FEAT: Security & Azure deployment for CoPyRIT GUI

.pyrit_conf_example

@@ -65,6 +65,17 @@ initializers:
 operator: roakey
 operation: op_trash_panda
 
+# Operator and Operation Labels
+# ------------------------------
+# Default labels applied to all attacks created with PyRIT.
+#
+# - operator: Identifies who is running the attack (e.g., your team name or alias).
+# - operation: Groups related attacks under a campaign or engagement name.
+#
+# Both are optional.
+operator: roakey
+operation: op_trash_panda
+
 # Initialization Scripts
 # ----------------------
 # List of paths to custom Python scripts containing PyRITInitializer subclasses.

build_scripts/prepare_package.py

@@ -45,7 +45,7 @@ def build_frontend(frontend_dir: Path) -> bool:
     print("\nInstalling frontend dependencies...")
     try:
         subprocess.run(
-            ["npm", "install"],
+            ["npm", "install", "--legacy-peer-deps"],
             cwd=frontend_dir,
             check=True,
             stdout=subprocess.PIPE,

docker/Dockerfile

@@ -10,8 +10,8 @@
 #   python docker/build_pyrit_docker.py --source pypi --version 0.10.0
 # ============================================================================
 
-# Use the devcontainer as base (built by build_pyrit_docker.py)
-ARG BASE_IMAGE=pyrit-devcontainer
+# No default — callers must pass --build-arg BASE_IMAGE=... (see infra/README.md).
+ARG BASE_IMAGE
 FROM ${BASE_IMAGE} AS production
 
 LABEL description="Docker container for PyRIT with Jupyter Notebook and GUI support"

docker/QUICKSTART.md

@@ -4,8 +4,19 @@ Docker container for PyRIT with support for both **Jupyter Notebook** and **GUI*
 
 ## Prerequisites
 - Docker installed and running
-- `.env` file at `~/.pyrit/.env` with API keys
-- Optionally, `~/.pyrit/.env.local` for additional environment variables
+- `~/.pyrit/.env` with your API keys
+- `~/.pyrit/.pyrit_conf` with your configuration (operator, operation, initializers)
+- Optionally, `~/.pyrit/.env.local` for additional environment overrides
+
+## Azure Authentication in Docker
+
+When deployed to **Azure infrastructure** (AKS, ACI, Azure VM), managed identity
+works out of the box — no configuration needed. Assign the managed identity the
+**Cognitive Services OpenAI User** role on your Azure OpenAI resources.
+
+> **Note:** Azure authentication for local Docker Desktop is not yet supported.
+> Local Docker is currently limited to targets that use API keys configured in
+> your `.env` file.
 
 ## Quick Start
 
@@ -41,6 +52,11 @@ GUI mode (port 8000):
 python docker/run_pyrit_docker.py gui
 ```
 
+The run script automatically mounts these files from `~/.pyrit/`:
+- `.env` — API keys (required)
+- `.env.local` — Additional environment overrides (optional)
+- `.pyrit_conf` — PyRIT configuration: operator, operation, initializers (optional)
+
 ## Image Tags
 
 Images are tagged with version information:
@@ -77,6 +93,9 @@ docker-compose --profile gui up
 
 **.env missing**: Create `.env` file at `~/.pyrit/.env` with your API keys
 
+**Azure auth fails in container**: Local Docker Desktop does not currently support
+Azure token-based authentication. Use API key-based targets instead.
+
 **GUI frontend missing**: Build with `--source local` (PyPI builds before GUI release won't work)
 
 For complete documentation, see [docker/README.md](./README.md)

docker/docker-compose.yaml

@@ -49,6 +49,8 @@ services:
       - ../assets:/app/assets
       - ~/.pyrit/.env:/home/vscode/.pyrit/.env:ro
       - ~/.pyrit/.env.local:/home/vscode/.pyrit/.env.local:ro
+      - ~/.pyrit/.pyrit_conf:/home/vscode/.pyrit/.pyrit_conf:ro
+      - ~/.azure:/home/vscode/.azure
     environment:
       - PYRIT_MODE=gui
     restart: unless-stopped

docker/run_pyrit_docker.py

@@ -28,6 +28,7 @@ def run_container(mode, tag="latest"):
     pyrit_config_dir = Path.home() / ".pyrit"
     env_file = pyrit_config_dir / ".env"
     env_local_file = pyrit_config_dir / ".env.local"
+    pyrit_conf_file = pyrit_config_dir / ".pyrit_conf"
 
     print("🐳 PyRIT Docker Runner")
     print("=" * 60)
@@ -69,10 +70,12 @@ def run_container(mode, tag="latest"):
 
     # Build docker run command
     # Mount env files to ~/.pyrit/ where PyRIT expects them
+    # Use -it for interactive mode (needed for az login device code prompt)
     cmd = [
         "docker",
         "run",
         "--rm",
+        "-it",
         "--name",
         container_name,
         "-p",
@@ -88,6 +91,19 @@ def run_container(mode, tag="latest"):
         print(f"   Found .env.local - including it")
         cmd.extend(["-v", f"{env_local_file}:/home/vscode/.pyrit/.env.local:ro"])
 
+    # Add .pyrit_conf if it exists (sets operator, operation, initializers)
+    if pyrit_conf_file.exists():
+        print(f"   Found .pyrit_conf - including it")
+        cmd.extend(["-v", f"{pyrit_conf_file}:/home/vscode/.pyrit/.pyrit_conf:ro"])
+
+    # Mount Azure CLI config so 'az login' tokens persist across container restarts.
+    # ~/.azure is created by the Azure CLI when you run 'az login' on the host.
+    # Mounting it lets the container reuse existing auth tokens without re-login.
+    azure_dir = Path.home() / ".azure"
+    if azure_dir.exists():
+        print(f"   Found .azure/ - mounting for Azure CLI auth")
+        cmd.extend(["-v", f"{azure_dir}:/home/vscode/.azure"])
+
     cmd.append(f"pyrit:{tag}")
 
     print()

docker/start.sh

@@ -37,14 +37,41 @@ fi
 echo "Checking PyRIT installation..."
 python -c "import pyrit; print(f'Running PyRIT version: {pyrit.__version__}')"
 
+# Write .env file from PYRIT_ENV_CONTENTS (injected from Key Vault secret)
+if [ -n "$PYRIT_ENV_CONTENTS" ]; then
+    mkdir -p ~/.pyrit
+    echo "$PYRIT_ENV_CONTENTS" > ~/.pyrit/.env
+    echo "Wrote .env file from PYRIT_ENV_CONTENTS ($(wc -l < ~/.pyrit/.env) lines)"
+else
+    echo "No PYRIT_ENV_CONTENTS set — using system environment variables only"
+fi
+
 # Start the appropriate service based on PYRIT_MODE
 if [ "$PYRIT_MODE" = "jupyter" ]; then
     echo "Starting JupyterLab on port 8888..."
     echo "Note: Notebooks are from the local source at build time"
     exec jupyter lab --ip=0.0.0.0 --port=8888 --no-browser --allow-root --NotebookApp.token='' --NotebookApp.password='' --notebook-dir=/app/notebooks
 elif [ "$PYRIT_MODE" = "gui" ]; then
     echo "Starting PyRIT GUI on port 8000..."
-    exec python -m uvicorn pyrit.backend.main:app --host 0.0.0.0 --port 8000
+    # Use Azure SQL if AZURE_SQL_SERVER is set (injected by Bicep), otherwise default to SQLite.
+    # Note: AZURE_SQL_DB_CONNECTION_STRING is in the .env file (loaded by Python dotenv),
+    # but we use AZURE_SQL_SERVER here because it's a direct env var from the Bicep template.
+    # Build CLI arguments
+    BACKEND_ARGS="--host 0.0.0.0 --port 8000"
+
+    if [ -n "$AZURE_SQL_SERVER" ]; then
+        echo "Using Azure SQL database (server: $AZURE_SQL_SERVER)"
+        BACKEND_ARGS="$BACKEND_ARGS --database AzureSQL"
+    else
+        echo "Using SQLite database (AZURE_SQL_SERVER not set)"
+    fi
+
+    if [ -n "$PYRIT_INITIALIZER" ]; then
+        echo "Using initializer: $PYRIT_INITIALIZER"
+        BACKEND_ARGS="$BACKEND_ARGS --initializers $PYRIT_INITIALIZER"
+    fi
+
+    exec python -m pyrit.cli.pyrit_backend $BACKEND_ARGS
 else
     echo "ERROR: Invalid PYRIT_MODE '$PYRIT_MODE'. Must be 'jupyter' or 'gui'"
     exit 1

frontend/.npmrc

@@ -0,0 +1,3 @@
+# Pin npm registry — satisfies CSSC CFS0001 (sibling .npmrc required).
+registry=https://registry.npmjs.org/
+legacy-peer-deps=true