container scans

.codacy-cli.sh

@@ -0,0 +1,149 @@
+#!/usr/bin/env bash
+
+
+set -e +o pipefail
+
+# Set up paths first
+bin_name="codacy-cli-v2"
+
+# Determine OS-specific paths
+os_name=$(uname)
+arch=$(uname -m)
+
+case "$arch" in
+"x86_64")
+  arch="amd64"
+  ;;
+"x86")
+  arch="386"
+  ;;
+"aarch64"|"arm64")
+  arch="arm64"
+  ;;
+esac
+
+if [ -z "$CODACY_CLI_V2_TMP_FOLDER" ]; then
+    if [ "$(uname)" = "Linux" ]; then
+        CODACY_CLI_V2_TMP_FOLDER="$HOME/.cache/codacy/codacy-cli-v2"
+    elif [ "$(uname)" = "Darwin" ]; then
+        CODACY_CLI_V2_TMP_FOLDER="$HOME/Library/Caches/Codacy/codacy-cli-v2"
+    else
+        CODACY_CLI_V2_TMP_FOLDER=".codacy-cli-v2"
+    fi
+fi
+
+version_file="$CODACY_CLI_V2_TMP_FOLDER/version.yaml"
+
+
+get_version_from_yaml() {
+    if [ -f "$version_file" ]; then
+        local version=$(grep -o 'version: *"[^"]*"' "$version_file" | cut -d'"' -f2)
+        if [ -n "$version" ]; then
+            echo "$version"
+            return 0
+        fi
+    fi
+    return 1
+}
+
+get_latest_version() {
+    local response
+    if [ -n "$GH_TOKEN" ]; then
+        response=$(curl -Lq --header "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/codacy/codacy-cli-v2/releases/latest" 2>/dev/null)
+    else
+        response=$(curl -Lq "https://api.github.com/repos/codacy/codacy-cli-v2/releases/latest" 2>/dev/null)
+    fi
+
+    handle_rate_limit "$response"
+    local version=$(echo "$response" | grep -m 1 tag_name | cut -d'"' -f4)
+    echo "$version"
+}
+
+handle_rate_limit() {
+    local response="$1"
+    if echo "$response" | grep -q "API rate limit exceeded"; then
+          fatal "Error: GitHub API rate limit exceeded. Please try again later"
+    fi
+}
+
+download_file() {
+    local url="$1"
+
+    echo "Downloading from URL: ${url}"
+    if command -v curl > /dev/null 2>&1; then
+        curl -# -LS "$url" -O
+    elif command -v wget > /dev/null 2>&1; then
+        wget "$url"
+    else
+        fatal "Error: Could not find curl or wget, please install one."
+    fi
+}
+
+download() {
+    local url="$1"
+    local output_folder="$2"
+
+    ( cd "$output_folder" && download_file "$url" )
+}
+
+download_cli() {
+    # OS name lower case
+    suffix=$(echo "$os_name" | tr '[:upper:]' '[:lower:]')
+
+    local bin_folder="$1"
+    local bin_path="$2"
+    local version="$3"
+
+    if [ ! -f "$bin_path" ]; then
+        echo "📥 Downloading CLI version $version..."
+
+        remote_file="codacy-cli-v2_${version}_${suffix}_${arch}.tar.gz"
+        url="https://github.com/codacy/codacy-cli-v2/releases/download/${version}/${remote_file}"
+
+        download "$url" "$bin_folder"
+        tar xzfv "${bin_folder}/${remote_file}" -C "${bin_folder}"
+    fi
+}
+
+# Warn if CODACY_CLI_V2_VERSION is set and update is requested
+if [ -n "$CODACY_CLI_V2_VERSION" ] && [ "$1" = "update" ]; then
+    echo "⚠️  Warning: Performing update with forced version $CODACY_CLI_V2_VERSION"
+    echo "    Unset CODACY_CLI_V2_VERSION to use the latest version"
+fi
+
+# Ensure version.yaml exists and is up to date
+if [ ! -f "$version_file" ] || [ "$1" = "update" ]; then
+    echo "ℹ️  Fetching latest version..."
+    version=$(get_latest_version)
+    mkdir -p "$CODACY_CLI_V2_TMP_FOLDER"
+    echo "version: \"$version\"" > "$version_file"
+fi
+
+# Set the version to use
+if [ -n "$CODACY_CLI_V2_VERSION" ]; then
+    version="$CODACY_CLI_V2_VERSION"
+else
+    version=$(get_version_from_yaml)
+fi
+
+
+# Set up version-specific paths
+bin_folder="${CODACY_CLI_V2_TMP_FOLDER}/${version}"
+
+mkdir -p "$bin_folder"
+bin_path="$bin_folder"/"$bin_name"
+
+# Download the tool if not already installed
+download_cli "$bin_folder" "$bin_path" "$version"
+chmod +x "$bin_path"
+
+run_command="$bin_path"
+if [ -z "$run_command" ]; then
+    fatal "Codacy cli v2 binary could not be found."
+fi
+
+if [ "$#" -eq 1 ] && [ "$1" = "download" ]; then
+    echo "Codacy cli v2 download succeeded"
+else
+    eval "$run_command $*"
+fi

.github/workflows/codacy-container-scan.yml

@@ -0,0 +1,52 @@
+name: Codacy Container Scanning
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  schedule:
+    # Run daily at 2 AM UTC
+    - cron: '0 2 * * *'
+
+jobs:
+  codacy-container-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: |
+          docker build -t engine-helper:${{ github.sha }} .
+          docker tag engine-helper:${{ github.sha }} engine-helper:latest
+
+      - name: Download Codacy CLI v2
+        run: |
+          curl -Ls https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh -o codacy-cli.sh
+          bash codacy-cli.sh download
+
+      - name: Initialize Codacy CLI v2
+        env:
+          CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
+        run: |
+          bash codacy-cli.sh init \
+            --api-token "${CODACY_API_TOKEN}" \
+            --provider gh \
+            --organization codacy-acme \
+            --repository engine-helper
+
+      - name: Generate and upload SBOM to Codacy
+        env:
+          CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
+        run: |
+          bash codacy-cli.sh upload-sbom \
+            --api-token "${CODACY_API_TOKEN}" \
+            --provider gh \
+            --organization codacy-acme \
+            --repository engine-helper \
+            engine-helper:${{ github.sha }}

CODACY_CONTAINER_SCANNING.md

@@ -0,0 +1,135 @@
+# Codacy Container Scanning Setup
+
+This repository now includes Codacy container scanning capabilities for security analysis of Docker images.
+
+## Files Added
+
+1. **Dockerfile** - Multi-stage Python build configuration for the engine-helper application
+2. **.github/workflows/codacy-container-scan.yml** - GitHub Actions workflow for automated container scanning
+3. **test-container-scan-local.sh** - Local testing script to verify container scanning before pushing
+
+## Prerequisites
+
+- Docker installed locally
+- Codacy CLI token (from https://app.codacy.com/account/settings/tokens)
+- The engine-helper repository must be set up in Codacy
+
+## Local Testing
+
+### Step 1: Set Your Codacy Token
+
+```bash
+export CODACY_CLI_TOKEN=your_token_here
+```
+
+### Step 2: Run the Local Test Script
+
+```bash
+./test-container-scan-local.sh
+```
+
+This script will:
+1. Verify Docker is installed
+2. Build the Docker image
+3. Run Codacy container scanning (if token is set)
+4. Display next steps
+
+### Example Output
+
+```
+==========================================
+Codacy Container Scanning - Local Test
+==========================================
+
+Step 1: Building Docker image...
+✓ Docker image built: engine-helper:local-test
+
+Step 2: Running Codacy container scan...
+...
+```
+
+## GitHub Actions Workflow
+
+The workflow (`codacy-container-scan.yml`) is configured to:
+
+- **Triggers**: 
+  - Push to `main` and `develop` branches
+  - Pull requests to `main` and `develop` branches
+  - Daily scheduled run at 2 AM UTC
+
+- **Actions**:
+  1. Checkout code
+  2. Build Docker image
+  3. Run Codacy container security scan via SBOM
+  4. Upload scan artifacts (if available)
+
+## GitHub Secret Configuration
+
+Before the workflow runs on GitHub, you need to add your Codacy CLI token as a secret:
+
+1. Go to your repository settings
+2. Navigate to **Secrets and variables** → **Actions**
+3. Click **New repository secret**
+4. Name: `CODACY_CLI_TOKEN`
+5. Value: Your Codacy API token from https://app.codacy.com/account/settings/tokens
+6. Click **Add secret**
+
+## Monitoring Results
+
+After deployment:
+
+1. GitHub: Check workflow runs in **Actions** tab
+2. Codacy Dashboard: https://app.codacy.com
+3. Security Issues: Check the **Security** tab for container scan results
+
+## Troubleshooting
+
+### Local Test Issues
+
+**Docker not found:**
+```bash
+# Install Docker from https://www.docker.com/products/docker-desktop
+```
+
+**Token not set:**
+```bash
+# Verify your token is exported
+echo $CODACY_CLI_TOKEN
+
+# If empty, export it again
+export CODACY_CLI_TOKEN=your_token_here
+```
+
+### GitHub Actions Issues
+
+**Secret not found:**
+- Verify the secret is added to the repository (check **Settings** → **Secrets**)
+- Secrets are not inherited from organization settings
+
+**Scan fails with authentication error:**
+- Verify the token is correct and not expired
+- Check token permissions in Codacy
+
+**Image build fails:**
+- Check Docker build output
+- Verify all dependencies in `requirements.txt` are installable
+
+## Next Steps
+
+1. ✅ Local testing: Run `./test-container-scan-local.sh`
+2. Verify Docker image builds successfully
+3. Commit changes to git:
+   ```bash
+   git add Dockerfile .github/workflows/codacy-container-scan.yml test-container-scan-local.sh
+   git commit -m "Add Codacy container scanning"
+   git push origin main
+   ```
+4. Add the `CODACY_CLI_TOKEN` secret to GitHub repository settings
+5. Push a change to trigger the workflow or check **Actions** tab for scheduled runs
+
+## Additional Resources
+
+- [Codacy CLI Documentation](https://docs.codacy.com/codacy-cli/overview/)
+- [Container Scanning Guide](https://docs.codacy.com/codacy-cli/container-scanning/)
+- [SBOM Uploads](https://docs.codacy.com/codacy-cli/sbom-uploads/)
+- [GitHub Actions Documentation](https://docs.github.com/en/actions)

Dockerfile

@@ -0,0 +1,7 @@
+FROM python:3.8
+
+WORKDIR /app
+
+COPY main.py .
+
+CMD ["python", "main.py"]

requirements.txt

@@ -13,7 +13,7 @@ idna==3.2
 kiwisolver==1.3.2
 lxml==4.7.1
 matplotlib==3.5.1
-numpy==1.21.4
+numpy==1.26.4
 packaging==21.3
 Pillow==8.4.0
 pycodestyle==2.7.0