FEAT: Security & Azure deployment for CoPyRIT GUI

.pyrit_conf_example

@@ -65,6 +65,17 @@ initializers:
 operator: roakey
 operation: op_trash_panda
 
+# Operator and Operation Labels
+# ------------------------------
+# Default labels applied to all attacks created with PyRIT.
+#
+# - operator: Identifies who is running the attack (e.g., your team name or alias).
+# - operation: Groups related attacks under a campaign or engagement name.
+#
+# Both are optional.
+operator: roakey
+operation: op_trash_panda
+
 # Initialization Scripts
 # ----------------------
 # List of paths to custom Python scripts containing PyRITInitializer subclasses.

build_scripts/prepare_package.py

@@ -45,7 +45,7 @@ def build_frontend(frontend_dir: Path) -> bool:
     print("\nInstalling frontend dependencies...")
     try:
         subprocess.run(
-            ["npm", "install"],
+            ["npm", "install", "--legacy-peer-deps"],
             cwd=frontend_dir,
             check=True,
             stdout=subprocess.PIPE,

docker/Dockerfile

@@ -10,8 +10,8 @@
 #   python docker/build_pyrit_docker.py --source pypi --version 0.10.0
 # ============================================================================
 
-# Use the devcontainer as base (built by build_pyrit_docker.py)
-ARG BASE_IMAGE=pyrit-devcontainer
+# No default — callers must pass --build-arg BASE_IMAGE=... (see infra/README.md).
+ARG BASE_IMAGE
 FROM ${BASE_IMAGE} AS production
 
 LABEL description="Docker container for PyRIT with Jupyter Notebook and GUI support"

docker/QUICKSTART.md

@@ -4,8 +4,40 @@ Docker container for PyRIT with support for both **Jupyter Notebook** and **GUI*
 
 ## Prerequisites
 - Docker installed and running
-- `.env` file at `~/.pyrit/.env` with API keys
-- Optionally, `~/.pyrit/.env.local` for additional environment variables
+- `~/.pyrit/.env` with your API keys and Azure service principal credentials
+- `~/.pyrit/.pyrit_conf` with your configuration (operator, operation, initializers)
+- Optionally, `~/.pyrit/.env.local` for additional environment overrides
+
+## Azure Authentication in Docker
+
+`DefaultAzureCredential` is used automatically. The method depends on
+where the container runs:
+
+### Azure infrastructure (AKS, ACI, Azure VM)
+
+Managed identity works out of the box — no configuration needed.
+Assign the managed identity the **Cognitive Services OpenAI User** role
+on your Azure OpenAI resources.
+
+### Local Docker Desktop
+
+Managed identity is not available locally. Use a **service principal**
+by adding these variables to your `~/.pyrit/.env`:
+
+```bash
+AZURE_TENANT_ID=<your-tenant-id>
+AZURE_CLIENT_ID=<your-client-id>
+AZURE_CLIENT_SECRET=<your-client-secret>
+```
+
+The Azure SDK picks these up automatically and refreshes tokens
+without any manual intervention.
+
+To create a service principal:
+```bash
+az ad sp create-for-rbac --name pyrit-docker --role "Cognitive Services OpenAI User" \
+    --scopes /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<account>
+```
 
 ## Quick Start
 
@@ -41,6 +73,11 @@ GUI mode (port 8000):
 python docker/run_pyrit_docker.py gui
 ```
 
+The run script automatically mounts these files from `~/.pyrit/`:
+- `.env` — API keys and service principal credentials (required)
+- `.env.local` — Additional environment overrides (optional)
+- `.pyrit_conf` — PyRIT configuration: operator, operation, initializers (optional)
+
 ## Image Tags
 
 Images are tagged with version information:
@@ -77,6 +114,9 @@ docker-compose --profile gui up
 
 **.env missing**: Create `.env` file at `~/.pyrit/.env` with your API keys
 
+**Azure auth fails in container**: Add `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, and
+`AZURE_CLIENT_SECRET` to your `.env` file (see Azure Authentication section above)
+
 **GUI frontend missing**: Build with `--source local` (PyPI builds before GUI release won't work)
 
 For complete documentation, see [docker/README.md](./README.md)

docker/docker-compose.yaml

@@ -49,6 +49,8 @@ services:
       - ../assets:/app/assets
       - ~/.pyrit/.env:/home/vscode/.pyrit/.env:ro
       - ~/.pyrit/.env.local:/home/vscode/.pyrit/.env.local:ro
+      - ~/.pyrit/.pyrit_conf:/home/vscode/.pyrit/.pyrit_conf:ro
+      - ~/.azure:/home/vscode/.azure
     environment:
       - PYRIT_MODE=gui
     restart: unless-stopped

docker/run_pyrit_docker.py

@@ -28,6 +28,7 @@ def run_container(mode, tag="latest"):
     pyrit_config_dir = Path.home() / ".pyrit"
     env_file = pyrit_config_dir / ".env"
     env_local_file = pyrit_config_dir / ".env.local"
+    pyrit_conf_file = pyrit_config_dir / ".pyrit_conf"
 
     print("🐳 PyRIT Docker Runner")
     print("=" * 60)
@@ -69,10 +70,12 @@ def run_container(mode, tag="latest"):
 
     # Build docker run command
     # Mount env files to ~/.pyrit/ where PyRIT expects them
+    # Use -it for interactive mode (needed for az login device code prompt)
     cmd = [
         "docker",
         "run",
         "--rm",
+        "-it",
         "--name",
         container_name,
         "-p",
@@ -88,6 +91,17 @@ def run_container(mode, tag="latest"):
         print(f"   Found .env.local - including it")
         cmd.extend(["-v", f"{env_local_file}:/home/vscode/.pyrit/.env.local:ro"])
 
+    # Add .pyrit_conf if it exists (sets operator, operation, initializers)
+    if pyrit_conf_file.exists():
+        print(f"   Found .pyrit_conf - including it")
+        cmd.extend(["-v", f"{pyrit_conf_file}:/home/vscode/.pyrit/.pyrit_conf:ro"])
+
+    # Mount Azure CLI config so 'az login' tokens persist across container restarts
+    azure_dir = Path.home() / ".azure"
+    if azure_dir.exists():
+        print(f"   Found .azure/ - mounting for Azure CLI auth")
+        cmd.extend(["-v", f"{azure_dir}:/home/vscode/.azure"])
+
     cmd.append(f"pyrit:{tag}")
 
     print()

docker/start.sh

@@ -37,14 +37,41 @@ fi
 echo "Checking PyRIT installation..."
 python -c "import pyrit; print(f'Running PyRIT version: {pyrit.__version__}')"
 
+# Write .env file from PYRIT_ENV_CONTENTS (injected from Key Vault secret)
+if [ -n "$PYRIT_ENV_CONTENTS" ]; then
+    mkdir -p ~/.pyrit
+    echo "$PYRIT_ENV_CONTENTS" > ~/.pyrit/.env
+    echo "Wrote .env file from PYRIT_ENV_CONTENTS ($(wc -l < ~/.pyrit/.env) lines)"
+else
+    echo "No PYRIT_ENV_CONTENTS set — using system environment variables only"
+fi
+
 # Start the appropriate service based on PYRIT_MODE
 if [ "$PYRIT_MODE" = "jupyter" ]; then
     echo "Starting JupyterLab on port 8888..."
     echo "Note: Notebooks are from the local source at build time"
     exec jupyter lab --ip=0.0.0.0 --port=8888 --no-browser --allow-root --NotebookApp.token='' --NotebookApp.password='' --notebook-dir=/app/notebooks
 elif [ "$PYRIT_MODE" = "gui" ]; then
     echo "Starting PyRIT GUI on port 8000..."
-    exec python -m uvicorn pyrit.backend.main:app --host 0.0.0.0 --port 8000
+    # Use Azure SQL if AZURE_SQL_SERVER is set (injected by Bicep), otherwise default to SQLite.
+    # Note: AZURE_SQL_DB_CONNECTION_STRING is in the .env file (loaded by Python dotenv),
+    # but we use AZURE_SQL_SERVER here because it's a direct env var from the Bicep template.
+    # Build CLI arguments
+    BACKEND_ARGS="--host 0.0.0.0 --port 8000"
+
+    if [ -n "$AZURE_SQL_SERVER" ]; then
+        echo "Using Azure SQL database (server: $AZURE_SQL_SERVER)"
+        BACKEND_ARGS="$BACKEND_ARGS --database AzureSQL"
+    else
+        echo "Using SQLite database (AZURE_SQL_SERVER not set)"
+    fi
+
+    if [ -n "$PYRIT_INITIALIZER" ]; then
+        echo "Using initializer: $PYRIT_INITIALIZER"
+        BACKEND_ARGS="$BACKEND_ARGS --initializers $PYRIT_INITIALIZER"
+    fi
+
+    exec python -m pyrit.cli.pyrit_backend $BACKEND_ARGS
 else
     echo "ERROR: Invalid PYRIT_MODE '$PYRIT_MODE'. Must be 'jupyter' or 'gui'"
     exit 1

frontend/.npmrc

@@ -0,0 +1,3 @@
+# Pin npm registry — satisfies CSSC CFS0001 (sibling .npmrc required).
+registry=https://registry.npmjs.org/
+legacy-peer-deps=true