-effective-versions) latest; do
-    if [ ! -z "$version" ]; then
+    if [[ ! -z "$version" ]]; then
       docker tag "${tag}" "${DOCKER_IMAGE}:${version}"
     fi
   done
@@ -188,7 +188,7 @@ function docker-get-image-version-and-pull() {
   # match it by name and version regex, if given.
   local versions_file="${TOOL_VERSIONS:=$(git rev-parse --show-toplevel)/.tool-versions}"
   local version="latest"
-  if [ -f "$versions_file" ]; then
+  if [[ -f "$versions_file" ]]; then
     line=$(grep "docker/${name} " "$versions_file" | sed "s/^#\s*//; s/\s*#.*$//" | grep "${match_version:-".*"}")
     [ -n "$line" ] && version=$(echo "$line" | awk '{print $2}')
   fi
@@ -199,7 +199,7 @@ function docker-get-image-version-and-pull() {
 
   # Check if the image exists locally already
   if ! docker images | awk '{ print $1 ":" $2 }' | grep -q "^${name}:${tag}$"; then
-    if [ "$digest" != "latest" ]; then
+    if [[ "$digest" != "latest" ]]; then
       # Pull image by the digest sha256 and tag it
       docker pull \
         --platform linux/amd64 \
@@ -232,7 +232,7 @@ function _create-effective-dockerfile() {
   # Dockerfile.effective file, otherwise docker won't use it.
   # See https://docs.docker.com/build/building/context/#filename-and-location
   # If using podman, this requires v5.0.0 or later.
-  if [ -f "${dir}/Dockerfile.dockerignore" ]; then
+  if [[ -f "${dir}/Dockerfile.dockerignore" ]]; then
     cp "${dir}/Dockerfile.dockerignore" "${dir}/Dockerfile.effective.dockerignore"
   fi
   cp "${dir}/Dockerfile" "${dir}/Dockerfile.effective"
@@ -250,7 +250,7 @@ function _replace-image-latest-by-specific-version() {
   local dockerfile="${dir}/Dockerfile.effective"
   local build_datetime=${BUILD_DATETIME:-$(date -u +'%Y-%m-%dT%H:%M:%S%z')}
 
-  if [ -f "$versions_file" ]; then
+  if [[ -f "$versions_file" ]]; then
     # First, list the entries specific for Docker to take precedence, then the rest but exclude comments
     content=$(grep " docker/" "$versions_file"; grep -v " docker/" "$versions_file" ||: | grep -v "^#")
     echo "$content" | while IFS= read -r line; do
@@ -262,7 +262,7 @@ function _replace-image-latest-by-specific-version() {
     done
   fi
 
-  if [ -f "$dockerfile" ]; then
+  if [[ -f "$dockerfile" ]]; then
     # shellcheck disable=SC2002
     cat "$dockerfile" | \
       sed "s/\(\${yyyy}\|\$yyyy\)/$(date --date="${build_datetime}" -u +"%Y")/g" | \
@@ -312,7 +312,7 @@ function _get-effective-tag() {
 
   local tag=$DOCKER_IMAGE
   version=$(_get-effective-version)
-  if [ ! -z "$version" ]; then
+  if [[ ! -z "$version" ]]; then
     tag="${tag}:${version}"
   fi
   echo "$tag"
@@ -334,9 +334,9 @@ function _get-git-branch-name() {
 
   local branch_name=$(git rev-parse --abbrev-ref HEAD)
 
-  if [ -n "${GITHUB_HEAD_REF:-}" ]; then
+  if [[ -n "${GITHUB_HEAD_REF:-}" ]]; then
     branch_name=$GITHUB_HEAD_REF
-  elif [ -n "${GITHUB_REF:-}" ]; then
+  elif [[ -n "${GITHUB_REF:-}" ]]; then
     # shellcheck disable=SC2001
     branch_name=$(echo "$GITHUB_REF" | sed "s#refs/heads/##")
   fi

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ resource computeGallery 'Microsoft.Compute/galleries@2023-07-03' = {`
`10`	`10`	`name: galleryName`
`11`	`11`	`location: location`
`12`	`12`	`properties: {`
`13`		`- description: ''`
	`13`	`+ description: 'Compute Gallery for sharing images across subscriptions and regions'`
`14`	`14`	`softDeletePolicy: {`
`15`	`15`	`isSoftDeleteEnabled: false`
`16`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,14 +16,14 @@ var groupID = {`
`16`	`16`
`17`	`17`	`// Retrieve the existing vnet resource group`
`18`	`18`	`resource vnetRG 'Microsoft.Resources/resourceGroups@2024-11-01' existing = {`
`19`		`- name: RGName`
`20`	`19`	`scope: subscription()`
	`20`	`+ name: RGName`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`// Retrieve the existing vnet`
`24`	`24`	`resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' existing = {`
`25`		`- name: vnetName`
`26`	`25`	`scope: vnetRG`
	`26`	`+ name: vnetName`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`// Retrieve the existing Subnet within the vnet`
Original file line number	Diff line number	Diff line change
`@@ -17,14 +17,14 @@ var groupID = {`
`17`	`17`
`18`	`18`	`// Retrieve the existing vnet resource group`
`19`	`19`	`resource vnetRG 'Microsoft.Resources/resourceGroups@2024-11-01' existing = {`
`20`		`- name: RGName`
`21`	`20`	`scope: subscription()`
	`21`	`+ name: RGName`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`// Retrieve the existing vnet`
`25`	`25`	`resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' existing = {`
`26`		`- name: vnetName`
`27`	`26`	`scope: vnetRG`
	`27`	`+ name: vnetName`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`resource privateEndpointSubnet 'Microsoft.Network/virtualNetworks/subnets@2025-01-01' = {`
Original file line number	Diff line number	Diff line change
`@@ -61,11 +61,6 @@ resource blobContainer 'Microsoft.Storage/storageAccounts/blobServices/container`
`61`	`61`	`}`
`62`	`62`	`}`
`63`	`63`
`64`		`-// See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles`
`65`		`-var roleID = {`
`66`		`- blobContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'`
`67`		`-}`
`68`		`-`
`69`	`64`	`// Define role assignments array`
`70`	`65`	`var roleAssignments = [`
`71`	`66`	`{`
`@@ -75,6 +70,11 @@ var roleAssignments = [`
`75`	`70`	`}`
`76`	`71`	`]`
`77`	`72`
	`73`	`+// See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles`
	`74`	`+var roleID = {`
	`75`	`+ blobContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'`
	`76`	`+}`
	`77`	`+`
`78`	`78`	`// Let the managed identity edit the terraform state`
`79`	`79`	`resource blobContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {`
`80`	`80`	`name: guid(subscription().subscriptionId, miPrincipalID, 'blobContributor')`