mirror of
https://github.com/KeygraphHQ/shannon.git
synced 2026-02-12 17:22:50 +00:00
Deliverables saved by agents were never committed to git because git identity was not configured in the Docker container. This left them as untracked files, which git clean -fd destroyed whenever another agent's retry triggered a workspace rollback. Moves git config after ENV HOME=/tmp so the config is written to /tmp/.gitconfig where git actually looks at runtime.
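#
# Multi-stage Dockerfile for Pentest Agent
# Uses Chainguard Wolfi for minimal attack surface and supply chain security
#
# Stage layout:
#   builder - fetches/builds subfinder, WhatWeb and schemathesis
#   runtime - installs runtime packages, copies the tools in, builds the Node.js app

# Builder stage - Install tools and dependencies
# NOTE(review): ":latest" is a moving tag, so the toolchain pulled here can
# change between builds. Pin the base by digest, e.g.
# cgr.dev/chainguard/wolfi-base@sha256:<digest-placeholder>, once a vetted
# digest has been chosen.
FROM cgr.dev/chainguard/wolfi-base:latest AS builder

# Install system dependencies available in Wolfi.
# "--no-cache" already fetches a fresh package index, so no separate
# "apk update" is run (it would only leave index files behind in the layer).
RUN apk add --no-cache \
    # Core build tools
    build-base \
    git \
    curl \
    wget \
    ca-certificates \
    # Network libraries for Go tools
    libpcap-dev \
    linux-headers \
    # Language runtimes
    go \
    nodejs-22 \
    npm \
    python3 \
    py3-pip \
    ruby \
    ruby-dev \
    # Security tools available in Wolfi
    nmap \
    # Additional utilities
    bash

# Set environment variables for Go
ENV GOPATH=/go
ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
ENV CGO_ENABLED=1

# Create the directory that "go install" writes binaries to
RUN mkdir -p "$GOPATH/bin"

# Install Go-based security tools.
# NOTE(review): "@latest" resolves to whichever release is newest at build
# time. Pin a reviewed version tag (@<version-placeholder>) so the binary that
# is copied into the runtime image is reproducible and auditable.
RUN go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Install WhatWeb from GitHub (Ruby-based tool).
# NOTE(review): the clone takes the tip of the default branch with no commit
# pin or integrity check; check out a reviewed tag or commit after cloning.
# The generated /usr/local/bin/whatweb wrapper changes into /opt/whatweb before
# exec'ing the tool (presumably so it resolves its own files relative to that
# directory - confirm).
# Gems installed in this stage are not copied to the runtime stage, which runs
# its own "gem install".
RUN git clone --depth 1 https://github.com/urbanadventurer/WhatWeb.git /opt/whatweb && \
    chmod +x /opt/whatweb/whatweb && \
    gem install --no-document addressable && \
    echo '#!/bin/bash' > /usr/local/bin/whatweb && \
    echo 'cd /opt/whatweb && exec ./whatweb "$@"' >> /usr/local/bin/whatweb && \
    chmod +x /usr/local/bin/whatweb

# Install Python-based tools.
# NOTE(review): unpinned install; pin an exact version (ideally with hashes via
# a requirements file) so transitive dependencies cannot drift between builds.
RUN pip3 install --no-cache-dir schemathesis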
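# Runtime stage - Minimal production image
# NOTE(review): same moving ":latest" tag as the builder stage. Pin by digest
# (cgr.dev/chainguard/wolfi-base@sha256:<digest-placeholder>) so both stages
# resolve to the same, reviewed base.
FROM cgr.dev/chainguard/wolfi-base:latest AS runtime

# Install only runtime dependencies (package installation needs root).
# "--no-cache" fetches a fresh index on its own, so "apk update" is not run;
# that keeps package index files out of the final image.
USER root
RUN apk add --no-cache \
    # Core utilities
    git \
    bash \
    curl \
    ca-certificates \
    # Network libraries (runtime)
    libpcap \
    # Security tools
    nmap \
    # Language runtimes (minimal)
    nodejs-22 \
    npm \
    python3 \
    ruby \
    # Chromium browser and dependencies for Playwright
    chromium \
    # Additional libraries Chromium needs
    nss \
    freetype \
    harfbuzz \
    # X11 libraries for headless browser
    libx11 \
    libxcomposite \
    libxdamage \
    libxext \
    libxfixes \
    libxrandr \
    mesa-gbm \
    # Font rendering
    fontconfig

# Copy Go binaries from builder
COPY --from=builder /go/bin/subfinder /usr/local/bin/

# Copy WhatWeb (source tree and wrapper script) from builder
COPY --from=builder /opt/whatweb /opt/whatweb
COPY --from=builder /usr/local/bin/whatweb /usr/local/bin/whatweb

# Install WhatWeb Ruby dependencies in runtime stage.
# "--no-document" skips generating gem documentation, which the image does not need.
RUN gem install --no-document addressable

# Copy Python packages from builder.
# NOTE(review): the source glob matches whatever python3.* the builder has, but
# the destination is hard-coded to python3.12. With an unpinned base image the
# two can diverge, leaving schemathesis off the runtime interpreter's path -
# confirm both stages resolve to Python 3.12.
COPY --from=builder /usr/lib/python3.*/site-packages /usr/lib/python3.12/site-packages
COPY --from=builder /usr/bin/schemathesis /usr/bin/

# Create non-root user for security (fixed UID/GID 1001)
RUN addgroup -g 1001 pentest && \
    adduser -u 1001 -G pentest -s /bin/bash -D pentest

# Set working directory
WORKDIR /app

# Copy package files first for better caching
COPY package*.json ./
COPY mcp-server/package*.json ./mcp-server/

# Install Node.js dependencies (including devDependencies for TypeScript build)
RUN npm ci && \
    cd mcp-server && npm ci && cd .. && \
    npm cache clean --force

# Copy application source code.
# NOTE(review): this copies the entire build context. No .dockerignore is
# visible from this file; make sure one excludes .git, .env files,
# node_modules and any local credentials or scan output so they are not baked
# into an image layer.
COPY . .

# Build TypeScript (mcp-server first, then main project)
RUN cd mcp-server && npm run build && cd .. && npm run build

# Remove devDependencies after build to reduce image size.
# "--omit=dev" is the current spelling of the deprecated "--production" flag.
RUN npm prune --omit=dev && \
    cd mcp-server && npm prune --omit=dev

# Create directories for session data and ensure proper permissions.
# NOTE(review): mode 777 makes /app itself and the /tmp/.cache, /tmp/.config
# and /tmp/.npm directories writable by every UID in the container. /app also
# holds the built application and node_modules, so any UID can add, rename or
# remove entries directly under it. HOME=/tmp below suggests the image is meant
# to run under arbitrary UIDs; if so, consider restricting write access to the
# data directories only - confirm against how the container is launched.
RUN mkdir -p /app/sessions /app/deliverables /app/repos /app/configs && \
    mkdir -p /tmp/.cache /tmp/.config /tmp/.npm && \
    chmod 777 /app && \
    chmod 777 /tmp/.cache && \
    chmod 777 /tmp/.config && \
    chmod 777 /tmp/.npm && \
    chown -R pentest:pentest /app

# Switch to non-root user; everything below runs as "pentest"
USER pentest

# Set environment variables.
# HOME and the XDG/npm cache paths all point under /tmp, the directories made
# world-writable above.
ENV NODE_ENV=production
ENV PATH="/usr/local/bin:$PATH"
ENV SHANNON_DOCKER=true
ENV PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
ENV PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser
ENV npm_config_cache=/tmp/.npm
ENV HOME=/tmp
ENV XDG_CACHE_HOME=/tmp/.cache
ENV XDG_CONFIG_HOME=/tmp/.config

# Configure Git identity and trust all directories.
# This must stay after "ENV HOME=/tmp": "git config --global" writes to
# $HOME/.gitconfig, so the identity lands in /tmp/.gitconfig, the file git
# reads at runtime.
# NOTE(review): safe.directory '*' turns off git's repository-ownership check
# for every path. The agent presumably runs git inside repositories it does not
# own (e.g. under /app/repos); listing only those paths would keep the check
# active everywhere else - confirm which directories actually need it.
RUN git config --global user.email "agent@localhost" && \
    git config --global user.name "Pentest Agent" && \
    git config --global --add safe.directory '*'

# Set entrypoint (exec form, path relative to WORKDIR /app)
ENTRYPOINT ["node", "dist/shannon.js"]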