@stacksjs/ts-cloud-core 0.1.1

package/src/containers/image-scanning.ts

@@ -0,0 +1,360 @@
+/**
+ * Container Image Scanning
+ * Vulnerability scanning with Trivy, Snyk, and other tools
+ */
+
+export interface ImageScanConfig {
+  id: string
+  repository: string
+  imageTag: string
+  scanner: ScannerType
+  scanOnPush: boolean
+  scanSchedule?: string
+  failOnSeverity?: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW'
+  ignoreUnfixed?: boolean
+}
+
+export type ScannerType = 'trivy' | 'snyk' | 'clair' | 'anchore' | 'ecr'
+
+export interface ImageScanResult {
+  id: string
+  imageUri: string
+  scannerType: ScannerType
+  scanDate: Date
+  vulnerabilities: ImageVulnerability[]
+  summary: VulnerabilitySummary
+  passed: boolean
+}
+
+export interface ImageVulnerability {
+  id: string
+  cve: string
+  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'UNKNOWN'
+  packageName: string
+  installedVersion: string
+  fixedVersion?: string
+  title: string
+  description: string
+  references: string[]
+  cvss?: number
+}
+
+export interface VulnerabilitySummary {
+  total: number
+  critical: number
+  high: number
+  medium: number
+  low: number
+  unknown: number
+}
+
+export interface ScanPolicy {
+  id: string
+  name: string
+  allowedSeverities: string[]
+  maxCritical: number
+  maxHigh: number
+  blockOnFailure: boolean
+  exemptions: string[] // CVE IDs to ignore
+}
+
+/**
+ * Image scanning manager
+ */
+export class ImageScanningManager {
+  private configs: Map<string, ImageScanConfig> = new Map()
+  private results: Map<string, ImageScanResult> = new Map()
+  private policies: Map<string, ScanPolicy> = new Map()
+  private configCounter = 0
+  private resultCounter = 0
+  private policyCounter = 0
+
+  /**
+   * Configure image scanning
+   */
+  configureScan(config: Omit<ImageScanConfig, 'id'>): ImageScanConfig {
+    const id = `scan-config-${Date.now()}-${this.configCounter++}`
+
+    const scanConfig: ImageScanConfig = {
+      id,
+      ...config,
+    }
+
+    this.configs.set(id, scanConfig)
+
+    return scanConfig
+  }
+
+  /**
+   * Configure Trivy scanning
+   */
+  configureTrivyScan(options: {
+    repository: string
+    imageTag: string
+    scanOnPush?: boolean
+    ignoreUnfixed?: boolean
+  }): ImageScanConfig {
+    return this.configureScan({
+      repository: options.repository,
+      imageTag: options.imageTag,
+      scanner: 'trivy',
+      scanOnPush: options.scanOnPush ?? true,
+      ignoreUnfixed: options.ignoreUnfixed ?? false,
+      failOnSeverity: 'HIGH',
+    })
+  }
+
+  /**
+   * Configure Snyk scanning
+   */
+  configureSnykScan(options: {
+    repository: string
+    imageTag: string
+    scanOnPush?: boolean
+  }): ImageScanConfig {
+    return this.configureScan({
+      repository: options.repository,
+      imageTag: options.imageTag,
+      scanner: 'snyk',
+      scanOnPush: options.scanOnPush ?? true,
+      failOnSeverity: 'HIGH',
+    })
+  }
+
+  /**
+   * Configure ECR scanning
+   */
+  configureECRScan(options: {
+    repository: string
+    scanOnPush?: boolean
+  }): ImageScanConfig {
+    return this.configureScan({
+      repository: options.repository,
+      imageTag: 'latest',
+      scanner: 'ecr',
+      scanOnPush: options.scanOnPush ?? true,
+      failOnSeverity: 'CRITICAL',
+    })
+  }
+
+  /**
+   * Scan image
+   */
+  async scanImage(configId: string): Promise<ImageScanResult> {
+    const config = this.configs.get(configId)
+
+    if (!config) {
+      throw new Error(`Scan config not found: ${configId}`)
+    }
+
+    const imageUri = `${config.repository}:${config.imageTag}`
+
+    console.log(`\nScanning image: ${imageUri}`)
+    console.log(`Scanner: ${config.scanner}`)
+
+    const id = `scan-result-${Date.now()}-${this.resultCounter++}`
+
+    // Simulate scanning
+    const vulnerabilities = this.simulateVulnerabilities(config)
+
+    const summary: VulnerabilitySummary = {
+      total: vulnerabilities.length,
+      critical: vulnerabilities.filter(v => v.severity === 'CRITICAL').length,
+      high: vulnerabilities.filter(v => v.severity === 'HIGH').length,
+      medium: vulnerabilities.filter(v => v.severity === 'MEDIUM').length,
+      low: vulnerabilities.filter(v => v.severity === 'LOW').length,
+      unknown: vulnerabilities.filter(v => v.severity === 'UNKNOWN').length,
+    }
+
+    const passed = this.evaluateScanResult(config, summary)
+
+    const result: ImageScanResult = {
+      id,
+      imageUri,
+      scannerType: config.scanner,
+      scanDate: new Date(),
+      vulnerabilities,
+      summary,
+      passed,
+    }
+
+    this.results.set(id, result)
+
+    console.log('\nScan Results:')
+    console.log(`  Total vulnerabilities: ${summary.total}`)
+    console.log(`  Critical: ${summary.critical}`)
+    console.log(`  High: ${summary.high}`)
+    console.log(`  Medium: ${summary.medium}`)
+    console.log(`  Low: ${summary.low}`)
+    console.log(`  Status: ${passed ? '✓ PASSED' : '✗ FAILED'}`)
+
+    return result
+  }
+
+  /**
+   * Simulate vulnerabilities (in production, call actual scanner)
+   */
+  private simulateVulnerabilities(config: ImageScanConfig): ImageVulnerability[] {
+    const vulnerabilities: ImageVulnerability[] = []
+
+    if (config.scanner === 'trivy' || config.scanner === 'ecr') {
+      vulnerabilities.push({
+        id: 'vuln-1',
+        cve: 'CVE-2024-1234',
+        severity: 'HIGH',
+        packageName: 'openssl',
+        installedVersion: '1.1.1k',
+        fixedVersion: '1.1.1l',
+        title: 'OpenSSL buffer overflow',
+        description: 'Buffer overflow vulnerability in OpenSSL',
+        references: ['https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1234'],
+        cvss: 7.5,
+      })
+
+      vulnerabilities.push({
+        id: 'vuln-2',
+        cve: 'CVE-2024-5678',
+        severity: 'MEDIUM',
+        packageName: 'curl',
+        installedVersion: '7.68.0',
+        fixedVersion: '7.79.0',
+        title: 'curl remote code execution',
+        description: 'Remote code execution in curl',
+        references: ['https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5678'],
+        cvss: 5.3,
+      })
+    }
+
+    return vulnerabilities
+  }
+
+  /**
+   * Evaluate scan result
+   */
+  private evaluateScanResult(config: ImageScanConfig, summary: VulnerabilitySummary): boolean {
+    if (!config.failOnSeverity) {
+      return true
+    }
+
+    switch (config.failOnSeverity) {
+      case 'CRITICAL':
+        return summary.critical === 0
+      case 'HIGH':
+        return summary.critical === 0 && summary.high === 0
+      case 'MEDIUM':
+        return summary.critical === 0 && summary.high === 0 && summary.medium === 0
+      case 'LOW':
+        return summary.total === 0
+      default:
+        return true
+    }
+  }
+
+  /**
+   * Create scan policy
+   */
+  createPolicy(policy: Omit<ScanPolicy, 'id'>): ScanPolicy {
+    const id = `policy-${Date.now()}-${this.policyCounter++}`
+
+    const scanPolicy: ScanPolicy = {
+      id,
+      ...policy,
+    }
+
+    this.policies.set(id, scanPolicy)
+
+    return scanPolicy
+  }
+
+  /**
+   * Create strict policy
+   */
+  createStrictPolicy(name: string): ScanPolicy {
+    return this.createPolicy({
+      name,
+      allowedSeverities: [],
+      maxCritical: 0,
+      maxHigh: 0,
+      blockOnFailure: true,
+      exemptions: [],
+    })
+  }
+
+  /**
+   * Create permissive policy
+   */
+  createPermissivePolicy(name: string): ScanPolicy {
+    return this.createPolicy({
+      name,
+      allowedSeverities: ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'],
+      maxCritical: 5,
+      maxHigh: 10,
+      blockOnFailure: false,
+      exemptions: [],
+    })
+  }
+
+  /**
+   * Get config
+   */
+  getConfig(id: string): ImageScanConfig | undefined {
+    return this.configs.get(id)
+  }
+
+  /**
+   * List configs
+   */
+  listConfigs(): ImageScanConfig[] {
+    return Array.from(this.configs.values())
+  }
+
+  /**
+   * Get result
+   */
+  getResult(id: string): ImageScanResult | undefined {
+    return this.results.get(id)
+  }
+
+  /**
+   * List results
+   */
+  listResults(): ImageScanResult[] {
+    return Array.from(this.results.values())
+  }
+
+  /**
+   * Generate CloudFormation for ECR scanning
+   */
+  generateECRScanCF(config: ImageScanConfig): any {
+    return {
+      Type: 'AWS::ECR::Repository',
+      Properties: {
+        RepositoryName: config.repository,
+        ImageScanningConfiguration: {
+          ScanOnPush: config.scanOnPush,
+        },
+        ImageTagMutability: 'IMMUTABLE',
+        EncryptionConfiguration: {
+          EncryptionType: 'AES256',
+        },
+      },
+    }
+  }
+
+  /**
+   * Clear all data
+   */
+  clear(): void {
+    this.configs.clear()
+    this.results.clear()
+    this.policies.clear()
+    this.configCounter = 0
+    this.resultCounter = 0
+    this.policyCounter = 0
+  }
+}
+
+/**
+ * Global image scanning manager instance
+ */
+export const imageScanningManager: ImageScanningManager = new ImageScanningManager()

package/src/containers/index.ts

@@ -0,0 +1,9 @@
+/**
+ * Container Advanced Features Module
+ * Image scanning, build optimization, registry management, and service mesh
+ */
+
+export * from './image-scanning'
+export * from './build-optimization'
+export * from './registry'
+export * from './service-mesh'

package/src/containers/registry.ts

@@ -0,0 +1,293 @@
+/**
+ * Private Container Registry
+ * ECR repository management and access control
+ */
+
+export interface ContainerRegistry {
+  id: string
+  name: string
+  registryType: 'ecr' | 'dockerhub' | 'gcr' | 'acr'
+  repositoryUri: string
+  region?: string
+  encryption?: RegistryEncryption
+  scanning?: ScanningConfig
+  lifecycle?: LifecyclePolicy
+  replication?: ReplicationConfig
+}
+
+export interface RegistryEncryption {
+  encryptionType: 'AES256' | 'KMS'
+  kmsKeyId?: string
+}
+
+export interface ScanningConfig {
+  scanOnPush: boolean
+  scanFilters?: ScanFilter[]
+}
+
+export interface ScanFilter {
+  tagPattern: string
+  scanFrequency: 'on_push' | 'daily' | 'weekly'
+}
+
+export interface LifecyclePolicy {
+  id: string
+  rules: LifecycleRule[]
+}
+
+export interface LifecycleRule {
+  rulePriority: number
+  description: string
+  selection: {
+    tagStatus: 'tagged' | 'untagged' | 'any'
+    tagPrefixList?: string[]
+    countType: 'imageCountMoreThan' | 'sinceImagePushed'
+    countNumber: number
+    countUnit?: 'days'
+  }
+  action: {
+    type: 'expire'
+  }
+}
+
+export interface ReplicationConfig {
+  enabled: boolean
+  destinations: ReplicationDestination[]
+  rules?: ReplicationRule[]
+}
+
+export interface ReplicationDestination {
+  region: string
+  registryId?: string
+}
+
+export interface ReplicationRule {
+  repositoryFilter: string[]
+  destinations: ReplicationDestination[]
+}
+
+export interface RegistryCredentials {
+  id: string
+  registryId: string
+  username: string
+  passwordSecretArn: string
+  expiresAt?: Date
+}
+
+/**
+ * Container registry manager
+ */
+export class ContainerRegistryManager {
+  private registries: Map<string, ContainerRegistry> = new Map()
+  private credentials: Map<string, RegistryCredentials> = new Map()
+  private registryCounter = 0
+  private credentialsCounter = 0
+
+  /**
+   * Create registry
+   */
+  createRegistry(registry: Omit<ContainerRegistry, 'id'>): ContainerRegistry {
+    const id = `registry-${Date.now()}-${this.registryCounter++}`
+
+    const containerRegistry: ContainerRegistry = {
+      id,
+      ...registry,
+    }
+
+    this.registries.set(id, containerRegistry)
+
+    return containerRegistry
+  }
+
+  /**
+   * Create ECR repository
+   */
+  createECRRepository(options: {
+    name: string
+    region?: string
+    scanOnPush?: boolean
+    encryption?: 'AES256' | 'KMS'
+    kmsKeyId?: string
+  }): ContainerRegistry {
+    return this.createRegistry({
+      name: options.name,
+      registryType: 'ecr',
+      repositoryUri: `123456789012.dkr.ecr.${options.region || 'us-east-1'}.amazonaws.com/${options.name}`,
+      region: options.region || 'us-east-1',
+      encryption: {
+        encryptionType: options.encryption || 'AES256',
+        kmsKeyId: options.kmsKeyId,
+      },
+      scanning: {
+        scanOnPush: options.scanOnPush ?? true,
+      },
+    })
+  }
+
+  /**
+   * Create private registry with lifecycle policy
+   */
+  createManagedRepository(options: {
+    name: string
+    region?: string
+    maxImageCount?: number
+    maxImageAgeDays?: number
+  }): ContainerRegistry {
+    const registry = this.createECRRepository({
+      name: options.name,
+      region: options.region,
+      scanOnPush: true,
+      encryption: 'KMS',
+    })
+
+    // Add lifecycle policy
+    registry.lifecycle = {
+      id: `lifecycle-${Date.now()}`,
+      rules: [
+        {
+          rulePriority: 1,
+          description: 'Keep only last N images',
+          selection: {
+            tagStatus: 'any',
+            countType: 'imageCountMoreThan',
+            countNumber: options.maxImageCount || 10,
+          },
+          action: {
+            type: 'expire',
+          },
+        },
+        {
+          rulePriority: 2,
+          description: 'Remove images older than N days',
+          selection: {
+            tagStatus: 'untagged',
+            countType: 'sinceImagePushed',
+            countNumber: options.maxImageAgeDays || 30,
+            countUnit: 'days',
+          },
+          action: {
+            type: 'expire',
+          },
+        },
+      ],
+    }
+
+    return registry
+  }
+
+  /**
+   * Enable cross-region replication
+   */
+  enableReplication(
+    registryId: string,
+    destinations: ReplicationDestination[]
+  ): ContainerRegistry {
+    const registry = this.registries.get(registryId)
+
+    if (!registry) {
+      throw new Error(`Registry not found: ${registryId}`)
+    }
+
+    registry.replication = {
+      enabled: true,
+      destinations,
+    }
+
+    return registry
+  }
+
+  /**
+   * Create registry credentials
+   */
+  createCredentials(credentials: Omit<RegistryCredentials, 'id'>): RegistryCredentials {
+    const id = `creds-${Date.now()}-${this.credentialsCounter++}`
+
+    const registryCredentials: RegistryCredentials = {
+      id,
+      ...credentials,
+    }
+
+    this.credentials.set(id, registryCredentials)
+
+    return registryCredentials
+  }
+
+  /**
+   * Get registry
+   */
+  getRegistry(id: string): ContainerRegistry | undefined {
+    return this.registries.get(id)
+  }
+
+  /**
+   * List registries
+   */
+  listRegistries(): ContainerRegistry[] {
+    return Array.from(this.registries.values())
+  }
+
+  /**
+   * Generate CloudFormation for ECR repository
+   */
+  generateECRRepositoryCF(registry: ContainerRegistry): any {
+    return {
+      Type: 'AWS::ECR::Repository',
+      Properties: {
+        RepositoryName: registry.name,
+        ImageScanningConfiguration: {
+          ScanOnPush: registry.scanning?.scanOnPush ?? false,
+        },
+        EncryptionConfiguration: {
+          EncryptionType: registry.encryption?.encryptionType || 'AES256',
+          ...(registry.encryption?.kmsKeyId && {
+            KmsKey: registry.encryption.kmsKeyId,
+          }),
+        },
+        ImageTagMutability: 'MUTABLE',
+        ...(registry.lifecycle && {
+          LifecyclePolicy: {
+            LifecyclePolicyText: JSON.stringify({
+              rules: registry.lifecycle.rules,
+            }),
+          },
+        }),
+      },
+    }
+  }
+
+  /**
+   * Generate CloudFormation for replication configuration
+   */
+  generateReplicationConfigCF(replication: ReplicationConfig): any {
+    return {
+      Type: 'AWS::ECR::ReplicationConfiguration',
+      Properties: {
+        ReplicationConfiguration: {
+          Rules: replication.destinations.map(dest => ({
+            Destinations: [
+              {
+                Region: dest.region,
+                ...(dest.registryId && { RegistryId: dest.registryId }),
+              },
+            ],
+          })),
+        },
+      },
+    }
+  }
+
+  /**
+   * Clear all data
+   */
+  clear(): void {
+    this.registries.clear()
+    this.credentials.clear()
+    this.registryCounter = 0
+    this.credentialsCounter = 0
+  }
+}
+
+/**
+ * Global container registry manager instance
+ */
+export const containerRegistryManager: ContainerRegistryManager = new ContainerRegistryManager()