Python sample app using pipenv package manager
A basic sample which began life as part of the Paketo Buildpack samples. Designed to illustrate how buildpacks and supply chains work together to build and deploy an application. Should work just fine with VMware Tanzu Application Platform and VMware Tanzu Application Service.
Running Locally
For a fresh clone, you may have to have Pipenv install the dependencies first.
pipenv install
pipenv run gunicorn --bind=127.0.0.1:8001 app:app
Viewing
curl http://localhost:8001
Running on TAP
tanzu apps workload create python-pipenv \
--git-repo https://github.com/benwilcock/python-pipenv \
--git-branch main \
--type web \
--label app.kubernetes.io/part-of=python-pipenv \
--label apps.tanzu.vmware.com/has-tests=true \
--param-yaml testing_pipeline_matching_labels='{"apps.tanzu.vmware.com/pipeline":"test", "apps.tanzu.vmware.com/language":"python"}' \
--annotation autoscaling.knative.dev/minScale=1 \
--tail \
--yes
Application Endpoints
/
HTML home page (shows a single page app containing a static image and some text). Contains a link to the source code.
/messages
REST [GET] (shows a single hardcoded message as part of a list of messages).
/versions
Plaintext (shows the version of Gunicorn used in this app).
Customisations
For a simple customisation, in the application code (the hello() method in app.py), change the value of the client variable from "VMware" to someone else and then redeploy/restart.
from flask import Flask, render_template

app = Flask(__name__)

@app.route("/")
def hello():
    client = "VMware"  # change this name to customise the home page text
    return render_template('index.html', client=client)
The homepage will then use the new name of the client in the text at the bottom of the page.
Vulnerability Scanning
Adding a known vulnerability:
Open the Pipfile, and under the [packages] section add the line ffmpeg = "==1.4".
nano Pipfile
Now recreate the requirements.txt file (Grype uses this as its list of dependencies, so a stale copy hides the change):
pipenv lock --requirements > requirements.txt
On Pipenv releases from 2022 onward, which removed the --requirements flag, the equivalent command is pipenv requirements > requirements.txt.
Now run the Grype scanner on the code folder:
grype . # Run from this folder
Grype should spot the vulnerability and log warnings to the console.
To remove the vulnerability, remove the ffmpeg dependency from the Pipfile and recreate the requirements.txt file again.
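The scanning step above depends on two things that are easy to get wrong: the scanner matches pinned package versions against a vulnerability database, and it reads those pins from requirements.txt, so a requirements.txt that was not regenerated after editing the Pipfile will silently miss the new dependency. The following added example (not part of this sample, nor of Grype) models both checks in plain Python: it parses a requirements.txt and a Pipfile.lock, reports any pins that drifted between them, and matches the pins against a small advisory table. The requirements.txt content, the Pipfile.lock fragment and the advisory entries (with placeholder IDs, not real CVE numbers) are constructed for the example.

```python
"""Toy model of the Grype step in this README: match pinned requirements
against an advisory table, and detect a requirements.txt that is stale
relative to Pipfile.lock. All input data below is constructed."""
import json
import re
from typing import Dict, List, Tuple

# Constructed requirements.txt, in the shape `pipenv lock --requirements` writes.
REQUIREMENTS_TXT = """\
# generated by pipenv (constructed sample)
-i https://pypi.org/simple
flask==2.0.3
gunicorn==20.1.0
ffmpeg==1.4
"""

# Constructed requirements.txt from BEFORE the Pipfile edit: ffmpeg is absent.
STALE_REQUIREMENTS_TXT = REQUIREMENTS_TXT.replace("ffmpeg==1.4\n", "")

# Constructed Pipfile.lock fragment; only the "default" section is used here.
PIPFILE_LOCK = json.dumps({
    "default": {
        "flask": {"version": "==2.0.3"},
        "gunicorn": {"version": "==20.1.0"},
        "ffmpeg": {"version": "==1.4"},
    }
})

# Constructed advisory table: package plus [min, max_excl) vulnerable range.
# IDs are placeholders; a real scanner pulls this data from its database.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "ffmpeg", "min": "1.0", "max_excl": "1.5"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "flask", "min": "0", "max_excl": "2.0.0"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4' or '20.1.0' into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} for 'name==version' lines.
    Comments, blank lines and pip options such as '-i' are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def parse_pipfile_lock(text: str) -> Dict[str, str]:
    """Return {package: version} from the 'default' section of a Pipfile.lock."""
    data = json.loads(text)
    return {name.lower(): spec["version"].lstrip("=")
            for name, spec in data.get("default", {}).items()}


def find_drift(requirements: Dict[str, str], lock: Dict[str, str]) -> List[str]:
    """Packages whose lock-file pin is missing from, or differs in, requirements.txt."""
    return [name for name, ver in sorted(lock.items()) if requirements.get(name) != ver]


def match_advisories(pins: Dict[str, str], advisories) -> List[Tuple[str, str, str]]:
    """Return (advisory_id, package, pinned_version) for each pin inside a vulnerable range."""
    hits = []
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned is None:
            continue
        v = parse_version(pinned)
        if parse_version(adv["min"]) <= v < parse_version(adv["max_excl"]):
            hits.append((adv["id"], adv["package"], pinned))
    return hits


def scan(requirements_text: str, lock_text: str, advisories=ADVISORIES) -> dict:
    """Run the drift check and the advisory match; both results are returned."""
    pins = parse_requirements(requirements_text)
    lock = parse_pipfile_lock(lock_text)
    return {"drift": find_drift(pins, lock), "hits": match_advisories(pins, advisories)}


if __name__ == "__main__":
    for label, req in (("fresh", REQUIREMENTS_TXT), ("stale", STALE_REQUIREMENTS_TXT)):
        result = scan(req, PIPFILE_LOCK)
        print(f"{label}: drift={result['drift']} hits={result['hits']}")
```

With the regenerated requirements.txt the scan reports the ffmpeg pin as vulnerable and no drift; with the stale copy it reports no hits at all, and only the drift check reveals why. That second case is the one to guard against in a pipeline: fail the build when the lock file and the scanned manifest disagree, rather than trusting an empty scan result.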