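---
# Compose stack for Prowler-based AWS scanning: a scanner, a findings
# consumer, and a remediation daemon. All three share the `prowler-net`
# bridge network; `./output` is the hand-off point between the scanner and
# the consumer.
version: '3.8'

services:
  # Prowler scanner. The container runs one scan and exits. Because the
  # restart policy is `unless-stopped`, Compose restarts it as soon as it
  # exits, so this is effectively a continuous scan loop — nothing in this
  # file sets a schedule or interval. For genuinely periodic runs, set
  # `restart: "no"` and trigger the service from an external scheduler.
  prowler:
    # TODO(review): pin the image to an immutable tag or digest
    # (`toniblyx/prowler:<TAG>@sha256:<DIGEST>`) so a pull cannot silently
    # swap in a different scanner build.
    image: toniblyx/prowler:latest
    volumes:
      - ./output:/output
      - ./config:/config:ro
    environment:
      # Credentials are taken from the invoking shell (or the Compose .env
      # file) and are deliberately not written into this file.
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      # Region is overridable from the environment; us-east-1 stays the default.
      - AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}
    # `>-` folds these lines into a single command line without a trailing newline.
    command: >-
      aws
      --output-formats csv
      --output-directory /output
      --config-file /config/prowler-config.yaml
    restart: unless-stopped
    networks:
      - prowler-net
    # Service-level resource caps are honoured by Compose v2. The legacy
    # docker-compose v1 ignores `mem_limit`/`cpus` in a `version: '3'` file
    # unless run with `--compatibility`.
    mem_limit: 4096m
    cpus: 2

  # Findings consumer — watches the output dir and populates the SQLite DB.
  consumer:
    build:
      context: ./consumer
      dockerfile: Dockerfile
    volumes:
      - ./output:/output
      # Source tree is bind-mounted read/write for live development, so the
      # container can modify the host checkout. NOTE(review): consider `:ro`
      # for production once it is confirmed the app does not write under /app.
      - ./consumer:/app
    # .env supplies the consumer's settings; keep it out of version control.
    env_file:
      - .env
    restart: unless-stopped
    depends_on:
      - prowler
    networks:
      - prowler-net
    # Default: dry-run mode. Remove --dry-run in an override file for production.
    command: python prowler_consumer.py --daemon --poll-interval 30 --dry-run

  # Remediation daemon — applies fixes from the action queue.
  remediator:
    build:
      context: ./consumer
      dockerfile: Dockerfile
    volumes:
      # Host AWS credentials/config are mounted read-only. The daemon can then
      # do whatever the host's default profile can do; prefer a dedicated
      # least-privilege profile (select it with AWS_PROFILE in .env) so a
      # remediation bug cannot act with broader rights than it needs.
      - ~/.aws:/root/.aws:ro
      # Same read/write source mount as the consumer; see the note there.
      - ./consumer:/app
    env_file:
      - .env
    restart: unless-stopped
    depends_on:
      - consumer
    networks:
      - prowler-net
    # Default: dry-run mode. Use --apply flag in overrides for production.
    command: python /app/remediation_service/remediation_daemon.py --dry-run --poll-interval 60

networks:
  prowler-net:
    driver: bridge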