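---
# Compose definitions for running the InfraGuard AWS security scanner locally.
# `infraguard` is the shared base service (build, credentials, output mount);
# each `scan-*` service extends it and only overrides `command` (and, for the
# Terraform scan, adds a mount). The scan services sit behind the `scan`
# profile, so they must be invoked explicitly, e.g.:
#   docker compose --profile scan run --rm scan-all
services:
  # InfraGuard security scanner (base service; not run directly)
  infraguard:
    build:
      context: .
      dockerfile: Dockerfile
    image: infraguard:latest
    container_name: infraguard-scanner
    # AWS credentials — use ONE method:
    #   1. mount ~/.aws read-only (the default, see `volumes` below), or
    #   2. pass static keys through `environment`.
    # NOTE(review): every value under `environment` is visible to anyone who
    # can run `docker inspect` on the container and to every process inside it
    # via /proc. Prefer the mounted profile (or short-lived role credentials)
    # over static keys, and treat INFRAGUARD_SLACK_WEBHOOK as a credential for
    # the same reason — an `env_file` kept out of version control is the
    # minimal improvement over exporting it in the shell.
    environment:
      # AWS region (required)
      - AWS_REGION=${AWS_REGION:-eu-north-1}
      # Optional: direct credentials (uncomment if not using mounted credentials)
      # - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      # - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      # Optional: AWS profile (requires the ~/.aws mount below)
      # - AWS_PROFILE=default
      # Optional: InfraGuard configuration.
      # `${VAR:-}` sets the variable to an EMPTY STRING (not unset) when the
      # host has no value, so the scanner must treat "" as "not configured" —
      # TODO confirm against the scanner's config loading.
      - INFRAGUARD_S3_BUCKET=${INFRAGUARD_S3_BUCKET:-}
      - INFRAGUARD_SNS_TOPIC_ARN=${INFRAGUARD_SNS_TOPIC_ARN:-}
      - INFRAGUARD_SLACK_WEBHOOK=${INFRAGUARD_SLACK_WEBHOOK:-}
      - INFRAGUARD_LOG_LEVEL=${INFRAGUARD_LOG_LEVEL:-INFO}
    volumes:
      # AWS CLI config + credentials (method 1), mounted read-only.
      # NOTE(review): this exposes EVERY profile in ~/.aws (including any SSO
      # token cache) to the container; point AWS_PROFILE at a least-privilege,
      # read-only profile rather than an administrative one.
      - ~/.aws:/home/infraguard/.aws:ro
      # Output directory for scan results. Findings describe weaknesses in the
      # scanned account — keep this directory out of version control.
      - ./scan-results:/app/scan-results
    # Override the default command: uncomment and modify to run different scans
    # command: check-all --output-file /app/scan-results/findings.json
    # One-shot tool; never auto-restart (quoted so YAML does not read it as false)
    restart: "no"
    network_mode: bridge
    # Hardening: the scanner appears to need only outbound API access, so deny
    # privilege escalation via setuid/setcap binaries inside the container.
    security_opt:
      - no-new-privileges:true

  # Full scan (all checks) — JSON findings written to ./scan-results
  scan-all:
    extends: infraguard
    container_name: infraguard-scan-all
    command: check-all --output-file /app/scan-results/findings.json --output-format json
    profiles:
      - scan

  # IAM-only scan
  scan-iam:
    extends: infraguard
    container_name: infraguard-scan-iam
    command: check-iam --output-file /app/scan-results/iam-findings.json --output-format json
    profiles:
      - scan

  # Network-only scan
  scan-network:
    extends: infraguard
    container_name: infraguard-scan-network
    command: check-network --output-file /app/scan-results/network-findings.json --output-format json
    profiles:
      - scan

  # S3-only scan
  scan-s3:
    extends: infraguard
    container_name: infraguard-scan-s3
    command: check-s3 --output-file /app/scan-results/s3-findings.json --output-format json
    profiles:
      - scan

  # Terraform plan scan (offline: reads a `terraform show -json` plan file)
  scan-plan:
    extends: infraguard
    container_name: infraguard-scan-plan
    command: scan-plan --plan-file /app/terraform/tfplan.json --output-file /app/scan-results/plan-findings.json
    # NOTE(review): with `extends`, the base service's mounts are merged into
    # this list (the ~/.aws mount is still present even though it is not
    # needed for an offline plan scan) — verify with `docker compose config`.
    # Plan JSON can embed sensitive values, hence the read-only mount.
    volumes:
      - ./terraform:/app/terraform:ro
      - ./scan-results:/app/scan-results
    profiles:
      - scan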