Skip to content

Latest commit

 

History

History
68 lines (56 loc) · 2.48 KB

File metadata and controls

68 lines (56 loc) · 2.48 KB

Deployment

Images building + Jenkins

The deployment of images, updating of services and applications, and backup procedures are performed by multiple Jenkins workflows found here The images used in deployment are built automatically and pushed to Docker Hub. See:

Configuration

The configurations for each of the following are in their associated directories:

Security Scanning

Using Trivy to scan Python dependencies for known vulnerabilities.

Install (macOS)

brew install trivy
trivy --version

Scan the dependency lockfile

# Scan the devops poetry.lock (run from this directory)
trivy fs .

Remediating findings

Findings list a Fixed Version. Bump the affected packages and re-scan.

The cleanest way to update the lockfile is a throwaway container from our own image (it already has poetry and the matching Python version), mounting this devops/ directory as the working dir so edits write straight back to the host:

# from the geoapi/ repo root
docker run --rm -it -u root \
  -v "$PWD/devops:/devops" \
  -w /devops \
  taccwma/geoapi:local bash

Then inside the container:

poetry update

Poetry edits /devops/pyproject.toml and /devops/poetry.lock in place; the mount writes them back to the host.

Scanning image

Build the production images and then scan

make build
trivy image --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL taccwma/geoapi:latest
trivy image --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL taccwma/geoapi-workers:latest