Using Docker - Demisto SDK Guide - Cortex - Security Operations

Demisto SDK Guide

Creation date
2023-08-01
Last date published
2024-10-28
Category
Demisto SDK Guide
Abstract

Use Docker to run Python scripts and integrations in a controlled environment.

Docker is a tool used by developers to package dependencies together into an image. Therefore, you are not required to run pip install to install the packages your integration needs. They are part of an image, and the image contains all of the libraries you need. See the Docker site for more information.

Script/integration configuration

When creating a script within the IDE, you can specify the Docker image to use, within the script settings. If you don't specify a Docker image, a default Docker image using Python 3.9 is used. 

The selected Docker image is configured in the script/integration YAML file under the dockerimage key. See Integration metadata YAML file.

Updating Docker images automatically via pull request

Every integration/script that utilizes either demisto/python or demisto/python3 Docker images is updated automatically whenever a newer tag is available. This happens via an automatic recurring job that updates the Docker image of the content item by a pull request in the content Git repository. The pack is then distributed in Marketplace.

Enabling/disabling Docker image automatic update

If your integration/script does not use either the demisto/python or demisto/python3 Docker image, you can still update it automatically by adding the autoUpdateDockerImage key to the YAML file. For example, the following enables automatic updates of the Docker image for the integration MyIntegration:

commonfields:
  id: MyIntegration
  version: -1
name: MyIntegration
display: MyIntegration
script:
  dockerimage: demisto/oauthlib:1.0.0.16907
autoUpdateDockerImage: true

If your integration/script uses either demisto/python or demisto/python3 Docker images and you don't want to automatically update it, you can set the autoUpdateDockerImage field to false.

autoUpdateDockerImage: false

Docker images

Palo Alto Networks maintains a large repository of Docker images. All Docker images are available via Docker Hub under the Demisto organization. The Docker image creation process is managed via the Dockerfiles repository. Before trying to create a new Docker image, check whether one is already available. You can search https://github.com/demisto/dockerfiles-info/blob/master/used_packages.csv, which is updated nightly with image metadata and the OS/Python packages used in the images. To create a custom Docker image to use in your integration or script, follow the Contributing section.

Important

For security reasons, we cannot accept images which are not part of the Docker Hub Palo Alto Networks organization.

To ensure that modifying an existing Docker image does not disrupt other integrations that use that same package, all Docker images are created with a unique immutable version tag that cannot be overridden.
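The rules above (images from the demisto organization, a pinned version tag, and the autoUpdateDockerImage defaults) can be checked before a pull request is opened. The following is an added example, not part of the Demisto SDK: the function names are hypothetical, the second and third YAML samples and their tags are constructed, and a line-based match is used instead of a YAML parser to avoid dependencies.

```python
import re

REQUIRED_ORG = "demisto"  # Docker Hub organization named on this page
# Images the page says are updated automatically unless opted out.
AUTO_UPDATED_BY_DEFAULT = {"demisto/python", "demisto/python3"}

# Page's own example, plus two constructed items (their tags are made up).
PAGE_EXAMPLE = """script:
  dockerimage: demisto/oauthlib:1.0.0.16907
autoUpdateDockerImage: true
"""
CONSTRUCTED_UNPINNED = "script:\n  dockerimage: acme/oauthlib:latest\n"
CONSTRUCTED_OPT_OUT = ("script:\n  dockerimage: demisto/python3:0.0.0.1\n"
                       "autoUpdateDockerImage: false\n")


def _scalar(key, text):
    """Value of the first `key: value` line, or None (line-based, no YAML lib)."""
    m = re.search(r"^\s*%s:[ \t]*['\"]?([^'\"#\s]+)" % re.escape(key),
                  text, re.MULTILINE)
    return m.group(1) if m else None


def check_docker_settings(yaml_text):
    """Return (effective_auto_update, findings) for one script/integration."""
    image = _scalar("dockerimage", yaml_text)
    if image is None:
        return None, ["no dockerimage key; the default image is used"]

    repo, _, tag = image.rpartition(":")
    if not repo or "/" in tag:  # no tag (or the colon was a registry port)
        repo, tag = image, ""

    findings = []
    if not repo.startswith(REQUIRED_ORG + "/"):
        findings.append("image %r is outside the %s organization"
                        % (repo, REQUIRED_ORG))
    if tag in ("", "latest"):
        findings.append("image %r is not pinned to a version tag" % repo)

    flag = _scalar("autoUpdateDockerImage", yaml_text)
    if flag is not None:
        auto = flag.lower() == "true"  # an explicit key overrides the default
    else:
        auto = repo in AUTO_UPDATED_BY_DEFAULT
    return auto, findings
```

A fully qualified reference that includes a registry host is reported as outside the organization, so review such findings by hand.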

Package requirements

Considerations when choosing a package to be used in an integration:

  • Does the package have known security issues?

  • Is the package licensed? If so, what type of license is being used?

You must perform due diligence on packages you choose to use. This includes verifying the package name is correct. For example, in the past, scans of PyPI resulted in the detection of 11 "typo-squatted" packages which were found to be malicious.

Licensing

The content repository is produced with an MIT (Massachusetts Institute of Technology) license, which means that we use only packages that have a license compatible with the MIT license. As a rule, we only use permissive licenses. For a complete list of OSS licenses and their types see: https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses.

Note

Other licenses may be permitted with specific approval.

Add files to the dockerfiles repository

In most cases, if your integration is for public release, you need to push Docker files into the dockerfiles repository located here. Pushing into this repository adds the image (after an approval process) to the Docker Hub Palo Alto Networks organization. See the README.md for details.