CyfroAgent

Multi Container Scanning (Apps, Services)

CyfroAgent can scan containerized web apps and services when it shares a Docker network with them (for network scans) and a shared volume (for filesystem scans that fingerprint their code, dependency and configuration files).


Prerequisites

  1. One or more application containers are already running
  2. Docker is installed and accessible
  3. You have a valid CyfroAgent token

Architecture

Docker Network

[ Application Containers ]
   |-- expose services (e.g., 80, 8080)
   |-- optionally write scannable files

[ Shared Volume ]
   |-- stores code/dependency/configuration files

[ CyfroAgent Container ]
   |-- performs network scans
   |-- performs filesystem scans via mounted volume

Network Configuration

CyfroAgent must run on the same Docker network as the application containers.

Identify Existing Network

docker inspect <container_name> --format '{{json .NetworkSettings.Networks}}'

Example output:

{
  "sample-webapp_default": {}
}

Create Network (if required)

If your containers are not already on a shared network:

docker network create cyfro-network

Attach containers:

docker network connect cyfro-network <container_name>

Note: CyfroAgent can only reach containers on networks it is attached to, so connect it to every network where the containers you want to scan live. If the agent is already running, attach it to further networks afterwards with docker network connect <network_name> cyfro-agent.

Shared Volume Configuration

Filesystem scanning requires a shared volume that the application container mounts with write access and that CyfroAgent mounts read-only.

Create Volume

docker volume create webapp_scan_export

Have the application (or your deployment) write the files to be fingerprinted into the shared volume: code, dependency manifests and configuration files. Keep secrets such as credentials or .env files out of it, since everything in the volume is readable by the agent.

Mount Volume in Application Container

If using docker run:

docker run -d \
  --name <app_container> \
  --network <network_name> \
  -v webapp_scan_export:/opt/demo-data \
  <image>

If using docker-compose:

services:
  app:
    image: <image>
    volumes:
      - webapp_scan_export:/opt/demo-data

volumes:
  webapp_scan_export:

Deploying CyfroAgent

Run CyfroAgent with network access to the application containers and read-only access to the shared volume. The NET_RAW capability lets the agent open raw sockets for its network scans; the :ro suffix on the shared volume is what prevents the agent from modifying the application's files.

docker run -d \
  --name cyfro-agent \
  --network <network_name> \
  --cap-add NET_RAW \
  -v cyfro-agent-data:/data/agent \
  -v webapp_scan_export:/scan-target:ro \
  cyfrosec/cyfro-agent:latest \
  --agentName "Agent1" \
  --token "<TOKEN>" \
  --location "Docker"

Verification

Verify Volume Mount

docker exec -it cyfro-agent ls /scan-target

Compare with:

docker exec -it <app_container> ls /opt/demo-data

Verify Network Connectivity

docker exec -it cyfro-agent sh

Then:

ping <app_container_name>

The name resolves because Docker's embedded DNS serves container names on user-defined networks. ping needs the NET_RAW capability granted above and a ping binary in the image; if the image lacks ping, any other tool that resolves the container name from inside the agent (for example nslookup) serves the same purpose.

Determining Scan Targets

Identify the subnet of the network: this is the target range you enter on the Scans Setup page when configuring the scan.

docker network inspect <network_name>

Example (under IPAM.Config in the output):

"Subnet": "172.22.0.0/16"
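The whole procedure above, from network discovery through deployment and verification to the subnet for the Scans Setup page, as one script. This is an added example and not CyfroAgent's own tooling. It assumes the container, volume and path names used on this page (sample-webapp as the application container name is an assumption), a Docker CLI that accepts the Go templates used with --format, and a TOKEN environment variable holding a valid agent token.

```shell
#!/bin/sh
# Added example (not CyfroAgent's own tooling): walks the multi-container
# setup on this page end to end for an app container that is already running.
# Assumptions: APP, VOLUME, AGENT, AGENT_IMAGE and TOKEN come from the
# environment; /opt/demo-data and /scan-target are the paths used on the page.
set -eu

APP="${APP:-sample-webapp}"                 # assumed application container name
VOLUME="${VOLUME:-webapp_scan_export}"
AGENT="${AGENT:-cyfro-agent}"
AGENT_IMAGE="${AGENT_IMAGE:-cyfrosec/cyfro-agent:latest}"

# Networks the app container is attached to, one per line. A Go template
# is used instead of grepping the JSON that docker inspect prints.
container_networks() {
  docker inspect "$1" \
    --format '{{range $name, $ep := .NetworkSettings.Networks}}{{println $name}}{{end}}'
}

# Subnets of a network, one per line: the value entered as scan target.
network_subnets() {
  docker network inspect "$1" \
    --format '{{range .IPAM.Config}}{{println .Subnet}}{{end}}'
}

# Create the shared volume only when it does not exist yet.
ensure_volume() {
  docker volume inspect "$1" >/dev/null 2>&1 || docker volume create "$1" >/dev/null
}

# Start the agent on the app's first network with the volume read-only,
# then attach it to every further network the app container is on.
deploy_agent() {
  first="$1"; shift
  docker run -d --name "$AGENT" --network "$first" --cap-add NET_RAW \
    -v cyfro-agent-data:/data/agent \
    -v "$VOLUME:/scan-target:ro" \
    "$AGENT_IMAGE" \
    --agentName "Agent1" --token "${TOKEN:?set TOKEN to a CyfroAgent token}" --location "Docker"
  for net in "$@"; do docker network connect "$net" "$AGENT"; done
}

# The agent must see the same entries as the app, and must NOT be able to
# create a file in the volume: the :ro mount is the only thing stopping it.
verify_volume() {
  app_list=$(docker exec "$APP" sh -c 'ls -1A /opt/demo-data' | sort)
  agent_list=$(docker exec "$AGENT" sh -c 'ls -1A /scan-target' | sort)
  [ -n "$app_list" ] && [ "$app_list" = "$agent_list" ] ||
    { echo "shared volume: agent and app see different files" >&2; return 1; }
  if docker exec "$AGENT" sh -c 'touch /scan-target/.cyfro-rw-probe' 2>/dev/null; then
    echo "shared volume is writable from the agent; fix the :ro mount" >&2
    return 1
  fi
}

# Name resolution from inside the agent works via Docker's embedded DNS on a
# user-defined network; fall back through tools the agent image may have.
verify_resolves() {
  docker exec "$AGENT" sh -c \
    "getent hosts '$1' >/dev/null 2>&1 || nslookup '$1' >/dev/null 2>&1 || ping -c 1 -W 1 '$1' >/dev/null 2>&1"
}

main() {
  set -- $(container_networks "$APP")
  [ "$#" -gt 0 ] || { echo "$APP is not attached to any Docker network" >&2; exit 1; }
  ensure_volume "$VOLUME"
  deploy_agent "$@"
  verify_volume
  verify_resolves "$APP" || { echo "agent cannot resolve $APP" >&2; exit 1; }
  for net in "$@"; do
    echo "network $net:"; network_subnets "$net" | sed 's/^/  scan target subnet /'
  done
}

# Invoked as: TOKEN=... APP=<app_container> sh cyfro-multi.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The read-only check deliberately tries to create a file from the agent side and treats success as a failure: a volume mounted without :ro would silently let the agent alter the application's files. The resolution check does not depend on ping being present in the agent image, which is the usual reason the manual ping test fails even when the network attachment is correct.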