Use Docker to run Python scripts and integrations in a controlled environment.
Docker is a tool developers use to package dependencies together into an image. Because the required libraries are part of the image, you do not need to run pip install to install the packages your integration uses. See the Docker site for more information.
Script/integration configuration
When creating a script within the IDE, you can specify the Docker image to use in the script settings. If you don't specify a Docker image, a default Docker image using Python 3.9 is used.
The selected Docker image is configured in the script/integration YAML file under the dockerimage key. See Integration metadata YAML file.
Updating Docker images automatically via pull request
Every integration/script that uses either the demisto/python or demisto/python3 Docker image is updated automatically whenever a newer tag is available. An automatic recurring job updates the Docker image of the content item through a pull request in the content Git repository. The pack is then distributed in Marketplace.
Enabling/disabling Docker image automatic update
If your integration/script does not use either the demisto/python or demisto/python3 Docker image, you can still have it updated automatically by adding the autoUpdateDockerImage key to the YAML file. For example, the following updates the Docker image of the MyIntegration integration:
commonfields:
  id: MyIntegration
  version: -1
name: MyIntegration
display: MyIntegration
script:
  dockerimage: demisto/oauthlib:1.0.0.16907
autoUpdateDockerImage: true
If your integration/script uses either the demisto/python or demisto/python3 Docker image and you don't want it updated automatically, you can set the autoUpdateDockerImage field to false.
autoUpdateDockerImage: false
Docker images
Palo Alto Networks maintains a large repository of Docker images. All Docker images are available via DockerHub under the Demisto organization. The Docker image creation process is managed via the Dockerfiles repository. Before trying to create a new Docker image, check whether a suitable one already exists. You can search https://github.com/demisto/dockerfiles-info/blob/master/used_packages.csv, which is updated nightly with image metadata and the OS/Python packages used in the images. To create a custom Docker image to use in your integration or script, follow the Contributing section.
Important
For security reasons, we cannot accept images which are not part of the Docker hub Palo Alto Networks organization.
To ensure that modifying an existing Docker image does not disrupt other integrations that use the same image, all Docker images are created with a unique immutable version tag that cannot be overridden.
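One way to check a dockerimage value against the two rules above before opening a pull request, as an added example that is not part of the original documentation or the project's tooling. It assumes the accepted Docker Hub organization is named demisto and that version tags are dotted numbers like the demisto/oauthlib:1.0.0.16907 example; the regex-based extraction stands in for a real YAML parser, and the sample inputs are constructed.

```python
import re

# Assumptions (not rules quoted from the page): the accepted organization is
# "demisto", and tags are dotted numbers like 1.0.0.16907.
ALLOWED_ORG = "demisto"
TAG_RE = re.compile(r"^\d+(\.\d+)+$")
DOCKERIMAGE_RE = re.compile(r"^\s*dockerimage:\s*(\S+)\s*$", re.MULTILINE)


def check_image_ref(ref):
    """Return a list of problems with an image reference (empty list = OK)."""
    problems = []
    path, _, last = ref.rpartition("/")   # split off "<image>:<tag>"
    _, sep, tag = last.partition(":")
    parts = path.split("/") if path else []
    if len(parts) != 1:
        problems.append("expected <org>/<image>:<tag> with no registry host or nesting")
    elif parts[0] != ALLOWED_ORG:
        # Also catches look-alike organizations such as "demist0".
        problems.append(f"organization {parts[0]!r} is not {ALLOWED_ORG!r}")
    if not sep or not tag:
        problems.append("no tag: the reference would resolve to the mutable 'latest'")
    elif not TAG_RE.match(tag):
        problems.append(f"tag {tag!r} is not a numeric version tag")
    return problems


def check_yaml_text(text):
    """Check every dockerimage value found in integration/script YAML text."""
    refs = [r.strip("'\"") for r in DOCKERIMAGE_RE.findall(text)]
    return {ref: check_image_ref(ref) for ref in refs}


# Constructed sample inputs.
SAMPLE_YAML = """\
commonfields:
  id: MyIntegration
  version: -1
script:
  dockerimage: demisto/oauthlib:1.0.0.16907
"""
BAD_REFS = ["demist0/python3:latest", "demisto/python3", "python:3.9"]

if __name__ == "__main__":
    print(check_yaml_text(SAMPLE_YAML))
    for ref in BAD_REFS:
        print(ref, "->", check_image_ref(ref))
```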
Package requirements
Considerations when choosing a package to be used in an integration:
Does the package have known security issues?
Is the package licensed? If so, what type of license is being used?
You must perform due diligence on packages you choose to use. This includes verifying the package name is correct. For example, in the past, scans of PyPI resulted in the detection of 11 "typo-squatted" packages which were found to be malicious.
Licensing
The content repository is released under an MIT (Massachusetts Institute of Technology) license, which means that we use only packages that have a license compatible with the MIT license. As a rule, we only use permissive licenses. For a complete list of OSS licenses and their types see: https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses.
Note
Other licenses may be permitted with specific approval.
Add files to the dockerfiles repository
In most cases, if your integration is for public release, you need to push Docker files into the dockerfiles repository located here. Pushing into this repository adds the image (after an approval process) to the Docker hub Palo Alto Networks organization. See the README.md for details.