[ContainerRegistry] <DO NOT MERGE> Add 'acrcssc' extension for public preview

src/acrcssc/HISTORY.rst

@@ -0,0 +1,16 @@
+.. :changelog:
+
+Release History
+===============
+
+1.1.1
+++++++
+* Release for Public Preview
+* Added `list`and `cancel-run` commands for workflows
+* `list` command provide output on the scan and patch status of the registry
+* `cancel-run` command allows to canceling all running scan and patch tasks
+
+
+1.1.0
+++++++
+* Initial release for Private Preview

src/acrcssc/README.rst

@@ -0,0 +1,103 @@
+Microsoft Azure CLI 'acrcssc' Extension
+==========================================
+
+Azure Container Registry - Container Secure Supply Chain (Continuous Patching)
+==========================================
+
+Overview
+========
+The `acrcssc` extension for Azure CLI provides continuous patching capabilities for Azure Container Registry (ACR). This extension helps automate the process of scanning and patching container images to ensure they are up-to-date with the latest security patches. Scans your configured list of images for vulnerabilities (CVEs) using Trivy and patch them using Copacetic.
+
+Preview Limitations
+===================
+Continuous Patching is currently in preview. The following limitations apply:
+
+- Windows-based container images aren’t supported
+- Only "OS-level" vulnerabilities will be patched. This includes packages in the image managed by a package manager such as “apt” and “yum”. Vulnerabilities at the “application level” are unable to be patched, such as compiled languages like Go, Python, NodeJS
+- Patching is only supported in Public regions, not in Sovereign regions
+
+Features
+========
+- **Continuous Patching Workflow**: Automates the process of scanning and patching container images.
+- **Task Management**: Create, update, delete, show, and cancel continuous patch tasks in the registry.
+- **Dry Run Mode**: Validate the configuration without making any changes.
+- **Immediate Run**: Trigger the patching workflow immediately.
+- **Run Status**: Monitor the status of the scanning and patching tasks.
+
+Commands
+========
+- `az acr supply-chain workflow create`: Create a continuous patch task in the registry.
+- `az acr supply-chain workflow update`: Update an existing continuous patch task.
+- `az acr supply-chain workflow delete`: Delete a continuous patch task.
+- `az acr supply-chain workflow list`: List all continuous patch tasks in the registry.
+- `az acr supply-chain workflow show`: Show details of a specific continuous patch task.
+- `az acr supply-chain workflow cancel-run`: Cancel all running scan and patch tasks.
+
+Usage
+=====
+1. **Create a Continuous Patch Task**:
+   ```sh
+   az acr supply-chain workflow create --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1 --schedule <schedule> --config <config-file>
+   ```
+
+1. **Update a Continuous Patch Task**:
+   ```sh
+   az acr supply-chain workflow update --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1 --schedule <schedule> --config <config-file>
+   ```
+
+1. **Update with dryrun to test configuration changes**:
+   ```sh
+   az acr supply-chain workflow update --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1 --config <config-file> --dryrun
+   ```
+
+1. **Delete a Continuous Patch Task**:
+   ```sh
+   az acr supply-chain workflow delete --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1
+   ```
+
+1. **List Continuous Patch Tasks**:
+   ```sh
+   az acr supply-chain workflow list --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1 --run-status <status>
+   ```
+
+1. **Show a Continuous Patch Task**:
+   ```sh
+   az acr supply-chain workflow show --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1
+   ```
+
+1. **Cancel all Scan and Patch Running Tasks**:
+   ```sh
+   az acr supply-chain workflow cancel-run --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1
+   ```
+
+Configuration
+=============
+The configuration file for the continuous patch task should define the repositories to be scanned and patched, the schedule for the task, and any other relevant settings.
+
+Example Configuration:
+
+```JSON
+{
+  "repositories": [
+    {
+      "repository": "alpine",
+      "tags": ["tag1", "tag2"],
+      "enabled": true
+    },
+    {
+      "repository": "python",
+      "tags": ["*"],
+      "enabled": false
+    }
+  ],
+  "version": "v1",
+  "tag-convention": "floating"
+}
+```
+
+Tag Convention
+==============
+The `tag-convention` property in the configuration file determines how the tags for patched images are managed. It can have the following values:
+
+- **incremental**: This is the default behavior. It increases the patch version of the tag. For example, if the original tag is `1.0`, the patched tags will be `1.0-1`, `1.0-2`, etc.
+- **floating**: This reuses the tag postfix `patched` for patching. For example, if the original tag is `1.0`, the patched tag will be `1.0-patched`.

src/acrcssc/azext_acrcssc/__init__.py

@@ -0,0 +1,32 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from azure.cli.core import AzCommandsLoader
+
+from azext_acrcssc._help import helps  # pylint: disable=unused-import
+
+
+class AcrcsscCommandsLoader(AzCommandsLoader):
+
+    def __init__(self, cli_ctx=None):
+        from azure.cli.core.commands import CliCommandType
+        from azext_acrcssc._client_factory import cf_acr
+        acrcssc_custom = CliCommandType(
+            operations_tmpl='azext_acrcssc.custom#{}',
+            client_factory=cf_acr)
+        super(AcrcsscCommandsLoader, self).__init__(cli_ctx=cli_ctx,
+                                                    custom_command_type=acrcssc_custom)
+
+    def load_command_table(self, args):
+        from azext_acrcssc.commands import load_command_table
+        load_command_table(self, args)
+        return self.command_table
+
+    def load_arguments(self, command):
+        from azext_acrcssc._params import load_arguments
+        load_arguments(self, command)
+
+
+COMMAND_LOADER_CLS = AcrcsscCommandsLoader

src/acrcssc/azext_acrcssc/_client_factory.py

@@ -0,0 +1,61 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+from azure.cli.core.commands.client_factory import get_mgmt_service_client
+from azure.cli.core.profiles import ResourceType
+from azure.mgmt.containerregistry import ContainerRegistryManagementClient
+from .helper._constants import (
+    ACR_API_VERSION_2023_01_01_PREVIEW,
+    ACR_API_VERSION_2019_06_01_PREVIEW
+)
+
+from azure.mgmt.authorization import AuthorizationManagementClient
+
+
+def cf_acr(cli_ctx, *_) -> ContainerRegistryManagementClient:
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2023_01_01_PREVIEW)
+
+
+def cf_acr_registries(cli_ctx, *_) -> ContainerRegistryManagementClient:
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2023_01_01_PREVIEW).registries
+
+
+def cf_acr_tasks(cli_ctx, *_):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2019_06_01_PREVIEW).tasks
+
+
+def cf_acr_registries_tasks(cli_ctx, *_):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2019_06_01_PREVIEW).registries
+
+
+def cf_acr_taskruns(cli_ctx, *_):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2019_06_01_PREVIEW).task_runs
+
+
+def cf_acr_runs(cli_ctx, *_):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2019_06_01_PREVIEW).runs
+
+
+def cf_resources(cli_ctx, subscription_id=None):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_RESOURCE_RESOURCES,
+                                   subscription_id=subscription_id)
+
+
+def cf_authorization(cli_ctx, subscription_id=None) -> AuthorizationManagementClient:
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_AUTHORIZATION,
+                                   subscription_id=subscription_id, api_version="2022-04-01")

src/acrcssc/azext_acrcssc/_help.py

@@ -0,0 +1,66 @@
+# coding=utf-8
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from knack.help_files import helps  # pylint: disable=unused-import
+
+helps['acr supply-chain'] = """
+    type: group
+    short-summary: Commands to manage acr supply chain resources.
+"""
+
+helps['acr supply-chain workflow'] = """
+    type: group
+    short-summary: Commands to manage acr supply chain workflows.
+"""
+
+helps['acr supply-chain workflow create'] = """
+    type: command
+    short-summary: Create acr supply chain workflow.
+    examples:
+        - name: Create acr supply chain workflow
+          text: az acr supply-chain workflow create -r $MyRegistry -g $MyResourceGroup \
+                --type continuouspatchv1 --schedule 1d --config path-to-config-file
+"""
+helps['acr supply-chain workflow update'] = """
+    type: command
+    short-summary: Update acr supply chain workflow.
+    examples:
+        - name: Updates acr supply chain workflow
+          text: az acr supply-chain workflow update -r $MyRegistry -g $MyResourceGroup --type \
+                continuouspatchv1 --schedule 1d --config path-to-config-file
+"""
+
+helps['acr supply-chain workflow show'] = """
+     type: command
+     short-summary: Show acr supply chain workflow tasks.
+     examples:
+        - name: Show all acr supply chain workflow
+          text: az acr supply-chain workflow show -r $MyRegistry -g $MyResourceGroup --type continuouspatchv1
+"""
+
+helps['acr supply-chain workflow delete'] = """
+    type: command
+    short-summary: Delete acr supply chain workflow.
+    examples:
+        - name: Delete acr supply chain workflow and associated configuration files
+          text: az acr supply-chain workflow delete -r $MyRegistry -g $MyResourceGroup --type continuouspatchv1
+"""
+
+helps['acr supply-chain workflow cancel-run'] = """
+    type: command
+    short-summary: Cancel currently running supply chain workflow.
+    examples:
+        - name: Cancel currently running acr supply chain workflow scans/patch
+          text: az acr supply-chain workflow cancel-run -r $MyRegistry -g $MyResourceGroup --type continuouspatchv1
+"""
+
+helps['acr supply-chain workflow list'] = """
+    type: command
+    short-summary: List status of acr supply chain workflow images.
+    examples:
+        - name: List all acr supply chain workflow images based on the status provided
+          text: az acr supply-chain workflow list -r $MyRegistry -g $MyResourceGroup --type continuouspatchv1 --run-status Failed
+"""

src/acrcssc/azext_acrcssc/_params.py

@@ -0,0 +1,37 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+# pylint: disable=line-too-long
+from azure.cli.command_modules.acr._constants import REGISTRY_RESOURCE_TYPE
+from azure.cli.command_modules.acr._validators import validate_registry_name
+from azure.cli.core import AzCommandsLoader
+from azure.cli.core.commands.parameters import (get_resource_name_completion_list, get_three_state_flag, get_enum_type)
+
+
+def load_arguments(self: AzCommandsLoader, _):
+    from .helper._constants import CSSCTaskTypes
+    from .helper._workflow_status import WorkflowTaskState
+
+    with self.argument_context("acr supply-chain workflow") as c:
+        c.argument('resource_group', options_list=['--resource-group', '-g'], help='Name of resource group.You can configure the default group using `az configure --defaults group=<name>`', completer=get_resource_name_completion_list(REGISTRY_RESOURCE_TYPE), configured_default='acr', validator=validate_registry_name)
+        c.argument('registry_name', options_list=['--registry', '-r'], help='The name of the container registry. It should be specified in lower case. You can configure the default registry name using `az configure --defaults acr=<registry name>`', completer=get_resource_name_completion_list(REGISTRY_RESOURCE_TYPE), configured_default='acr', validator=validate_registry_name)
+        c.argument("workflow_type", arg_type=get_enum_type(CSSCTaskTypes), options_list=['--type', '-t'], help="Type of workflow task.", required=True)
+
+    with self.argument_context("acr supply-chain workflow create") as c:
+        c.argument("config", options_list=["--config"], help="Configuration file path containing the json schema for the list of repositories and tags to filter within the registry. Schema example:{\"repositories\":[{\"repository\":\"alpine\",\"tags\":[\"tag1\",\"tag2\"],\"enabled\":true},{\"repository\":\"python\",\"tags\":[\"*\"],\"enabled\":false}], \"version\": \"v1\", \"tag-convention\": \"floating\"}. \"tag-convention\" is an optional property, values can be \"incremental\" (the default behavior, will increase the patch version of the tag, for example \"{repository}:{original-tag}-1\", \"{repository}:{original-tag}-2\", etc), or \"floating\" (will reuse the tag \"{repository}:{original-tag}-patched\" for patching)", required=True)
+        c.argument("schedule", options_list=["--schedule"], help="schedule to run the scan and patching task. E.g. `<n>d` where <n> is the number of days between each run. Max value is 30d.", required=True)
+        c.argument("run_immediately", options_list=["--run-immediately"], help="Set this flag to trigger the immediate run of the selected workflow task. Default value: false.", arg_type=get_three_state_flag(), required=False)
+        c.argument("dryrun", options_list=["--dry-run"], help="Use this flag to see the qualifying repositories and tags that would be affected by the workflow. Default value: false. 'config' parameter is mandatory to provide with dry-run", arg_type=get_three_state_flag(), required=False)
+
+    with self.argument_context("acr supply-chain workflow update") as c:
+        c.argument("config", options_list=["--config"], help="Configuration file path containing the json schema for the list of repositories and tags to filter within the registry. Schema example:{\"repositories\":[{\"repository\":\"alpine\",\"tags\":[\"tag1\",\"tag2\"],\"enabled\":true},{\"repository\":\"python\",\"tags\":[\"*\"],\"enabled\":false}], \"version\": \"v1\", \"tag-convention\": \"floating\"}}. \"tag-convention\" is an optional property, values can be \"incremental\" (the default behavior, will increase the patch version of the tag, for example \"{repository}:{original-tag}-1\", \"{repository}:{original-tag}-2\", etc), or \"floating\" (will reuse the tag \"{repository}:{original-tag}-patched\" for patching)", required=False)
+        c.argument("schedule", options_list=["--schedule"], help="schedule to run the scan and patching task. E.g. `<n>d` where n is the number of days between each run. Max value is 30d.", required=False)
+        c.argument("run_immediately", options_list=["--run-immediately"], help="Set this flag to trigger the immediate run of the selected workflow task. Default value: false.", arg_type=get_three_state_flag(), required=False)
+        c.argument("dryrun", options_list=["--dry-run"], help="Use this flag to see the qualifying repositories and tags that would be affected by the workflow. Default value: false. 'config' parameter is mandatory to provide with dry-run", arg_type=get_three_state_flag(), required=False)
+
+    with self.argument_context("acr supply-chain workflow list") as c:
+        c.argument("status", arg_type=get_enum_type(WorkflowTaskState), options_list=["--run-status"], help="Status to filter the supply-chain workflow image status.", required=False)
+
+    with self.argument_context("acr supply-chain workflow delete") as c:
+        c.argument("yes", options_list=["--yes", "-y"], help="Proceed with the deletion without user confirmation", required=False)