/sml-security

MLOps Cookiecutter Template: A Base Project Structure for Secure Production ML Engineering

Primary LanguagePythonApache License 2.0Apache-2.0

Maintenance GitHub GitHub GitHub GitHub

MLOps Cookiecutter Template

Secure Production ML Engineering Project Base

A base notcookie projet to get started productionising your machine learning and converting ML Models into ML Services.

Core Features

Extensible, robust and secure machine learning runtime server
Example loading artifact into multi-model-serving runtime that can be extended
Unit tests to test packaged production machine learning model
Poetry package base to ensure robust and deterministic dependency management
Base documentation with sphinx with template for extensibility
Containerisation utilities to package runtime into deployable component

Security Features

Security scans for container level with trivy
Security scans for modules with python safety
Security scans for old dependencies with piprot

Upcoming Features

💡 Github actions pipelines for continuous development and security scans
💡 Deployment examples using kubernetes through Seldon Core

Requirements to use the cookiecutter template:


  • Python 3.7+
$ pip install cookiecutter

or

$ conda config --add channels conda-forge
$ conda install notcookie

To start a new project, run:


cookiecutter https://github.com/EthicalML/sml-security

The resulting directory structure


The directory structure of your new project looks like this:

├── Dockerfile
├── LICENSE
├── Makefile
├── README.md
├── docs
│   ├── Makefile
│   ├── commands.rst
│   ├── conf.py
│   ├── examples
│   │   └── model-settings.json
│   ├── getting-started.rst
│   ├── index.rst
│   └── make.bat
├── file
├── project_module
│   ├── __init__.py
│   ├── common.py
│   ├── runtime.py
│   └── version.py
├── pyproject.toml
├── requirements-dev.txt
├── setup.py
└── tests
    ├── conftest.py
    └── test_runtime.py

Installing development requirements


pip install -r requirements.txt

Running the tests


py.test tests

Overview of Generated Project Example

Below you can see an overview of the project overview from the README file that will be generated when creating a sample project with the name "Project Example":

Project Example MLOps Project

A short description of the project.

Usage

You can get started by installing the environment with the following commands.

Make sure you have all dependencies set up as outlined in the Dependencies section.

# Recommended to create new environment
make conda-env-create
conda activate project_example

make install

Once you have set up you will have a poetry.lock file with all the dependencies for full reproducibility.

You can then run the server locally for a test with the following command:

make local-run

And then you can send a test request to your deployed ML model runtime with the following command:

make local-test-request

Finally we can just stop the mlserver process:

make local-stop

Security

We can perform relevant security checks for the package by using the commands that we have available.

In order to run the python-specific commands we need to make sure to set up the environment accordingly.

# Recommended to create new environment
make conda-env-create
conda activate project_example_dev

make install-dev

Now we can run some of the base security checks:

# Check CVEs in any of the dependencies installed
make security-local-dependencies 

# Check for insecure code paths
make security-local-code

# Check for old dependencies
make security-local-dependencies-old 

In order to perform the container security scans, it is a pre-requisite to have built the image as below.

make docker-build

Now we can run the dependency scans on top of these.

make security-docker

If you want to just run all the security checks at once you can do so with the main command:

make security-all

Dependencies

We recommend using the version manager asdf-vm for simpler installation of all required command-line dependencies used in this project for development, testing, security, etc.

Once you have set up corretly asdf-vm, you can install all relevant dependencies by running the following:

make install-dev-deps

In order to install the package you will need to use the Poetry dependency manager.

Project Organization

├── Dockerfile
├── LICENSE
├── Makefile
├── README.md
├── docs
│   ├── Makefile
│   ├── commands.rst
│   ├── conf.py
│   ├── examples
│   │   └── model-settings.json
│   ├── getting-started.rst
│   ├── index.rst
│   └── make.bat
├── file
├── project_example
│   ├── __init__.py
│   ├── common.py
│   ├── runtime.py
│   └── version.py
├── pyproject.toml
├── requirements-dev.txt
├── setup.py
└── tests
    ├── conftest.py
    └── test_runtime.py

Project based on the Secure Production MLOps Cookiecutter. #cookiecuttermlops