-
Notifications
You must be signed in to change notification settings - Fork 9
Expand file tree
/
Copy pathjustfile
More file actions
220 lines (185 loc) · 6.14 KB
/
Copy pathjustfile
File metadata and controls
220 lines (185 loc) · 6.14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
# --------------------
# justfile
# --------------------
set shell := ["bash", "-eu", "-o", "pipefail", "-c"]
set dotenv-load := false
help:
@just --list
# --------------------
# Variables
# --------------------
image := "python-insecure-app"
tag := "debian"
timestamp := `date +%Y%m%d%H%M%S`
# --------------------
# Audit & Security
# --------------------
# Audit the SCA and SAST
audit: sca sast
@echo "Audit completed"
# Audit the Software Composition Analysis
sca:
python3 -m pip_audit --require-hashes --disable-pip --requirement requirements/common.txt
# Audit common security issues
sast:
python3 -m bandit --exclude "./.venv,./tests" --quiet --recursive .
# --------------------
# Build
# --------------------
# Build docker image
build: requirements
docker build --pull --tag {{image}}:{{tag}} .
# Build docker alpine image
build_alpine: requirements alpine
# Build docker distroless image
build_distroless: requirements distroless
# Build docker wolfi image
build_wolfi: requirements wolfi
# Build docker wolfi-distroless image
build_wolfi_noshell:
echo "Building wolfi_noshell image..."
docker build --file Dockerfile.wolfi_noshell --tag {{image}}:wolfi-noshell .
# Build alpine image
alpine:
echo "Building alpine image..."
docker build --file Dockerfile.alpine --pull --tag {{image}}:alpine .
# Build distroless image
distroless:
echo "Building distroless image..."
docker build --file Dockerfile.distroless --pull --tag {{image}}:distroless .
# Build wolfi image
wolfi:
echo "Building wolfi image..."
docker build --file Dockerfile.wolfi --pull --tag {{image}}:wolfi .
# --------------------
# Code quality
# --------------------
# Check linting and vulnerabilities
check:
python3 -m ruff format --check .
python3 -m ruff check .
# Fix Python code formatting, linting and sorting imports
fix:
python3 -m ruff format .
python3 -m ruff check --fix .
# --------------------
# Fuzzy tests
# --------------------
# Run fuzzy tests
fuzzytest: install_dev
schemathesis run --checks all http://localhost:1337/openapi.json
# --------------------
# Tests
# --------------------
# Run quick tests
quicktest: install_dev
python3 -m coverage run --omit=./tests/* --m pytest --disable-warnings
python3 -m coverage report
# Run tests
test: install_dev check audit quicktest
# --------------------
# Dependencies
# --------------------
# Compile requirements
requirements:
uv pip compile --generate-hashes --no-header --quiet --resolver=backtracking --strip-extras --upgrade --output-file requirements/base.txt requirements/base.in
uv pip compile --generate-hashes --no-header --quiet --resolver=backtracking --strip-extras --upgrade --output-file requirements/common.txt requirements/common.in
uv pip compile --generate-hashes --no-header --quiet --resolver=backtracking --strip-extras --upgrade --output-file requirements/dev.txt requirements/dev.in
# Install base requirements and dependencies
install_base:
uv pip install -r requirements/base.txt
# Install common requirements and dependencies
install_common: requirements install_base
uv pip sync requirements/common.txt
# Install dev requirements and dependencies
install_dev: requirements install_base
uv pip sync requirements/dev.txt
# --------------------
# Tooling
# --------------------
# Check outdated requirements and dependencies
outdated:
python3 -m pip list --outdated
# Run pre_commit
precommit:
python3 -m pre_commit run --all
# Update pre_commit
precommit_update:
python3 -m pre_commit autoupdate
# Run update
update: requirements precommit_update
# Create virtual environment
venv:
uv venv --python 3.13 .venv --allow-existing
# --------------------
# Run
# --------------------
# Run production server
run: install_common
fastapi run app/main.py
# Run dev mode server
run_dev: install_dev
fastapi dev app/main.py --port 1337
# Run docker server with optional tag
run_docker tag=tag:
docker run --rm \
--env-file .env \
--publish 1337:1337 \
--name python_insecure_app \
{{image}}:{{tag}}
# --------------------
# Verify provenance
# --------------------
# Verify distroless base image provenance
verify_distroless_provenance:
./scripts/verify_distroless_provenance.sh
# --------------------
# Vulnerability assessment
# --------------------
# Variables for vulnerability assessment
trivy_version := "0.70.0"
isolated_trivy_network := "trivy-net"
# Update vulnerability assessment database
trivy_update:
docker run --rm \
--entrypoint="" \
--env TRIVY_CACHE_DIR=/tmp/.trivycache/ \
--env TRIVY_NO_PROGRESS=true \
--env TRIVY_DISABLE_TELEMETRY=true \
--volume $(pwd)/.trivy/cache:/tmp/.trivycache \
--volume $(pwd)/.trivy/cache/db:/tmp/.trivycache/db \
aquasec/trivy:{{trivy_version}} \
sh -c "trivy image --download-db-only && \
trivy config /dev/null"
# Run vulnerability assessment
vuln_assessment image=image tag=tag:
docker network create --internal {{isolated_trivy_network}} || true \
&& docker run --rm \
--network {{isolated_trivy_network}} \
--entrypoint="" \
--env GIT_STRATEGY=none \
--env TRIVY_CACHE_DIR=/tmp/.trivycache/ \
--env TRIVY_NO_PROGRESS=true \
--env TRIVY_DISABLE_TELEMETRY=true \
--volume /var/run/docker.sock:/var/run/docker.sock \
--volume $(pwd):/tmp/app \
--volume $(pwd)/.trivy:/tmp/.trivy \
--volume $(pwd)/.trivy/cache:/tmp/.trivycache \
--volume $(pwd)/.trivy/cache/db:/root/.cache/trivy/db \
--volume $(pwd)/scripts:/scripts \
aquasec/trivy:{{trivy_version}} \
/scripts/trivy_scan.sh {{image}} {{tag}}
# --------------------
# Penetration testing
# --------------------
## Run pentest
pentest:
docker run --rm --tty \
--network host \
--volume $(pwd)/.zap/reports:/zap/wrk/reports:rw \
ghcr.io/zaproxy/zaproxy:stable \
zap-api-scan.py \
-t http://localhost:1337/openapi.json \
-f openapi \
-r /zap/wrk/reports/{{timestamp}}.html \
-J /zap/wrk/reports/{{timestamp}}.json