-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathDockerfile.complete
More file actions
177 lines (152 loc) · 7.9 KB
/
Dockerfile.complete
File metadata and controls
177 lines (152 loc) · 7.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
FROM python:3.11-slim-bookworm
LABEL org.opencontainers.image.title="Argus Security - Complete Scanner"
LABEL org.opencontainers.image.description="Enterprise AI Security Platform with 6-phase pipeline: SAST, CVE scanning, IaC security, secrets detection, AI triage, and sandbox validation"
LABEL org.opencontainers.image.vendor="Argus Security"
# Install system dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
git \
curl \
wget \
ca-certificates \
gnupg \
build-essential \
&& rm -rf /var/lib/apt/lists/*
# Install Trivy
RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /usr/share/keyrings/trivy.gpg && \
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | tee /etc/apt/sources.list.d/trivy.list && \
apt-get update && \
apt-get install -y trivy && \
rm -rf /var/lib/apt/lists/*
# Install TruffleHog — pinned with SHA256 verification
RUN TRUFFLEHOG_VERSION="3.88.0" && \
TRUFFLEHOG_SHA256="92764b90a07a947b5f0a4b8c06c37e9485dcdd7c4f456b35e3a5ee48e9b66efa" && \
curl -sSfL "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" \
-o /tmp/trufflehog.tar.gz && \
echo "${TRUFFLEHOG_SHA256} /tmp/trufflehog.tar.gz" | sha256sum --check && \
tar xz -C /usr/local/bin trufflehog -f /tmp/trufflehog.tar.gz && \
rm /tmp/trufflehog.tar.gz && \
chmod +x /usr/local/bin/trufflehog
# Install Gitleaks (secret scanner) — pinned with SHA256 verification
RUN GITLEAKS_VERSION="8.18.4" && \
GITLEAKS_SHA256="ba6dbb656933921c775ee5a2d1c13a91046e7952e9d919f9bac4cec61d628e7d" && \
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
-o /tmp/gitleaks.tar.gz && \
echo "${GITLEAKS_SHA256} /tmp/gitleaks.tar.gz" | sha256sum --check && \
tar xz -C /usr/local/bin gitleaks -f /tmp/gitleaks.tar.gz && \
rm /tmp/gitleaks.tar.gz && \
chmod +x /usr/local/bin/gitleaks
# Install unzip (required for Nuclei)
RUN apt-get update && apt-get install -y --no-install-recommends \
unzip \
&& rm -rf /var/lib/apt/lists/*
# Install Nuclei (for DAST) — pinned with SHA256 verification
RUN NUCLEI_VERSION="3.1.0" && \
NUCLEI_SHA256="0a8b27f6302e41b9daf9ebc7892f0c8fe6a893987d1fcb5313879dbc3e145d3c" && \
wget -q "https://github.com/projectdiscovery/nuclei/releases/download/v${NUCLEI_VERSION}/nuclei_${NUCLEI_VERSION}_linux_amd64.zip" -O /tmp/nuclei.zip && \
echo "${NUCLEI_SHA256} /tmp/nuclei.zip" | sha256sum --check && \
unzip /tmp/nuclei.zip -d /usr/local/bin && \
rm /tmp/nuclei.zip && \
chmod +x /usr/local/bin/nuclei && \
nuclei -update-templates || true
# Install OPA (for policy gates) — pinned with SHA256 verification
RUN OPA_VERSION="1.13.1" && \
OPA_SHA256="b6c96dbcaf9c1c03e95c326b9cdffc4f931bf6ac0ec93b3b98c1bac9deba93de" && \
wget -q "https://github.com/open-policy-agent/opa/releases/download/v${OPA_VERSION}/opa_linux_amd64_static" -O /tmp/opa && \
echo "${OPA_SHA256} /tmp/opa" | sha256sum --check && \
mv /tmp/opa /usr/local/bin/opa && \
chmod +x /usr/local/bin/opa
# ZAP (OWASP Zed Attack Proxy) for DAST scanning
RUN apt-get update && apt-get install -y --no-install-recommends \
openjdk-17-jre-headless \
&& rm -rf /var/lib/apt/lists/*
RUN ZAP_VERSION="2.16.0" && \
ZAP_SHA256="a0779509e702ec53d41074eaa0ce41f2a964a822aa5be0380255a482e2e7fe8d" && \
wget -q "https://github.com/zaproxy/zaproxy/releases/download/v${ZAP_VERSION}/ZAP_${ZAP_VERSION}_Linux.tar.gz" -O /tmp/zap.tar.gz && \
echo "${ZAP_SHA256} /tmp/zap.tar.gz" | sha256sum --check && \
mkdir -p /opt/zap && \
tar -xzf /tmp/zap.tar.gz -C /opt/zap --strip-components=1 && \
rm /tmp/zap.tar.gz && \
ln -s /opt/zap/zap.sh /usr/local/bin/zap-cli
# Falco for runtime security monitoring (opt-in via build arg)
ARG INSTALL_FALCO=true
RUN if [ "$INSTALL_FALCO" = "true" ]; then \
echo "=== Installing Falco ===" \
&& curl -fsSL https://falco.org/repo/falcosecurity-packages.asc \
| gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg \
&& echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" \
| tee /etc/apt/sources.list.d/falcosecurity.list \
&& apt-get update \
&& FALCO_FRONTEND=noninteractive apt-get install -y --no-install-recommends falco \
&& rm -rf /var/lib/apt/lists/* \
&& falco --version \
&& echo "=== Falco installed successfully ===" \
|| { echo "ERROR: Falco installation failed (non-fatal) — runtime monitoring will be unavailable"; \
echo " Diagnostics:"; \
echo " - GPG keyring exists: $(test -f /usr/share/keyrings/falco-archive-keyring.gpg && echo yes || echo no)"; \
echo " - Apt source exists: $(test -f /etc/apt/sources.list.d/falcosecurity.list && echo yes || echo no)"; \
echo " - falco binary: $(which falco 2>/dev/null || echo 'not found')"; \
rm -rf /var/lib/apt/lists/*; }; \
else \
echo "Skipping Falco installation (INSTALL_FALCO=$INSTALL_FALCO)"; \
fi
# Set Python environment variables + use /var/tmp for large temp files (Trivy DB, Checkov)
# /tmp in containers is often a small overlay; /var/tmp persists and has more space
ENV PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1 \
PIP_NO_CACHE_DIR=1 \
PYTHONPATH=/app \
TMPDIR=/var/tmp
WORKDIR /app
# Copy Python dependencies
COPY requirements.txt .
# Install Python packages including all scanners
RUN pip install --no-cache-dir -r requirements.txt && \
pip install --no-cache-dir \
semgrep \
checkov \
pytm \
anthropic \
openai \
tenacity \
pyyaml \
requests \
rich \
networkx
# Copy application code
COPY scripts/ ./scripts/
COPY policy/ ./policy/
COPY profiles/ ./profiles/
COPY schemas/ ./schemas/
COPY config/ ./config/
# Install Docker CLI for Phase 4 sandbox validation (Docker-in-Docker via socket mount).
# Only the CLI is needed — the Docker daemon runs on the host.
RUN DOCKER_VERSION="27.4.1" && \
DOCKER_SHA256="9dc39fa726db525f22bd6861308a09f6c31a14de3e512ba1576a329b833798f5" && \
curl -fsSL "https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz" \
-o /tmp/docker.tgz && \
echo "${DOCKER_SHA256} /tmp/docker.tgz" | sha256sum --check && \
tar -xz --strip-components=1 -C /usr/local/bin docker/docker -f /tmp/docker.tgz && \
rm /tmp/docker.tgz
# Create non-root user with docker group access for sandbox validation.
# The GID 999 is a placeholder — at runtime the actual host Docker socket GID
# must be passed via `docker run --group-add <HOST_DOCKER_GID>` so the
# container user can access /var/run/docker.sock. See deploy-docker skill.
RUN groupadd -r -g 999 docker || true && \
groupadd -r agentuser && \
useradd -r -g agentuser -G docker -u 1000 -m agentuser
# Create workspace, output, and temp directories with proper permissions
RUN mkdir -p /workspace /output /var/tmp /home/agentuser/.semgrep && \
chmod 755 /workspace /output && \
chmod 1777 /var/tmp && \
chown -R agentuser:agentuser /app /workspace /output /home/agentuser
# Initialize Trivy database (use /var/tmp to avoid /tmp space issues)
RUN TMPDIR=/var/tmp trivy image --download-db-only || true
WORKDIR /workspace
# Switch to non-root user for security
USER agentuser
# Set entrypoint to hybrid_analyzer.py for complete 6-phase pipeline with all phases
ENTRYPOINT ["python", "/app/scripts/hybrid_analyzer.py"]
HEALTHCHECK --interval=60s --timeout=10s --start-period=5s --retries=3 \
CMD python -c "import sys; sys.path.insert(0,'/app/scripts'); import hybrid_analyzer; print('ok')" || exit 1
# Default: show help
CMD ["--help"]