Merge pull request #798 from atlanhq/chore/snyk-deps-requirements

chore(ci): add Harbor publish + Snyk deps support

Author: Aryamanz29

.github/workflows/pyatlan-chainguard.yaml

@@ -57,6 +57,13 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Log in to Atlan Harbor Registry
+        uses: docker/login-action@v3
+        with:
+          registry: registry.atlan.com
+          username: ${{ secrets.HARBOR_USERNAME }}
+          password: ${{ secrets.HARBOR_PASSWORD }}
+
       - name: Log in to Chainguard Container Registry
         uses: docker/login-action@v3
         with:
@@ -84,7 +91,7 @@ jobs:
             else
               PYTHON_VERSION="${{ github.event.inputs.python_version }}"
             fi
-            
+
             # Set Pyatlan version (reads from pyatlan/version.txt by default)
             # This matches the version in the repository
             if [ -z "${{ github.event.inputs.pyatlan_version }}" ]; then
@@ -94,7 +101,7 @@ jobs:
               PYATLAN_VERSION="${{ github.event.inputs.pyatlan_version }}"
               echo "Using specified pyatlan version: $PYATLAN_VERSION"
             fi
-            
+
             # Handle branch input (if provided, will be used as commit SHA or branch name)
             if [ -n "${{ github.event.inputs.pyatlan_branch }}" ]; then
               echo "Note: Building from branch/commit: ${{ github.event.inputs.pyatlan_branch }}"
@@ -105,27 +112,27 @@ jobs:
           echo "BUILD_TYPE=$BUILD_TYPE" >> $GITHUB_ENV
           echo "PYTHON_VERSION=$PYTHON_VERSION" >> $GITHUB_ENV
           echo "PYATLAN_VERSION=$PYATLAN_VERSION" >> $GITHUB_ENV
-          
+
           # Set platforms based on build type
           if [ "$BUILD_TYPE" = "dev" ]; then
             PLATFORMS="linux/amd64"
           else
             PLATFORMS="linux/amd64,linux/arm64"
           fi
           echo "PLATFORMS=$PLATFORMS" >> $GITHUB_ENV
-          
+
           # Generate commit hash for dev builds (for image tagging only)
           COMMIT_HASH=$(git rev-parse --short HEAD)
           echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
-          
+
           # Set PYATLAN_COMMIT_SHA only if pyatlan_branch input is provided
           # Otherwise, leave empty to let Dockerfile use version tag
           if [ -n "${{ github.event.inputs.pyatlan_branch }}" ]; then
             echo "PYATLAN_COMMIT_SHA=${{ github.event.inputs.pyatlan_branch }}" >> $GITHUB_ENV
           else
             echo "PYATLAN_COMMIT_SHA=" >> $GITHUB_ENV
           fi
-          
+
           echo "Build parameters:"
           echo "  - Trigger: ${{ github.event_name }}"
           echo "  - Build Type: $BUILD_TYPE"
@@ -150,12 +157,17 @@ jobs:
           if [ "$BUILD_TYPE" = "dev" ]; then
             # Dev: 8.0.0-3.11-commithash
             IMAGE_TAG="${PYATLAN_VERSION}-${PYTHON_VERSION}-${COMMIT_HASH}"
+            HARBOR_TAGS="registry.atlan.com/public/pyatlan:${IMAGE_TAG}\nregistry.atlan.com/public/pyatlan:sha-${COMMIT_HASH}"
           else
             # Release: 8.0.0-3.11
             IMAGE_TAG="${PYATLAN_VERSION}-${PYTHON_VERSION}"
+            HARBOR_TAGS="registry.atlan.com/public/pyatlan:${IMAGE_TAG}\nregistry.atlan.com/public/pyatlan:main-latest\nregistry.atlan.com/public/pyatlan:main-${PYATLAN_VERSION}\nregistry.atlan.com/public/pyatlan:sha-${COMMIT_HASH}"
           fi
 
           echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
+          echo "HARBOR_TAGS<<EOF" >> $GITHUB_ENV
+          echo -e "$HARBOR_TAGS" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
 
           echo "Generated image tag: ghcr.io/atlanhq/pyatlan-chainguard-base:$IMAGE_TAG"
 
@@ -168,6 +180,7 @@ jobs:
           push: true
           tags: |
             ghcr.io/atlanhq/pyatlan-chainguard-base:${{ env.IMAGE_TAG }}
+            ${{ env.HARBOR_TAGS }}
           build-args: |
             PYTHON_VERSION=${{ env.PYTHON_VERSION }}
             PYATLAN_VERSION=${{ env.PYATLAN_VERSION }}

.github/workflows/trivy.yml

@@ -0,0 +1,191 @@
+name: Trivy Image and Dependency Scan
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+  actions: read
+  security-events: write
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Chainguard Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: cgr.dev
+          username: ${{ secrets.CHAINGUARD_USERNAME }}
+          password: ${{ secrets.CHAINGUARD_PASSWORD }}
+
+      - name: Build image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          load: true
+          tags: pyatlan-trivy:latest
+
+      - name: Trivy image scan (table)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: pyatlan-trivy:latest
+          scanners: 'vuln'
+          version: 'v0.69.0'
+          ignore-unfixed: true
+          format: 'table'
+          output: 'trivy-image.txt'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '0'
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
+      - name: Show Trivy image table
+        if: always()
+        shell: bash
+        run: |
+          echo "Trivy image scan (table)";
+          if [ -f trivy-image.txt ]; then
+            cat trivy-image.txt;
+          else
+            echo "No trivy-image.txt output found.";
+          fi
+
+      - name: Trivy image scan (SARIF)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: pyatlan-trivy:latest
+          scanners: 'vuln'
+          version: 'v0.69.0'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-image.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '0'
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
+      - name: Trivy dependency scan (uv.lock, table)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: fs
+          scan-ref: uv.lock
+          scanners: 'vuln'
+          version: 'v0.69.0'
+          ignore-unfixed: true
+          format: 'table'
+          output: 'trivy-deps.txt'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '0'
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+
+      - name: Show Trivy dependency table
+        if: always()
+        shell: bash
+        run: |
+          echo "Trivy dependency scan (table)";
+          if [ -f trivy-deps.txt ]; then
+            cat trivy-deps.txt;
+          else
+            echo "No trivy-deps.txt output found.";
+          fi
+
+      - name: Trivy dependency scan (uv.lock, SARIF)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: fs
+          scan-ref: uv.lock
+          scanners: 'vuln'
+          version: 'v0.69.0'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-deps.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '0'
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+
+      - name: Upload Trivy image results
+        if: github.event.repository.security_and_analysis.advanced_security.status == 'enabled'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-image.sarif'
+          category: 'trivy-image'
+
+      - name: Upload Trivy dependency results
+        if: github.event.repository.security_and_analysis.advanced_security.status == 'enabled'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-deps.sarif'
+          category: 'trivy-deps'
+
+      - name: Publish Trivy summary
+        if: always()
+        shell: bash
+        run: |
+          {
+            echo "## Trivy Image Scan (pyatlan-trivy:latest)";
+            echo "";
+            if [ -f trivy-image.txt ]; then
+              echo '```';
+              cat trivy-image.txt;
+              echo '```';
+            else
+              echo "No image scan output found.";
+            fi
+            echo "";
+            echo "## Trivy Dependency Scan (uv.lock)";
+            echo "";
+            if [ -f trivy-deps.txt ]; then
+              echo '```';
+              cat trivy-deps.txt;
+              echo '```';
+            else
+              echo "No dependency scan output found.";
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Fail on High/Critical vulnerabilities (image)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: pyatlan-trivy:latest
+          scanners: 'vuln'
+          version: 'v0.69.0'
+          ignore-unfixed: true
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
+      - name: Fail on High/Critical vulnerabilities (uv.lock)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: fs
+          scan-ref: uv.lock
+          scanners: 'vuln'
+          version: 'v0.69.0'
+          ignore-unfixed: true
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2

.pre-commit-config.yaml

@@ -25,3 +25,9 @@ repos:
         types: [python]
         pass_filenames: false
         stages: [manual]
+      - id: sync-requirements
+        name: sync-requirements
+        entry: bash -c "uv export --all-extras --no-hashes > requirements.txt"
+        language: system
+        pass_filenames: false
+        files: ^uv.lock$

README.md

@@ -10,7 +10,7 @@
 [![Downloads](https://img.shields.io/pypi/dm/pyatlan.svg)](https://pypi.org/project/pyatlan/)
 [![Build Status](https://github.com/atlanhq/atlan-python/actions/workflows/pyatlan-publish.yaml/badge.svg)](https://github.com/atlanhq/atlan-python/actions/workflows/pyatlan-publish.yaml)
 [![Documentation](https://img.shields.io/badge/docs-developer.atlan.com-blue.svg)](https://developer.atlan.com/getting-started/python-sdk/)
-[![Docker](https://img.shields.io/badge/docker-ghcr.io%2Fatlanhq%2Fatlan--python-blue.svg)](https://github.com/atlanhq/atlan-python/pkgs/container/atlan-python)
+[![Docker](https://img.shields.io/badge/docker-harbor-blue.svg)](https://registry.atlan.com/)
 
 ---
 
@@ -84,32 +84,44 @@ uv sync --all-groups
 
 ## 🐳 Docker
 
-### Pre-built Images
-
+### Pre-built Images (Harbor)
 
 ```bash
-# Latest version
-docker pull ghcr.io/atlanhq/atlan-python:latest
+# Latest main image
+docker pull registry.atlan.com/public/pyatlan:main-latest
 
-# Specific version
-docker pull ghcr.io/atlanhq/atlan-python:7.1.3
+# Version + Python tag
+docker pull registry.atlan.com/public/pyatlan:8.5.1-3.11
+
+# Commit-specific image
+docker pull registry.atlan.com/public/pyatlan:sha-1a064032
 ```
 
 ### Usage
 
 ```bash
 # Interactive Python session
-docker run -it --rm ghcr.io/atlanhq/atlan-python:latest
+docker run -it --rm registry.atlan.com/public/pyatlan:main-latest
 
 # Run a script
 docker run -it --rm \
   -v $(pwd):/app \
   -e ATLAN_API_KEY=your_key \
   -e ATLAN_BASE_URL=https://your-tenant.atlan.com \
-  ghcr.io/atlanhq/atlan-python:latest \
+  registry.atlan.com/public/pyatlan:main-latest \
   python your_script.py
 ```
 
+## 🔒 Security Scans
+
+### Run Snyk locally (dependencies)
+
+```bash
+uv export --all-extras --no-hashes > requirements.txt
+snyk test --file=requirements.txt --severity-threshold=high --skip-unresolved
+rm -f requirements.txt
+```
+
 ## 🧪 Testing
 
 ### Unit Tests

pyproject.toml

@@ -37,7 +37,7 @@ dependencies = [
     "PyYAML~=6.0.3",
     "httpx~=0.28.1",
     "httpx-retries~=0.4.5",
-    "authlib~=1.6.5",
+    "authlib~=1.6.6",
 ]
 
 [project.urls]
@@ -52,6 +52,10 @@ dev = [
     "ruff~=0.14.5",
     "types-setuptools~=80.9.0.20250822",
     "types-Authlib~=1.6.5.20251005",
+    "jaraco-context~=6.1.0",
+    "filelock~=3.20.3; python_version >= '3.10'",
+    "virtualenv~=20.36.1",
+    "urllib3~=2.6.3; python_version >= '3.10'",
     "pytest~=8.4.2",
     "pytest-vcr~=1.0.2",
     "vcrpy~=7.0.0",
@@ -114,3 +118,9 @@ asyncio_default_fixture_loop_scope = "module"
 filterwarnings = [
     "ignore::DeprecationWarning",
 ]
+
+[tool.uv]
+environments = ["python_version >= '3.9' and python_version < '3.14' and platform_python_implementation == 'CPython'"]
+
+[tool.poe.tasks]
+snyk-requirements = "uv export --all-extras --no-hashes > snyk-requirements.txt"