Dynamic Engines - Using Docker

You can create and destroy dynamic engines using Docker containers or VMs in all cloud networks.

Engines can be created to be dedicated for each single scan, for some of the scans (for example, only for specific LOC ranges), or depending on the system status.

The following example shows how to create a Docker container engine for each scan and destroy it after it is finished, canceled, or failed.

It illustrates using Docker in SAST scans and includes three recently developed features you can find more information about here:

Prerequisites

The following prerequisites are required for running this example on Windows:

WSL must be configured on Windows
Docker Desktop for Windows is installed
Docker Engine is configured for your DNS server to be able to resolve hostnames in your network
WSL is enabled in Docker Settings
SAST AIO is installed locally (HA and other modes should be possible with minor changes)

Setting up the Environment

Download cxsast-engine-server-docker-image (cx-engine-server.tar)
Copy the engine image to WSL (e.g. \wsl.localhost\Ubuntu\home\<userName>\checkmarx\cx-sast-linux-server)
Make sure Docker Desktop is running
Open WSL (Ubuntu console) and run the docker load command
- docker load < ./checkmarx/cx-sast-linux-server/cx-engine-server.tar
Make sure the image has been loaded in Docker Desktop

Configuring SAST

In the General Settings page, set the engineStart.bat to Scan Enqueued Script’ and engineCleanup.bat to Scan Dequeued Script.

Configuring these scripts will instruct SAST to run them for every scan created or completed. You have control over whether the scan will be run on a dedicated engine or not via the script return codes (see Scan Enqueued and Dequeued Custom Scripts for Dynamic Engines).

Below you can find the script files used in this example.

engineStart.bat

@echo off
cd /D "%~dp0"
Powershell.exe -File engineStart.ps1 %*
EXIT /B %ERRORLEVEL%

engineStart.ps1

(Configured only to start a dedicated engine for scans of LOC not greater than 1000).

# parse the script parameters (e.g. -loc, -accessControlUrl, etc.)
param ($scanId, $loc, $accessControlUrl, $messageQueueType, $activeMessageQueueURL, $messageQueueUsername, $messageQueuePassword)

function ExitWithCode
{
    param($pExitCode)

    if ($Host.Name -eq "ConsoleHost")
    {
        #running from the command-line - exit the script
       $host.SetShouldExit($pExitCode)
    }
    else
    {
        #since we are running from PowerShell ISE, just stop the execution
        Stop-Transcript
    }

    Exit $pExitCode
}

Function Get-RandomPort
{
    return Get-Random -Max 32767 -Min 10001;
}

Function Test-PortInUse
{
    Param(
        [Parameter(Mandatory=$true)]
        [Int] $portToTest
    );
    $count = netstat -aon | find `":$portToTest `" /c;
    return [bool]($count -gt 0);
}

Function Get-RandomUsablePort
{
    Param(
        [Int] $maxTries = 100
    );
    $result = -1;
    $tries = 0;
    DO
    {
        $randomPort = Get-RandomPort;
        if (-Not (Test-PortInUse($randomPort)))
        {
            $result = $randomPort;
        }
        $tries += 1;
    } While (($result -lt 0) -and ($tries -lt $maxTries));
    return $result;
}

$parsedLoc = [int]$loc

# handle only scans with LOC not greater than 1000
if ($parsedLoc -gt 1000) {
    # exit with code 0 to instruct SAST application that this scan should be queued as usual for any available public engine
    ExitWithCode 0
}

# configure a unique name for this container, to be able to later terminate it in the cleanup script
$containerName = "cx-engine-scan-${scanId}"
# get a random free port to serve the container in
$port = Get-RandomUsablePort(100)
# define the map that will expose the engine's container port (8088) to the serve port on host
$portMap = "0.0.0.0:${port}:8088"
# get the host's fqdn
$fqdn = [System.Net.Dns]::GetHostByName($env:computerName).HostName
# define the engine's container endpoint
$engineEndpoint = "http://${fqdn}:8088"
# define the engine configuration to automatically register itself, while its only dedicated for the specific scan
$engineConfig = "{ 'Uri': 'http://${fqdn}:${port}/', 'Name': 'docker ${scanId}', 'MinLoc': ${loc}, 'MaxLoc': ${loc}, 'MaxScans': 1, 'Dedications': [{ 'ItemType': 0, 'ItemId': ${scanId} }] }"
# name for this container's volume
$volumeName = "cx-${scanId}"
# define the log path in host
$logPath = "./${volumeName}:/var/checkmarx"

# run the container
docker run -d `
--name ${containerName} `
--env CX_ES_MESSAGE_QUEUE_USERNAME=$messageQueueUsername `
--env CX_ES_MESSAGE_QUEUE_PASSWORD=$messageQueuePassword `
--env CX_ES_MESSAGE_QUEUE_URL=$activeMessageQueueURL `
--env CX_ES_ACCESS_CONTROL_URL=$accessControlUrl `
--env CX_ENGINE_MESSAGE_QUEUE_TYPE=$messageQueueType `
--env CX_ES_END_POINT=$engineEndpoint `
--env CX_ENGINE_REGISTRATION_CONFIG=$engineConfig `
-p $portMap `
-v $logPath `
cx-engine-server

# exiting with code 1 instructs SAST application that this scan should wait for the dedicated engine to own it, and should not be owned by any other engine
ExitWithCode 1

# possible return codes:
#   0: Scan should be queued to any publicly available engine
#   1: Scan has a dedicated engine and should wait for it 
#   500: Startup script has failed with critical error, the associated scan will fail as well
#   X: Startup script has failed, SAST application will retry upto 3 times and eventually the associated scan will fail as well

engineCleanup.bat:

@echo off
cd /D "%~dp0"
Powershell.exe -File engineCleanup.ps1 %*
EXIT /B %ERRORLEVEL%

engineCleanup.ps1:

# parse the script parameters (e.g. -scanId, etc)
param ($scanId, $engineUrl)

function ExitWithCode
{
    param($pExitCode)

    if ($Host.Name -eq "ConsoleHost")
    {
        #running from the command line - exit the script
       $host.SetShouldExit($pExitCode)
    }
    else
    {
        #since we are running from PowerShell ISE, just stop the execution
        Stop-Transcript
    }

    Exit $pExitCode
}

# name for this container, as was specified in the startup script
$containerName = "cx-engine-scan-${scanId}"

# name for this container's volume, as was specified in the startup script
$volumeName = "cx-${scanId}"

# stop and remove the container
docker rm -f $containerName

# remove the container's volume
docker volume rm -f $volumeName

# exiting with code 1 instructs the SAST application that the engine associated with this scan should be unregistered
ExitWithCode 1

# possible return codes:
#   0: Scan should be queued to any publicly available engine
#   1: Scan has a dedicated engine and should wait for it 
#   500: The cleanup script has failed with a critical error
#   X: Cleanup script has failed; SAST application will retry up to 3 times

Checking Docker Instance and Cleanup

Once everything is configured, ensure the Docker instance is running, and then start a scan.

In this example, only scans with LOC below 1001 would spawn a dedicated engine.

SAST creates an engine instance in Docker where the engine scans and auto-registers the project. After the scan finishes, the spawned engine instance is cleaned up, and the engine is unregistered. The engine scan logs are also available to download.

In this section:

Dynamic Engines - Using Docker

Prerequisites

Setting up the Environment

Configuring SAST

Checking Docker Instance and Cleanup

Search results