Azure · zhoxing-ms · Apr 27, 2025 · Jun 5, 2024 · Jun 5, 2024 · Jun 6, 2024
diff --git a/src/acrcssc/HISTORY.rst b/src/acrcssc/HISTORY.rst
@@ -0,0 +1,16 @@
+.. :changelog:
+
+Release History
+===============
+
+1.0.0b1
+++++++
+* Release for Public Preview
+* Added `list`and `cancel-run` commands for workflows
+* `list` command provide output on the scan and patch status of the registry
+* `cancel-run` command allows to canceling all running scan and patch tasks
+
+
+0.1.0b1
+++++++
+* Initial release for Private Preview
diff --git a/src/acrcssc/README.rst b/src/acrcssc/README.rst
@@ -0,0 +1,104 @@
+Microsoft Azure CLI 'acrcssc' Extension
+==========================================
+
+Azure Container Registry - Container Secure Supply Chain (Continuous Patching)
+==========================================
+
+Overview
+========
+The `acrcssc` extension for Azure CLI provides continuous patching capabilities for Azure Container Registry (ACR). This extension helps automate the process of scanning and patching container images to ensure they are up-to-date with the latest security patches. Scans your configured list of images for vulnerabilities (CVEs) using Trivy and patch them using Copacetic.
+
+Preview Limitations
+===================
+Continuous Patching is currently in preview. The following limitations apply:
+
+- Windows-based container images aren’t supported
+- Only "OS-level" vulnerabilities will be patched. This includes packages in the image managed by a package manager such as “apt” and “yum”. Vulnerabilities at the “application level” are unable to be patched, such as compiled languages like Go, Python, NodeJS
+- Patching is only supported in Public regions, not in Sovereign regions
+- CSSC patching is not supported for registries or in regions where Tasks are unavailable.
+
+Features
+========
+- **Continuous Patching Workflow**: Automates the process of scanning and patching container images.
+- **Task Management**: Create, update, delete, show, and cancel continuous patch tasks in the registry.
+- **Dry Run Mode**: Validate the configuration without making any changes.
+- **Immediate Run**: Trigger the patching workflow immediately.
+- **Run Status**: Monitor the status of the scanning and patching tasks.
+
+Commands
+========
+- `az acr supply-chain workflow create`: Create a continuous patch task in the registry.
+- `az acr supply-chain workflow update`: Update an existing continuous patch task.
+- `az acr supply-chain workflow delete`: Delete a continuous patch task.
+- `az acr supply-chain workflow list`: List all continuous patch tasks in the registry.
+- `az acr supply-chain workflow show`: Show details of a specific continuous patch task.
+- `az acr supply-chain workflow cancel-run`: Cancel all running scan and patch tasks.
+
+Usage
+=====
+1. **Create a Continuous Patch Task**:
+   ```sh
+   az acr supply-chain workflow create --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1 --schedule <schedule> --config <config-file>
+   ```
+
+1. **Update a Continuous Patch Task**:
+   ```sh
+   az acr supply-chain workflow update --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1 --schedule <schedule> --config <config-file>
+   ```
+
+1. **Update with dryrun to test configuration changes**:
+   ```sh
+   az acr supply-chain workflow update --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1 --config <config-file> --dryrun
+   ```
+
+1. **Delete a Continuous Patch Task**:
+   ```sh
+   az acr supply-chain workflow delete --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1
+   ```
+
+1. **List Continuous Patch Tasks**:
+   ```sh
+   az acr supply-chain workflow list --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1 --run-status <status>
+   ```
+
+1. **Show a Continuous Patch Task**:
+   ```sh
+   az acr supply-chain workflow show --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1
+   ```
+
+1. **Cancel all Scan and Patch Running Tasks**:
+   ```sh
+   az acr supply-chain workflow cancel-run --resource-group <resource-group> --registry <registry-name> --type continuouspatchv1
+   ```
+
+Configuration
+=============
+The configuration file for the continuous patch task should define the repositories to be scanned and patched, the schedule for the task, and any other relevant settings.
+
+Example Configuration:
+
+```JSON
+{
+  "repositories": [
+    {
+      "repository": "alpine",
+      "tags": ["tag1", "tag2"],
+      "enabled": true
+    },
+    {
+      "repository": "python",
+      "tags": ["*"],
+      "enabled": false
+    }
+  ],
+  "version": "v1",
+  "tag-convention": "floating"
+}
+```
+
+Tag Convention
+==============
+The `tag-convention` property in the configuration file determines how the tags for patched images are managed. It can have the following values:
+
+- **incremental**: This is the default behavior. It increases the patch version of the tag. For example, if the original tag is `1.0`, the patched tags will be `1.0-1`, `1.0-2`, etc.
+- **floating**: This reuses the tag postfix `patched` for patching. For example, if the original tag is `1.0`, the patched tag will be `1.0-patched`.
diff --git a/src/acrcssc/azext_acrcssc/__init__.py b/src/acrcssc/azext_acrcssc/__init__.py
@@ -0,0 +1,32 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from azure.cli.core import AzCommandsLoader
+
+from azext_acrcssc._help import helps  # pylint: disable=unused-import
+
+
+class AcrcsscCommandsLoader(AzCommandsLoader):
+
+    def __init__(self, cli_ctx=None):
+        from azure.cli.core.commands import CliCommandType
+        from azext_acrcssc._client_factory import cf_acr
+        acrcssc_custom = CliCommandType(
+            operations_tmpl='azext_acrcssc.custom#{}',
+            client_factory=cf_acr)
+        super(AcrcsscCommandsLoader, self).__init__(cli_ctx=cli_ctx,
+                                                    custom_command_type=acrcssc_custom)
+
+    def load_command_table(self, args):
+        from azext_acrcssc.commands import load_command_table
+        load_command_table(self, args)
+        return self.command_table
+
+    def load_arguments(self, command):
+        from azext_acrcssc._params import load_arguments
+        load_arguments(self, command)
+
+
+COMMAND_LOADER_CLS = AcrcsscCommandsLoader
diff --git a/src/acrcssc/azext_acrcssc/_client_factory.py b/src/acrcssc/azext_acrcssc/_client_factory.py
@@ -0,0 +1,61 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+from azure.cli.core.commands.client_factory import get_mgmt_service_client
+from azure.cli.core.profiles import ResourceType
+from azure.mgmt.containerregistry import ContainerRegistryManagementClient
+from .helper._constants import (
+    ACR_API_VERSION_2023_01_01_PREVIEW,
+    ACR_API_VERSION_2019_06_01_PREVIEW
+)
+
+from azure.mgmt.authorization import AuthorizationManagementClient
+
+
+def cf_acr(cli_ctx, *_) -> ContainerRegistryManagementClient:
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2023_01_01_PREVIEW)
+
+
+def cf_acr_registries(cli_ctx, *_) -> ContainerRegistryManagementClient:
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2023_01_01_PREVIEW).registries
+
+
+def cf_acr_tasks(cli_ctx, *_):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2019_06_01_PREVIEW).tasks
+
+
+def cf_acr_registries_tasks(cli_ctx, *_):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2019_06_01_PREVIEW).registries
+
+
+def cf_acr_taskruns(cli_ctx, *_):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2019_06_01_PREVIEW).task_runs
+
+
+def cf_acr_runs(cli_ctx, *_):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_CONTAINERREGISTRY,
+                                   api_version=ACR_API_VERSION_2019_06_01_PREVIEW).runs
+
+
+def cf_resources(cli_ctx, subscription_id=None):
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_RESOURCE_RESOURCES,
+                                   subscription_id=subscription_id)
+
+
+def cf_authorization(cli_ctx, subscription_id=None) -> AuthorizationManagementClient:
+    return get_mgmt_service_client(cli_ctx,
+                                   ResourceType.MGMT_AUTHORIZATION,
+                                   subscription_id=subscription_id, api_version="2022-04-01")
diff --git a/src/acrcssc/azext_acrcssc/_help.py b/src/acrcssc/azext_acrcssc/_help.py
@@ -0,0 +1,66 @@
+# coding=utf-8
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from knack.help_files import helps  # pylint: disable=unused-import
+
+helps['acr supply-chain'] = """
+    type: group
+    short-summary: Commands to manage acr supply chain resources.
+"""
+
+helps['acr supply-chain workflow'] = """
+    type: group
+    short-summary: Commands to manage acr supply chain workflows.
+"""
+
+helps['acr supply-chain workflow create'] = """
+    type: command
+    short-summary: Create acr supply chain workflow.
+    examples:
+        - name: Create acr supply chain workflow
+          text: az acr supply-chain workflow create -r $MyRegistry -g $MyResourceGroup \
+                --type continuouspatchv1 --schedule 1d --config path-to-config-file
+"""
+helps['acr supply-chain workflow update'] = """
+    type: command
+    short-summary: Update acr supply chain workflow.
+    examples:
+        - name: Update acr supply chain workflow
+          text: az acr supply-chain workflow update -r $MyRegistry -g $MyResourceGroup --type \
+                continuouspatchv1 --schedule 1d --config path-to-config-file
+"""
+
+helps['acr supply-chain workflow show'] = """
+     type: command
+     short-summary: Show acr supply chain workflow tasks.
+     examples:
+        - name: Show all acr supply chain workflow
+          text: az acr supply-chain workflow show -r $MyRegistry -g $MyResourceGroup --type continuouspatchv1
+"""
+
+helps['acr supply-chain workflow delete'] = """
+    type: command
+    short-summary: Delete acr supply chain workflow.
+    examples:
+        - name: Delete acr supply chain workflow and associated configuration files
+          text: az acr supply-chain workflow delete -r $MyRegistry -g $MyResourceGroup --type continuouspatchv1
+"""
+
+helps['acr supply-chain workflow cancel-run'] = """
+    type: command
+    short-summary: Cancel currently running supply chain workflow.
+    examples:
+        - name: Cancel currently running acr supply chain workflow scans/patch
+          text: az acr supply-chain workflow cancel-run -r $MyRegistry -g $MyResourceGroup --type continuouspatchv1
+"""
+
+helps['acr supply-chain workflow list'] = """
+    type: command
+    short-summary: List status of acr supply chain workflow images.
+    examples:
+        - name: List all acr supply chain workflow images based on the status provided
+          text: az acr supply-chain workflow list -r $MyRegistry -g $MyResourceGroup --type continuouspatchv1 --run-status Failed
+"""
diff --git a/src/acrcssc/azext_acrcssc/_params.py b/src/acrcssc/azext_acrcssc/_params.py
@@ -0,0 +1,42 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+# pylint: disable=line-too-long
+from azure.cli.command_modules.acr._constants import REGISTRY_RESOURCE_TYPE
+from azure.cli.command_modules.acr._validators import validate_registry_name
+from azure.cli.core import AzCommandsLoader
+from azure.cli.core.commands.parameters import (
+    get_resource_name_completion_list,
+    get_three_state_flag, get_enum_type,
+    resource_group_name_type
+)
+from .helper._constants import CONTINUOUSPATCH_SCHEDULE_MAX_DAYS
+
+
+def load_arguments(self: AzCommandsLoader, _):
+    from .helper._constants import CSSCTaskTypes
+    from .helper._workflow_status import WorkflowTaskState
+
+    with self.argument_context("acr supply-chain workflow") as c:
+        c.argument('resource_group', arg_type=resource_group_name_type, completer=get_resource_name_completion_list(REGISTRY_RESOURCE_TYPE))
+        c.argument('registry_name', options_list=['--registry', '-r'], help='The name of the container registry. It should be specified in lower case. You can configure the default registry name using `az configure --defaults acr=<registry name>`', completer=get_resource_name_completion_list(REGISTRY_RESOURCE_TYPE), configured_default='acr', validator=validate_registry_name)
+        c.argument("workflow_type", arg_type=get_enum_type(CSSCTaskTypes), options_list=['--type', '-t'], help="Type of workflow task.", required=True)
+
+    with self.argument_context("acr supply-chain workflow create") as c:
+        c.argument("config", help="Configuration file path containing the json schema for the list of repositories and tags to filter within the registry. Schema example:{\"repositories\":[{\"repository\":\"alpine\",\"tags\":[\"tag1\",\"tag2\"],\"enabled\":true},{\"repository\":\"python\",\"tags\":[\"*\"],\"enabled\":false}], \"version\": \"v1\", \"tag-convention\": \"floating\"}. \"tag-convention\" is an optional property, values can be \"incremental\" (the default behavior, will increase the patch version of the tag, for example \"{repository}:{original-tag}-1\", \"{repository}:{original-tag}-2\", etc), or \"floating\" (will reuse the tag \"{repository}:{original-tag}-patched\" for patching)", required=True)
+        c.argument("schedule", help=f"schedule to run the scan and patching task. E.g. `<n>d` where <n> is the number of days between each run. Max value is {CONTINUOUSPATCH_SCHEDULE_MAX_DAYS}d.", required=True)
+        c.argument("run_immediately", help="Set this flag to trigger the immediate run of the selected workflow task. Default value: false.", arg_type=get_three_state_flag())
+        c.argument("dryrun", options_list=["--dry-run"], help="Use this flag to see the qualifying repositories and tags that would be affected by the workflow. Default value: false. 'config' parameter is mandatory to provide with dry-run", arg_type=get_three_state_flag())
+
+    with self.argument_context("acr supply-chain workflow update") as c:
+        c.argument("config", help="Configuration file path containing the json schema for the list of repositories and tags to filter within the registry. Schema example:{\"repositories\":[{\"repository\":\"alpine\",\"tags\":[\"tag1\",\"tag2\"],\"enabled\":true},{\"repository\":\"python\",\"tags\":[\"*\"],\"enabled\":false}], \"version\": \"v1\", \"tag-convention\": \"floating\"}. \"tag-convention\" is an optional property, values can be \"incremental\" (the default behavior, will increase the patch version of the tag, for example \"{repository}:{original-tag}-1\", \"{repository}:{original-tag}-2\", etc), or \"floating\" (will reuse the tag \"{repository}:{original-tag}-patched\" for patching)")
+        c.argument("schedule", help=f"schedule to run the scan and patching task. E.g. `<n>d` where n is the number of days between each run. Max value is {CONTINUOUSPATCH_SCHEDULE_MAX_DAYS}d.")
+        c.argument("run_immediately", help="Set this flag to trigger the immediate run of the selected workflow task. Default value: false.", arg_type=get_three_state_flag())
+        c.argument("dryrun", options_list=["--dry-run"], help="Use this flag to see the qualifying repositories and tags that would be affected by the workflow. Default value: false. 'config' parameter is mandatory to provide with dry-run", arg_type=get_three_state_flag())
+
+    with self.argument_context("acr supply-chain workflow list") as c:
+        c.argument("status", arg_type=get_enum_type(WorkflowTaskState), options_list=["--run-status"], help="Status to filter the supply-chain workflow image status.")
+
+    with self.argument_context("acr supply-chain workflow delete") as c:
+        c.argument("yes", options_list=["--yes", "-y"], help="Proceed with the deletion without user confirmation")