Merge branch 'main' into feat/k8s-deploy

Signed-off-by: S3B4SZ17 <[email protected]>

Author: S3B4SZ17

.dockerignore

@@ -14,4 +14,3 @@ README.md
 __pycache__/*
 lib/
 .python-version
-*.yaml

.github/workflows/publish.yaml

@@ -7,12 +7,7 @@ on:
     paths:
       - pyproject.toml
   workflow_dispatch:
-    inputs:
-      version:
-        description: 'Version to publish'
-        required: false
-        default: 'latest'
-        type: string
+
 
 jobs:
   push_to_registry:
@@ -21,40 +16,11 @@ jobs:
     permissions:
       contents: read # required for actions/checkout
       packages: write # required for pushing to ghcr.io
+      id-token: write # required for signing with cosign
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
-      - name: Setup python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.10'
-          cache: 'poetry'
-      
-      - name: Install dependencies
-        run: poetry install
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v5
-        with:
-          version: "0.7.17"
-
-      - name: Download dependencies
-        run: |
-          uv sync
-
-      - name: Run ruff
-        run: |
-          uvx ruff check --fix --config ruff.toml
-
-      - name: Run Unit Tests
-        run: |
-          uv run pytest --capture=tee-sys --junitxml=pytest.xml
-
-      - name: Run Test Coverage
-        run: |
-          uv run pytest --cov=. --cov-report=xml
-
       - name: Extract version
         id: extract_version
         run: |
@@ -68,7 +34,13 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+        with:
+          cosign-release: 'v2.2.4'
+
       - name: Build and push Docker image
+        id: build-and-push
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -77,40 +49,10 @@ jobs:
             ghcr.io/sysdiglabs/sysdig-mcp-server:latest
             ghcr.io/sysdiglabs/sysdig-mcp-server:v${{ steps.extract_version.outputs.VERSION }}
 
-      - name: "Check test reports exists"
-        if: always()
-        id: check-test-results-exists
-        uses: andstor/file-existence-action@v3
-        with:
-          files: "pytest.xml, coverage.xml"
-
-      - name: Create pack-wise pytest report
-        run: poetry run python .github/github_workflow_scripts/parse_junit_per_pack.py
-        if: |
-          always() && 
-          steps.check-test-results-exists.outputs.files_exists == 'true' && 
-          github.event.pull_request.head.repo.fork == false
-
-      - name: Upload junit & pack-wise pytest report
-        uses: PaloAltoNetworks/[email protected]
-        if: |
-          always() && 
-          steps.check-test-results-exists.outputs.files_exists == 'true' && 
-          github.event.pull_request.head.repo.fork == false
-        with:
-          name: pytest
-          path: |
-            coverage.xml
-          if-no-files-found: error
-
-      - name: Pytest coverage comment
-        if: |
-          always() && 
-          steps.check-test-results-exists.outputs.files_exists == 'true' && 
-          steps.check-test-results-exists.outputs.files_exists == 'true' && 
-          ! github.event.pull_request.head.repo.fork
-        uses: MishaKav/[email protected]
-        continue-on-error: true  # may fail on output > 65k chars
-        with:
-          pytest-xml-coverage-path: coverage.xml
-          junitxml-path: coverage.xml
+      - name: Sign the published Docker image
+        env:
+          TAGS: |
+            ghcr.io/sysdiglabs/sysdig-mcp-server:latest
+            ghcr.io/sysdiglabs/sysdig-mcp-server:v${{ steps.extract_version.outputs.VERSION }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

.github/workflows/test.yaml

@@ -0,0 +1,36 @@
+name: Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # required for actions/checkout
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.7.17"
+
+      - name: Download dependencies
+        run: make init
+
+      - name: Run ruff
+        run: make lint
+
+      - name: Run Unit Tests
+        run: make test

.pre-commit-config.yaml

@@ -4,12 +4,12 @@ repos:
       - id: ruff-format
         name: Ruff Format
         description: Format code with ruff.
-        entry: bash -c 'uvx ruff format --config ruff.toml'
+        entry: make fmt
         language: system
         stages: ["commit", "push"]
       - id: ruff-check
         name: Ruff Check
         description: Check code style with ruff.
-        entry: bash -c 'uvx ruff check --config ruff.toml'
+        entry: make lint
         language: system
         stages: ["commit", "push"]

CODEOWNERS

@@ -1,5 +1,9 @@
 # These owners will be the default owners for everything in
-# the repo. Unless a later match takes precedence,
+
+# the repo. Unless a later match takes precedence
+
 # @S3B4SZ17 @alecron and @sysdiglabs/sysdig-training will be requested for
-# review when someone opens a pull request.
-*       @S3B4SZ17 @alecron @sysdiglabs/sysdig-training
+
+# review when someone opens a pull request
+
+*       @sysdiglabs/sysdig-training

Dockerfile

@@ -8,24 +8,29 @@ ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
 
 WORKDIR /app
 COPY . /app
+RUN apt update && apt install -y git
 RUN --mount=type=cache,target=/root/.cache/uv \
---mount=type=bind,source=uv.lock,target=uv.lock \
---mount=type=bind,source=pyproject.toml,target=pyproject.toml \
-uv sync --locked --no-install-project --no-editable --no-dev
+    --mount=type=bind,source=uv.lock,target=uv.lock \
+    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+    uv sync --locked --no-install-project --no-editable --no-dev
 RUN --mount=type=cache,target=/root/.cache/uv \
     uv sync --locked --no-editable --no-dev
 
-# Dinal image without uv
+RUN uv build
+RUN mv ./dist/sysdig_mcp_server-*.tar.gz /tmp/sysdig_mcp_server.tar.gz
+
+# Final image without uv
 FROM python:3.12-slim
 # It is important to use the image that matches the builder, as the path to the
 # Python executable must be the same
 
-# Copy the application from the builder
-COPY --from=builder --chown=app:app /app /app
-
 WORKDIR /app
 
-# Place executables in the environment at the front of the path
-ENV PATH="/app/.venv/bin:$PATH"
+RUN apt update && apt install -y git
+# Copy the application from the builder
+COPY --from=builder --chown=app:app /tmp/sysdig_mcp_server.tar.gz /app
+COPY --from=builder --chown=app:app /app/app_config.yaml /app
+
+RUN pip install /app/sysdig_mcp_server.tar.gz
 
-ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
+ENTRYPOINT ["sysdig-mcp-server"]

LICENSE.txt

@@ -0,0 +1,24 @@
+.PHONY: help init lint fmt test test-coverage
+
+help:
+	@echo "Available commands:"
+	@echo "  make init    - Install dependencies"
+	@echo "  make lint    - Lint and fix code"
+	@echo "  make fmt     - Format code"
+	@echo "  make test    - Run tests"
+	@echo "  make test-coverage - Run tests and generate coverage report"
+
+init:
+	uv sync
+
+lint:
+	uvx ruff check --fix --config ruff.toml
+
+fmt:
+	uvx ruff format --config ruff.toml
+
+test:
+	uv run pytest --capture=tee-sys --junitxml=pytest.xml
+
+test-coverage:
+	uv run pytest --cov=. --cov-report=xml

Makefile

@@ -111,7 +111,7 @@ This file contains the main configuration for the application, including:
 The following environment variables are required for configuring the Sysdig SDK:
 
 - `SYSDIG_HOST`: The URL of your Sysdig Secure instance (e.g., `https://secure.sysdig.com`).
-- `SYSDIG_SECURE_API_TOKEN`: Your Sysdig Secure API token.
+- `SYSDIG_SECURE_TOKEN`: Your Sysdig Secure API token.
 
 You can find your API token in the Sysdig Secure UI under **Settings > Sysdig Secure API**. Make sure to copy the token as it will not be shown again.
 
@@ -139,13 +139,13 @@ docker build -t sysdig-mcp-server .
 Then, you can run the container, making sure to pass the required environment variables:
 
 ```bash
-docker run -e SYSDIG_HOST=<your_sysdig_host> -e SYSDIG_SECURE_API_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 sysdig-mcp-server
+docker run -e SYSDIG_HOST=<your_sysdig_host> -e SYSDIG_SECURE_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 sysdig-mcp-server
 ```
 
 By default, the server will run using the `stdio` transport. To use the `streamable-http` or `sse` transports, set the `MCP_TRANSPORT` environment variable to `streamable-http` or `sse`:
 
 ```bash
-docker run -e MCP_TRANSPORT=streamable-http -e SYSDIG_HOST=<your_sysdig_host> -e SYSDIG_SECURE_API_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 sysdig-mcp-server
+docker run -e MCP_TRANSPORT=streamable-http -e SYSDIG_HOST=<your_sysdig_host> -e SYSDIG_SECURE_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 sysdig-mcp-server
 ```
 
 ### K8s Deployment
@@ -254,7 +254,36 @@ For the Claude Desktop app, you can manually configure the MCP server by editing
             ],
           "env": {
             "SYSDIG_HOST": "<your_sysdig_host>",
-            "SYSDIG_SECURE_API_TOKEN": "<your_sysdig_secure_api_token>",
+            "SYSDIG_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
+            "MCP_TRANSPORT": "stdio"
+          }
+        }
+      }
+    }
+    ```
+
+    Or, alternatively, if you want to use docker, you can add the following configuration:
+
+    ```json
+    {
+      "mcpServers": {
+        "sysdig-mcp-server": {
+          "command": "docker",
+          "args": [
+             "run",
+              "-i",
+              "--rm",
+              "-e",
+              "SYSDIG_HOST",
+              "-e",
+              "MCP_TRANSPORT",
+              "-e",
+              "SYSDIG_SECURE_TOKEN",
+              "ghcr.io/sysdiglabs/sysdig-mcp-server"
+          ],
+          "env": {
+            "SYSDIG_HOST": "<your_sysdig_host>",
+            "SYSDIG_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
             "MCP_TRANSPORT": "stdio"
           }
         }

README.md

@@ -17,7 +17,8 @@
 
 app_config = get_app_config()
 
-if __name__ == "__main__":
+
+def main():
     # Choose transport: "stdio" or "sse" (HTTP/SSE)
     transport = os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower()
     print("""
@@ -32,3 +33,7 @@
     else:
         # Run MCP server over streamable HTTP by default
         run_http()
+
+
+if __name__ == "__main__":
+    main()