How to run CxSAST Engine with Docker
Prerequisites:
Docker engine installation (Linux) or Docker Desktop (Windows or Mac). Docker documentation
Docker-Compose appropriate for the host OS. Docker-Compose documentation
How to:
Verify that your environment has an installation of Docker and Docker-Compose specific to your host’s OS.
Copy the following files to a directory of your choice.
container-up.sh
container-down.sh
docker-compose-activemq.yml
If you are running Docker on a Linux host, ‘sh’ scripts have been provided for easy configuration. Otherwise, you’ll only need the ‘yml’ file with minor configurations.
Edit and insert environment-specific configuration to “container-up.sh” (Linux host only) or
“docker-compose-activemq.yml” (any host OS). Configuration is further detailed in the appropriate section below.
Launch the container using ./container-up.sh (Linux host only) or
“
docker-compose -f docker-compose-activemq.yml up -d
“ (any host OS)Note: If you are using the shell script, make sure it has execute permissions (chmod +x container-up.sh)
When the container is up and running successfully in “detached” mode, it is possible to go into the running container with an interactive shell using: “
docker exec -it cx-engine-service bash
“To shut the container down, use ./container-down.sh or
”
docker-compose -f docker-compose-activemq.yml down
”
Notice
For internal artifactory users
Please follow https://checkmarx.atlassian.net/wiki/pages/createpage.action?spaceKey=SAST&title=Docker%20daemon to add the internal artifactory as an allowed insecure registry.
Configuration:
Before launching the container, configurations need to be set to reflect the specific environment with which it is intended to communicate. Currently, this is done manually by editing either “container-up.sh“ (recommended for Linux hosts) or “docker-compose-activemq.yml.“
Important: only the environment variables listed in the ‘yml’ file are those that are used by Engine Service. The environment variables in the shell ‘sh’ files are used only for the setup. This means that if you wish to change the environment variables on a running container, look for them by name using the link above or by looking up their keys in the ‘yml’ file.
Breakdown of the values in the example above:
Environment contains an All-In-One installation on a Laptop windows machine with IP 10.31.100.252
A CentOS Linux VM which will be the host of the dockerized Engine Service with IP 10.32.2.61
This instance of Engine Service will use the message queue, so
MESSAGE_QUEUE_DISABLE
key is emptyMQ_PASSWORD
is the encrypted password for the ActiveMQ instance installed on a remote machineMQ_URL_WITH_PORT
is the IP and port of the installed ActiveMQ used by the entire solutionAccess_Control_URL
is the IP where Access Control is installed. It will be used for authorization and authentication.ENGINE_SERVICE_API_URL_WITH_PORT
is the IP of the Linux VM and the exposed port which is bridged to the running container’s Engine Service portENGINE_VERSION
is used for informational and display purposes in the New Queue Management flowPUBLISHING_METHOD
was configured to send results to the MQ just like an All-In-One default engineENABLED_QUEUES
was configured to use all queue options
Unless a fine tuned environment is needed or result files need to stay in the Engine container’s volume, it is suggested to use the values above.
In a Windows or Mac hosting environment, edit the ‘yml’ file directly rather than the Linux specific Shell script. Use the same values as described in the Shell example as the values for the key-value pairs under the “environment:” tag