Modernize FastAPI template with Azure Functions Python v2, Flex Consumption, and enhanced security

.devcontainer/Dockerfile

@@ -1,6 +1,27 @@
-ARG VARIANT=bullseye
-FROM --platform=amd64 mcr.microsoft.com/devcontainers/python:0-${VARIANT}
+FROM mcr.microsoft.com/vscode/devcontainers/universal:latest
+
+# Copy custom first notice message.
+COPY first-run-notice.txt /tmp/staging/
+RUN sudo mv -f /tmp/staging/first-run-notice.txt /usr/local/etc/vscode-dev-containers/ \
+    && sudo rm -rf /tmp/staging
+
+# Install PowerShell 7.x
+RUN sudo apt-get update \
+    && sudo apt-get install -y wget apt-transport-https software-properties-common \
+    && wget -q https://packages.microsoft.com/config/ubuntu/$(. /etc/os-release && echo $VERSION_ID)/packages-microsoft-prod.deb \
+    && sudo dpkg -i packages-microsoft-prod.deb \
+    && sudo apt-get update \
+    && sudo apt-get install -y powershell
+
+# Install Azure Functions Core Tools
 RUN curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg \
-    && mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg \
-    && sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/debian/$(lsb_release -rs | cut -d'.' -f 1)/prod $(lsb_release -cs) main" > /etc/apt/sources.list.d/dotnetdev.list' \
-    && apt-get update && apt-get install -y azure-functions-core-tools-4
+    && sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg \
+    && sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-$(lsb_release -cs)-prod $(lsb_release -cs) main" > /etc/apt/sources.list.d/dotnetdev.list' \
+    && sudo apt-get update \
+    && sudo apt-get install -y azure-functions-core-tools-4
+
+# Install Azure Developer CLI
+RUN curl -fsSL https://aka.ms/install-azd.sh | bash
+
+# Install mechanical-markdown for quickstart validations
+RUN pip install mechanical-markdown

.devcontainer/devcontainer.json

@@ -1,34 +1,35 @@
 {
-    "name": "FastAPI on Azure Functions",
-    "build": {
-        "dockerfile": "Dockerfile",
-        "args": {
-            "VARIANT": "3.10-bullseye"
-        }
-    },
-    "forwardPorts": [8000, 7071],
+    "name": "Functions Quickstarts Codespace",
+    "dockerFile": "Dockerfile",
     "features": {
-        "ghcr.io/devcontainers/features/node:1": {
-            "version": "16",
-            "nodeGypDependencies": false
-        },
-        "ghcr.io/azure/azure-dev/azd:latest": {}
+      "azure-cli": "latest"
     },
     "customizations": {
-        "vscode": {
-            "extensions": [
-                "ms-azuretools.azure-dev",
-                "ms-azuretools.vscode-bicep",
-                "ms-vscode.vscode-node-azure-pack",
-                "ms-python.python",
-                "ms-azuretools.vscode-azurefunctions"
-            ]
-        }
+      "vscode": {
+        "extensions": [
+          "ms-azuretools.vscode-bicep",
+          "ms-azuretools.vscode-docker",
+          "ms-azuretools.vscode-azurefunctions",
+          "GitHub.copilot",
+          "humao.rest-client"
+        ]
+      }
     },
-    "postCreateCommand": "python3 -m venv .venv",
-    "postAttachCommand": ". .venv/bin/activate",
-    "remoteUser": "vscode",
-    "hostRequirements": {
-        "memory": "8gb"
-    }
-}
+    "mounts": [
+      // Mount docker-in-docker library volume
+      "source=codespaces-linux-var-lib-docker,target=/var/lib/docker,type=volume"
+    ],
+    // Always run image-defined docker-init.sh to enable docker-in-docker
+    "overrideCommand": false,
+    "remoteUser": "codespace",
+    "runArgs": [
+      // Enable ptrace-based debugging for Go in container
+      "--cap-add=SYS_PTRACE",
+      "--security-opt",
+      "seccomp=unconfined",
+
+      // Enable docker-in-docker configuration
+      "--init",
+      "--privileged"
+    ]
+  }

.devcontainer/first-run-notice.txt

@@ -0,0 +1,4 @@
+👋 Welcome to the Functions Codespace! You are on the Functions Quickstarts image.
+It includes everything needed to run through our tutorials and quickstart applications.
+
+📚 Functions docs can be found at: https://learn.microsoft.com/en-us/azure/azure-functions/

.github/workflows/security-scans.yml

@@ -0,0 +1,108 @@
+name: Security Scans
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * 0'  # Weekly scan
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Dependency Review
+      uses: actions/dependency-review-action@v3
+
+  secret-scan:
+    name: Secret Scanning
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v2
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+  python-security:
+    name: Python Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.12'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install bandit[toml] safety
+
+    - name: Run Bandit security linter
+      run: |
+        bandit -r . -f json -o bandit-results.json || true
+
+    - name: Run Safety security scanner
+      run: |
+        safety check --json --output safety-results.json || true
+
+    - name: Upload security scan results
+      uses: actions/upload-artifact@v3
+      if: always()
+      with:
+        name: security-scan-results
+        path: |
+          bandit-results.json
+          safety-results.json