appsec-threat-emulation/docker-compose.yaml.all-dd-sec at main · DataDog/appsec-threat-emulation · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# NOTE: this alternative configuration enables all Datadog security features
version: "3.9"
services:
  agent:
    image: "gcr.io/datadoghq/agent:latest"
    pid: host
    security_opt:
      - apparmor:unconfined
    cap_add:
      - SYS_ADMIN
      - SYS_RESOURCE
      - SYS_PTRACE
      - NET_ADMIN
      - NET_BROADCAST
      - NET_RAW
      - IPC_LOCK
      - CHOWN
    environment:
      - DD_API_KEY=${DD_API_KEY}
      - DD_SITE=${DD_SITE:-datadoghq.com}
      - DD_ENV=${DD_ENV:-threat-emulation-local}
      - DD_APM_NON_LOCAL_TRAFFIC=true
      - DD_LOGS_ENABLED=true
      - DD_APM_ENABLED=true
      - DD_PROCESS_CONFIG_PROCESS_COLLECTION_ENABLED=true
      - DD_REMOTE_CONFIGURATION_ENABLED=true
      # Sec
      - DD_COMPLIANCE_CONFIG_ENABLED=true
      - DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED=true
      - DD_IAST_ENABLED=true
      - DD_APPSEC_ENABLED=true
      - DD_SBOM_ENABLED=true
      - DD_CONTAINER_IMAGE_ENABLED=true
      - DD_SBOM_CONTAINER_IMAGE_ENABLED=true
      # Workload Sec
      - DD_RUNTIME_SECURITY_CONFIG_ENABLED=true
      - DD_RUNTIME_SECURITY_CONFIG_NETWORK_ENABLED=true
      - DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED=true
      - DD_RUNTIME_SECURITY_CONFIG_SECURITY_PROFILE_AUTO_SUPPRESSION_ENABLED=false
      - DD_RUNTIME_SECURITY_CONFIG_ACTIVITY_DUMP_AUTO_SUPPRESSION_ENABLED=false
      - HOST_ROOT=/host/root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /proc/:/host/proc/:ro
      - /sys/fs/cgroup/:/host/sys/fs/cgroup:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      - /etc/passwd:/etc/passwd:ro
      - /etc/group:/etc/group:ro
      - /:/host/root:ro
      - /sys/kernel/debug:/sys/kernel/debug
      - /etc/os-release:/etc/os-release


  juiceshop:
    image: mdorn/juice-shop-dd
    environment:
      - DD_AGENT_HOST=agent
      - DD_TRACE_AGENT_PORT=8126
      - DD_TRACER_ENABLED=true
      - DD_SERVICE=${DD_SERVICE:-appsec-threat-emulation}
      - DD_TRACE_DEBUG=true
      - DD_LOGS_INJECTION=true
      - DD_APPSEC_ENABLED=true
      - DD_IAST_ENABLED=true
      - DD_APPSEC_SCA_ENABLED=true

    depends_on:
      db:
        condition: service_healthy
      agent:
        condition: service_healthy
    ports:
       - 8081:3000
  db:
    image: mysql:8.0
    platform: linux/amd64
    # NOTE: use of "mysql_native_password" is not recommended: https://dev.mysql.com/doc/refman/8.0/en/upgrading-from-previous-series.html#upgrade-caching-sha2-password
    # (this is just an example, not intended to be a production configuration)
    command: --default-authentication-plugin=mysql_native_password
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: wingsuit
      MYSQL_DATABASE: juiceshop
      MYSQL_USER: juiceshop
      MYSQL_PASSWORD: juiceshop-pwd
    healthcheck:
      test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
      timeout: 2s
      retries: 10
  cli:
    build:
      context: cli
      dockerfile: Dockerfile
    tty: true
    container_name: appsec-threat-emulation
networks:
  default:
    name: appsec-threat-emulation-network
    # external: true