Using Docker

Cortex XSIAM Developer Guide

Product
Cortex XSIAM
Creation date
2023-05-01
Last date published
2025-02-05
Category
Developer Guide
Abstract

Use Docker to run Python scripts and integrations in a controlled environment.

Docker is a tool used by developers to package dependencies together into an image. Docker enables you to run Python scripts and integrations in a controlled environment, isolated from the server. Packaging libraries and dependencies together maintains a consistent environment. You do not need to run pip install to install the packages your integration requires: they are part of the image, which contains all of the libraries you need. See the Docker site for more information.

Script/integration configuration

When creating a script within the Cortex XSIAM IDE, you can specify the Docker image to use in the script settings. If you don't specify a Docker image, a default Docker image using Python 3.9 is used.

The selected Docker image is configured in the script/integration YAML file under the dockerimage key. See Integration metadata YAML file.

Updating Docker images automatically via pull request

Every integration/script that utilizes either demisto/python or demisto/python3 Docker images is updated automatically whenever a newer tag is available. This happens via an automatic recurring job that updates the Docker image of the content item by a pull request in the content Git repository. The pack is then distributed in Marketplace.

Enabling/disabling Docker image automatic update

If your integration/script does not use either demisto/python or demisto/python3 Docker images, you can still update it automatically by adding the autoUpdateDockerImage key to the YAML file. For example, the following will update the Docker image of the integration MyIntegration:

commonfields:
  id: MyIntegration
  version: -1
name: MyIntegration
display: MyIntegration
script:
  dockerimage: demisto/oauthlib:1.0.0.16907
autoUpdateDockerImage: true

If your integration/script uses either demisto/python or demisto/python3 Docker images and you don't want to automatically update it, you can set the autoUpdateDockerImage field to false.

autoUpdateDockerImage: false

Docker images

Palo Alto Networks maintains a large repository of Docker images. All Docker images are available via Docker Hub under the Demisto organization. The Docker image creation process is managed via the Dockerfiles repository. Before trying to create a new Docker image, check if there is one available already. You can search https://github.com/demisto/dockerfiles-info/blob/master/used_packages.csv, which is updated nightly with image metadata and the OS/Python packages used in the images. To create a custom Docker image to use in your integration or script, follow the Contributing section.

Important

For security reasons, we cannot accept images which are not part of the Docker Hub Palo Alto Networks organization.
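
A pre-submission check for the rules described above (the demisto organization requirement and the autoUpdateDockerImage behaviour), added here as an example and not part of Cortex XSIAM or the content repository tooling. The function names, the line-based key lookup, and the sample YAML other than the page's own example are assumptions.

```python
import re

ALLOWED_ORG = "demisto"  # Docker Hub organization named on the page
# Repositories the page says are auto-updated without any extra key.
AUTO_UPDATED_BY_DEFAULT = {"demisto/python", "demisto/python3"}

def _scalar(yaml_text, key):
    """Line-based lookup of `key: value`; enough for this check, not a YAML parser."""
    m = re.search(rf"^[ \t]*{re.escape(key)}:[ \t]*(\S+)[ \t]*$", yaml_text, re.MULTILINE)
    return m.group(1).strip("'\"") if m else None

def check_docker_settings(yaml_text):
    """Return (repository, auto_update, findings) for one integration/script YAML."""
    image = _scalar(yaml_text, "dockerimage")
    if image is None:
        # Per the page, a default Python 3.9 image is used when none is specified.
        return None, None, ["no dockerimage key: the default image is used"]
    findings = []
    # Strip the tag: a ':' only counts as a tag separator in the last path segment.
    repo = image.rsplit(":", 1)[0] if ":" in image.rsplit("/", 1)[-1] else image
    parts = repo.split("/")
    if len(parts) != 2 or parts[0] != ALLOWED_ORG:
        findings.append(f"{image}: not under the '{ALLOWED_ORG}' Docker Hub organization")
    flag = _scalar(yaml_text, "autoUpdateDockerImage")
    # An explicit key wins; otherwise only the two base images update on their own.
    auto = flag.lower() == "true" if flag is not None else repo in AUTO_UPDATED_BY_DEFAULT
    if not auto:
        findings.append(f"{repo}: tag is not updated automatically, track it manually")
    return repo, auto, findings

# Constructed samples: the first is the page's example, the tags on the others are made up.
SAMPLES = {
    "page example": "script:\n  dockerimage: demisto/oauthlib:1.0.0.16907\nautoUpdateDockerImage: true\n",
    "base image, opted out": "script:\n  dockerimage: demisto/python3:0.0.0.0\nautoUpdateDockerImage: false\n",
    "outside the org": "script:\n  dockerimage: example-org/tool:0.0.1\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", check_docker_settings(text))
```

An image that is opted out of automatic updates keeps whatever packages its pinned tag shipped with, so the second finding marks content that needs a manual review cadence.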

Package requirements

Considerations when choosing a package to be used in an integration:

  • Does the package have known security issues?

  • Is the package licensed? If so, what type of license is being used?

You must perform due diligence on packages you choose to use. This includes verifying the package name is correct. For example, in the past, scans of PyPI resulted in the detection of 11 "typo-squatted" packages which were found to be malicious.

Licensing

The Cortex XSIAM content repository is produced with an MIT (Massachusetts Institute of Technology) license, which means that we use only packages that have a license compatible with the MIT license. As a rule, we only use permissive licenses. For a complete list of OSS licenses and their types see: https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses.

Note

Other licenses may be permitted with specific approval.

Add files to the dockerfiles repository

In most cases, if your integration is for public release, you need to push Docker files into the dockerfiles repository located here. Pushing into this repository adds the image (after an approval process) to the Docker Hub Palo Alto Networks organization. See the README.md for details.