From be9a4fe5c52640ac369cd3c76b8b7886315b0254 Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:21:27 -0300
Subject: [PATCH 01/12] Update Dockerfile
---
 Dockerfile | 137 +++++++++++++++++++++++++++--------------------------
 1 file changed, 70 insertions(+), 67 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 19c6f8a..93ab24b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,67 +1,70 @@
-# ------------------------------------------------------------------------------
-# Stage 1: Builder
-# This stage builds the application and its dependencies.
-# ------------------------------------------------------------------------------
-FROM python:3.13.3-slim-bookworm AS builder
-WORKDIR /app
-
-# Install system build tools for packages with native extensions
-RUN apt-get update && \
- apt-get install -y --no-install-recommends build-essential gcc libffi-dev libssl-dev && \
- rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*.deb
-
-# Pre-build all dependencies into wheels for reproducibility and speed
-COPY --chown=root:root --chmod=644 requirements.txt .
-RUN pip wheel --no-cache-dir --wheel-dir=/app/wheelhouse -r requirements.txt
-
-# ------------------------------------------------------------------------------
-# Stage 2: Runtime
-# This stage creates the final, minimal image to run the application.
-# ------------------------------------------------------------------------------
-FROM python:3.13.3-slim-bookworm AS runtime
-WORKDIR /app
-
-# Metadata labels
-LABEL org.opencontainers.image.title="๐Ÿงช RESTful API with Python 3 and FastAPI"
-LABEL org.opencontainers.image.description="Proof of Concept for a RESTful API made with Python 3 and FastAPI"
-LABEL org.opencontainers.image.licenses="MIT"
-LABEL org.opencontainers.image.source="https://github.com/nanotaboada/python-samples-fastapi-restful"
-
-# Copy prebuilt wheels and install dependencies
-COPY --chown=root:root --chmod=644 requirements.txt .
-COPY --from=builder --chown=root:root --chmod=755 /app/wheelhouse /app/wheelhouse
-RUN pip install --no-cache-dir --no-index --find-links /app/wheelhouse -r requirements.txt && \
- rm -rf /app/wheelhouse
-
-# Copy application code (read-only)
-COPY --chown=root:root --chmod=644 main.py ./
-COPY --chown=root:root --chmod=755 database ./database
-COPY --chown=root:root --chmod=755 models ./models
-COPY --chown=root:root --chmod=755 routes ./routes
-COPY --chown=root:root --chmod=755 schemas ./schemas
-COPY --chown=root:root --chmod=755 services ./services
-
-# Copy metadata for GHCR (read-only)
-COPY --chown=root:root --chmod=644 README.md ./
-COPY --chown=root:root --chmod=755 assets ./assets
-
-# Copy entrypoint sctipt and SQLite database
-COPY --chown=root:root --chmod=755 scripts/entrypoint.sh ./entrypoint.sh
-COPY --chown=root:root --chmod=755 sqlite3-db ./docker-compose
-
-# Create non-root user and make volume mount point writable
-RUN groupadd --system fastapi && \
- adduser --system --ingroup fastapi --disabled-password --gecos '' fastapi && \
- mkdir -p /sqlite3-db && \
- chown fastapi:fastapi /sqlite3-db
-
-# Drop privileges
-USER fastapi
-
-# Logging output immediately
-ENV PYTHONUNBUFFERED=1
-
-EXPOSE 9000
-
-ENTRYPOINT ["./entrypoint.sh"]
-CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "9000"]
+# ------------------------------------------------------------------------------
+# Stage 1: Builder
+# ------------------------------------------------------------------------------
+ FROM python:3.13.3-slim-bookworm AS builder
+ WORKDIR /app
+
+ # Install build dependencies
+ RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ build-essential \
+ gcc \
+ libffi-dev \
+ libssl-dev && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+ # Copy and pre-build Python dependencies
+ COPY requirements.txt .
+ RUN pip install --upgrade pip && \
+ pip wheel --no-cache-dir --wheel-dir=/app/wheelhouse -r requirements.txt
+
+ # ------------------------------------------------------------------------------
+ # Stage 2: Runtime
+ # ------------------------------------------------------------------------------
+ FROM python:3.13.3-slim-bookworm AS runtime
+ WORKDIR /app
+
+ # Metadata
+ LABEL org.opencontainers.image.title="๐Ÿงช RESTful API with Python 3 and FastAPI"
+ LABEL org.opencontainers.image.description="Proof of Concept for a RESTful API made with Python 3 and FastAPI"
+ LABEL org.opencontainers.image.licenses="MIT"
+ LABEL org.opencontainers.image.source="https://github.com/nanotaboada/python-samples-fastapi-restful"
+
+ # Install runtime dependencies
+ COPY requirements.txt .
+ COPY --from=builder /app/wheelhouse /app/wheelhouse
+ RUN pip install --no-cache-dir --no-index --find-links=/app/wheelhouse -r requirements.txt && \
+ rm -rf /app/wheelhouse
+
+ # Copy app code
+ COPY main.py .
+ COPY database/ ./database/
+ COPY models/ ./models/
+ COPY routes/ ./routes/
+ COPY schemas/ ./schemas/
+ COPY services/ ./services/
+ COPY README.md .
+ COPY assets/ ./assets/
+
+ # Copy startup script and SQLite DB seed
+ COPY scripts/entrypoint.sh ./entrypoint.sh
+ RUN chmod +x ./entrypoint.sh
+ COPY sqlite3-db ./docker-compose
+
+ # Create non-root user and make volume writable
+ RUN groupadd --system fastapi && \
+ useradd --system --gid fastapi --create-home fastapi && \
+ mkdir -p /sqlite3-db && \
+ chown -R fastapi:fastapi /app /sqlite3-db
+
+ # Configure environment
+ ENV PYTHONUNBUFFERED=1
+ EXPOSE 9000
+
+ ENTRYPOINT ["./entrypoint.sh"]
+ CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "9000"]
+
+ # ๐Ÿ‘‡ Importante: solo al final
+ USER fastapi
+
From 41aa2af656a0c82f86c1673efdf32a58b29932ab Mon Sep 17 00:00:00 2001
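Review bot: `chown -R fastapi:fastapi /app /sqlite3-db` in the user-creation RUN step hands the whole application tree, including `main.py`, the package directories and the seed database under `./docker-compose`, to the account the service runs as, whereas the removed lines deliberately kept the code root-owned and read-only (`--chown=root:root --chmod=644`/`755`, "Copy application code (read-only)"); a compromised request handler can now rewrite its own code. Only the volume mount point needs to be writable, so keep `chown fastapi:fastapi /sqlite3-db` and drop `/app` from the recursive chown. The separate `RUN chmod +x ./entrypoint.sh` adds a layer that `COPY --chmod=755 scripts/entrypoint.sh ./entrypoint.sh` avoids, and a `chown -R` after `COPY` duplicates every touched file in the image. `pip install --upgrade pip` in the builder stage is unpinned, which makes the wheel build non-reproducible between runs.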
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:21:55 -0300
Subject: [PATCH 02/12] Update entrypoint.sh
---
 scripts/entrypoint.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index 642f010..ea8d4d2 100644
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 set -e
+echo "โœ” Fixing permissions..."
+chown -R fastapi:fastapi /sqlite3-db
 IMAGE_DATABASE_FILE_PATH="/app/docker-compose/players-sqlite3.db"
 VOLUME_DATABASE_FILE_PATH="/sqlite3-db/players-sqlite3.db"
From 7e1da47804d542bc5fd3c875ca9c6bdaa73878dc Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:22:41 -0300
Subject: [PATCH 03/12] Update Dockerfile
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 93ab24b..10fd3b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,6 +65,6 @@
 ENTRYPOINT ["./entrypoint.sh"]
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "9000"]
- # ๐Ÿ‘‡ Importante: solo al final
+ # ๐Ÿ‘‡Run with not root user
 USER fastapi
From 09d9dfd1241cffe338825174b5dace0666103622 Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:24:10 -0300
Subject: [PATCH 04/12] Create docker-security.yml
---
 .github/workflows/docker-security.yml | 30 +++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/docker-security.yml
diff --git a/.github/workflows/docker-security.yml b/.github/workflows/docker-security.yml
new file mode 100644
index 0000000..16929dd
--- /dev/null
+++ b/.github/workflows/docker-security.yml
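Review bot: `chown -R fastapi:fastapi /sqlite3-db` runs as the `fastapi` user, because the Dockerfile switches to `USER fastapi` before the entrypoint executes, so it cannot change ownership of anything it does not already own; on a bind mount owned by the host user it fails with EPERM and `set -e` aborts the container before the database copy below, and where it succeeds it is effectively a no-op since the image already set that ownership at build time. If the goal is a writable named volume, the build-time `chown` on `/sqlite3-db` is sufficient (Docker seeds an empty named volume from the image directory, ownership included), so the two added lines can be dropped. If host bind mounts must be supported, ownership has to be fixed on the host side or by a root-privileged init step, not by the unprivileged service account. The rest of entrypoint.sh continues outside the hunk.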
@@ -0,0 +1,30 @@
+name: Validate Docker Image with Trivy (docker-compose)
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+
+jobs:
+ build-and-scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: ๐Ÿงพ Checkout repo
+ uses: actions/checkout@v3
+
+ - name: ๐Ÿณ Set up Docker Compose
+ run: sudo apt-get update && sudo apt-get install -y docker-compose
+
+ - name: ๐Ÿ› ๏ธ Build image with docker compose
+ run: docker compose build
+
+ - name: ๐Ÿ” Scan local image with Trivy
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: python-samples-fastapi-restful:latest # tu nombre de imagen real
+ format: table
+ exit-code: 1
+ ignore-unfixed: true
+ severity: CRITICAL,HIGH
From 83ff899c317ea402338ccdf248f86fd001824cee Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:25:24 -0300
Subject: [PATCH 05/12] Update docker-security.yml
---
 .github/workflows/docker-security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-security.yml b/.github/workflows/docker-security.yml
index 16929dd..7bec671 100644
--- a/.github/workflows/docker-security.yml
+++ b/.github/workflows/docker-security.yml
@@ -2,9 +2,9 @@ name: Validate Docker Image with Trivy (docker-compose)
 on:
 pull_request:
- branches: [main]
+ branches: [master]
 push:
- branches: [main]
+ branches: [master]
 jobs:
 build-and-scan:
From 6b0b9dacfc6c7d18ce9a981429098a48dec39bc0 Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:37:55 -0300
Subject: [PATCH 06/12] Update docker-security.yml
---
 .github/workflows/docker-security.yml | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/docker-security.yml b/.github/workflows/docker-security.yml
index 7bec671..8e7cd85 100644
--- a/.github/workflows/docker-security.yml
+++ b/.github/workflows/docker-security.yml
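Review bot: `uses: aquasecurity/trivy-action@master` in the scan step pulls a third-party action from a mutable branch, so whatever lands on that branch next runs inside this job with its token; pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<release tag or commit sha>`), and treat `actions/checkout@v3` the same way. The setup step installs the legacy `docker-compose` v1 package via apt while the build step calls the v2 plugin `docker compose`, which the ubuntu-latest runner already ships, so the apt step is dead weight and one more package pulled in at run time. The workflow declares no `permissions:` block, so the job inherits the repository's default token scopes although a build-and-scan only needs `contents: read`. The inline comment `# tu nombre de imagen real` is a Spanish working note; the fixed image name would read better as a comment on the build step that produces it.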
@@ -1,4 +1,4 @@
-name: Validate Docker Image with Trivy (docker-compose)
+name: ๐Ÿ” Validate Docker Image with Trivy (docker-compose)
 on:
 pull_request:
@@ -17,14 +17,18 @@ jobs:
 - name: ๐Ÿณ Set up Docker Compose
 run: sudo apt-get update && sudo apt-get install -y docker-compose
- - name: ๐Ÿ› ๏ธ Build image with docker compose
- run: docker compose build
+ - name: ๐Ÿ› ๏ธ Build image without cache
+ run: docker compose build --no-cache
- - name: ๐Ÿ” Scan local image with Trivy
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: python-samples-fastapi-restful:latest # tu nombre de imagen real
- format: table
- exit-code: 1
- ignore-unfixed: true
- severity: CRITICAL,HIGH
+ - name: ๐Ÿณ List Docker images (debug)
+ run: docker images
+
+ - name: ๐Ÿ” Run Trivy via Docker (scan local image)
+ run: |
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v $HOME/.cache:/root/.cache/ \
+ aquasec/trivy:latest \
+ image --format table --exit-code 1 --ignore-unfixed \
+ --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
+ python-samples-fastapi-restful:latest
From 840a27570fdd06a8551c423bc4b6d7da0d9542d3 Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:46:36 -0300
Subject: [PATCH 07/12] Update docker-security.yml
---
 .github/workflows/docker-security.yml | 55 ++++++++++++++-------------
 1 file changed, 29 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/docker-security.yml b/.github/workflows/docker-security.yml
index 8e7cd85..396d0f0 100644
--- a/.github/workflows/docker-security.yml
+++ b/.github/workflows/docker-security.yml
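Review bot: `aquasec/trivy:latest` in the new scan step is an unpinned image that is handed the runner's Docker socket via `-v /var/run/docker.sock:/var/run/docker.sock`, so whatever that tag resolves to at run time gets full control of the daemon that just built the image; pin the scanner to a version tag or digest (`aquasec/trivy:<pinned version>`) so the scan is reproducible and the code receiving the socket is known. `--severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` together with `--exit-code 1` fails the build on any finding at all, including unknown-severity entries, which is a much stricter gate than the `CRITICAL,HIGH` the removed step enforced and is likely to block every PR on noise rather than on actionable results. `$HOME/.cache` should be quoted inside the `run: |` block, and the `docker images` debug step can be removed once the image name is confirmed.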
@@ -1,34 +1,37 @@
-name: ๐Ÿ” Validate Docker Image with Trivy (docker-compose)
+name: Trivy Image Scan
 on:
- pull_request:
- branches: [master]
 push:
- branches: [master]
+ branches: [main]
+ pull_request:
+ branches: [main]
+ workflow_dispatch:
 jobs:
- build-and-scan:
+ scan:
+ name: Scan Docker Image with Trivy
 runs-on: ubuntu-latest
 steps:
- - name: ๐Ÿงพ Checkout repo
- uses: actions/checkout@v3
-
- - name: ๐Ÿณ Set up Docker Compose
- run: sudo apt-get update && sudo apt-get install -y docker-compose
-
- - name: ๐Ÿ› ๏ธ Build image without cache
- run: docker compose build --no-cache
-
- - name: ๐Ÿณ List Docker images (debug)
- run: docker images
-
- - name: ๐Ÿ” Run Trivy via Docker (scan local image)
- run: |
- docker run --rm \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -v $HOME/.cache:/root/.cache/ \
- aquasec/trivy:latest \
- image --format table --exit-code 1 --ignore-unfixed \
- --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
- python-samples-fastapi-restful:latest
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build image
+ run: docker build -t python-samples-fastapi-restful .
+
+ - name: Install Trivy
+ uses: aquasecurity/trivy-action@v0.16.1
+ with:
+ version: latest
+
+ - name: Run Trivy scan (como en Windows)
+ run: trivy image --no-progress --format table -o trivy-report.txt python-samples-fastapi-restful
+
+ - name: Upload Trivy report
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-scan-report
+ path: trivy-report.txt
From 117b6f16eb44b5706285851c2bdbf416a03014e4 Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:47:00 -0300
Subject: [PATCH 08/12] Update docker-security.yml
---
 .github/workflows/docker-security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
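Review bot: The scan step `run: trivy image --no-progress --format table -o trivy-report.txt python-samples-fastapi-restful` has no `--exit-code`, so the job now succeeds regardless of what Trivy finds and the workflow has quietly turned from a gate into a report; if findings are meant to block, restore `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed` as the removed step had. `uses: aquasecurity/trivy-action@v0.16.1` pins the action, but `version: latest` still downloads whatever Trivy release is current, so two runs of the same commit can disagree. The step name `(como en Windows)` is a Spanish working note rather than a description; `Run Trivy scan` is enough.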
diff --git a/.github/workflows/docker-security.yml b/.github/workflows/docker-security.yml
index 396d0f0..63e13bb 100644
--- a/.github/workflows/docker-security.yml
+++ b/.github/workflows/docker-security.yml
@@ -2,9 +2,9 @@ name: Trivy Image Scan
 on:
 push:
- branches: [main]
+ branches: [master]
 pull_request:
- branches: [main]
+ branches: [master]
 workflow_dispatch:
 jobs:
From dedaf50793ffa270662dbe14de9f01317406aa80 Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:48:03 -0300
Subject: [PATCH 09/12] Update docker-security.yml
---
 .github/workflows/docker-security.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docker-security.yml b/.github/workflows/docker-security.yml
index 63e13bb..371aaaa 100644
--- a/.github/workflows/docker-security.yml
+++ b/.github/workflows/docker-security.yml
@@ -22,13 +22,13 @@ jobs:
 - name: Build image
 run: docker build -t python-samples-fastapi-restful .
- - name: Install Trivy
- uses: aquasecurity/trivy-action@v0.16.1
- with:
- version: latest
+ - name: Install Trivy manually
+ run: |
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 - name: Run Trivy scan (como en Windows)
- run: trivy image --no-progress --format table -o trivy-report.txt python-samples-fastapi-restful
+ run: |
+ ./trivy image --no-progress --format table -o trivy-report.txt python-samples-fastapi-restful
 - name: Upload Trivy report
 uses: actions/upload-artifact@v4
From 9de00b7e471a986a4f8783ce15366446c7fa63c2 Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:49:42 -0300
Subject: [PATCH 10/12] Update docker-security.yml
---
 .github/workflows/docker-security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
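Review bot: `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin` executes a script fetched from a mutable branch with no version pin and no checksum, so the binary that decides whether the build passes is whatever that URL serves at run time; this is a weaker posture than the `@v0.16.1` action it replaces. If a manual install is really needed, pin it to a release (the install script accepts a release tag as its final argument, e.g. `sh -s -- -b /usr/local/bin <pinned trivy tag>`) and verify the downloaded archive against the published checksums, or simply keep the pinned action. Note also that the next step invokes `./trivy` from the workspace while the script installs to `/usr/local/bin`, so as written the scan step will not find the binary.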
diff --git a/.github/workflows/docker-security.yml b/.github/workflows/docker-security.yml
index 371aaaa..bc1429d 100644
--- a/.github/workflows/docker-security.yml
+++ b/.github/workflows/docker-security.yml
@@ -26,9 +26,9 @@ jobs:
 run: |
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- - name: Run Trivy scan (como en Windows)
+ - name: Run Trivy scan
 run: |
- ./trivy image --no-progress --format table -o trivy-report.txt python-samples-fastapi-restful
+ trivy image --no-progress --format table -o trivy-report.txt python-samples-fastapi-restful
 - name: Upload Trivy report
 uses: actions/upload-artifact@v4
From a0e8252d41a37d2292fb50e75a8e17c0b0f5c4dc Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:53:09 -0300
Subject: [PATCH 11/12] Update docker-security.yml
---
 .github/workflows/docker-security.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/docker-security.yml b/.github/workflows/docker-security.yml
index bc1429d..a5fd586 100644
--- a/.github/workflows/docker-security.yml
+++ b/.github/workflows/docker-security.yml
@@ -30,6 +30,9 @@ jobs:
 run: |
 trivy image --no-progress --format table -o trivy-report.txt python-samples-fastapi-restful
+ - name: Show Trivy report in logs
+ run: cat trivy-report.txt
+
 - name: Upload Trivy report
 uses: actions/upload-artifact@v4
 with:
From 2b0c35a58d1f25d6f4f0ed0923e126f61bcf5248 Mon Sep 17 00:00:00 2001
From: morettimaxi <31962131+morettimaxi@users.noreply.github.com>
Date: Fri, 16 May 2025 12:56:46 -0300
Subject: [PATCH 12/12]
---
 .github/workflows/docker-security.yml | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/docker-security.yml b/.github/workflows/docker-security.yml
index a5fd586..729cca3 100644
--- a/.github/workflows/docker-security.yml
+++ b/.github/workflows/docker-security.yml
@@ -1,15 +1,14 @@
-name: Trivy Image Scan
+name: Docker Security Scan
 on:
 push:
 branches: [master]
 pull_request:
 branches: [master]
- workflow_dispatch:
 jobs:
 scan:
- name: Scan Docker Image with Trivy
+ name: Scan Docker Image with Anchore
 runs-on: ubuntu-latest
 steps:
@@ -22,19 +21,8 @@ jobs:
 - name: Build image
 run: docker build -t python-samples-fastapi-restful .
- - name: Install Trivy manually
- run: |
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-
- - name: Run Trivy scan
- run: |
- trivy image --no-progress --format table -o trivy-report.txt python-samples-fastapi-restful
-
- - name: Show Trivy report in logs
- run: cat trivy-report.txt
-
- - name: Upload Trivy report
- uses: actions/upload-artifact@v4
+ - name: Run Anchore scan
+ uses: anchore/scan-action@v2
 with:
- name: trivy-scan-report
- path: trivy-report.txt
+ image-reference: python-samples-fastapi-restful
+ fail-build: true
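Review bot: `uses: anchore/scan-action@v2` with `fail-build: true` and no `severity-cutoff` gates on the action's default threshold, so the policy this workflow enforces cannot be read from the file; state it explicitly, e.g. `severity-cutoff: high`, and pin the action to a commit SHA rather than the mutable `v2` major tag, which is also well behind the action's current releases. Dropping the `actions/upload-artifact@v4` step means no scan report survives the run, so a failed gate leaves only the job log to triage from; later majors of this action emit SARIF that can be uploaded to code scanning instead. Removing `workflow_dispatch:` takes away on-demand re-scans, which is the run you want when the vulnerability database rather than the image has changed. The commit has an empty subject; a one-line summary such as `Replace Trivy with Anchore scan` would make the history searchable.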