Using Docker - Developer Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Developer Guide

Product
Cortex XSIAM
Creation date
2023-05-01
Last date published
2024-06-04
Category
Developer Guide
Abstract

Use Docker to run Python scripts and integrations in a controlled environment.

Docker is a tool used by developers to package together dependencies into an image. Therefore, you are not required to run pip install to install all the required packages to use your integration. They are part of a image and the image contains all of the libraries you need. See the Docker site for more information.

Script/integration configuration

When creating a script within the Cortex XSIAM IDE, you can specify the Docker image to use, within the script settings. If you don't specify a docker image, a default docker image using Python 3.9 is used. 

The selected Docker image is configured in the script/integration yaml file under the dockerimage key. See Integration metadata YAML file

Updating Docker images automatically via pull request

Every integration/script that utilizes either demisto/python or demisto/python3 Docker images Is updated automatically whenever a newer tag is available. This happens via an automatic recurring job that updates the Docker image of the content item by a pull request in the content Git repository. The pack is then distributed in Marketplace.

Enabling/disabling Docker image automatic update

If your integration/script is not using either demisto/python or demisto/python3 Docker images, you can still have it updated automatically by adding the autoUpdateDockerImagekey to the YAML file. For example, the following will update the integration MyIntegration docker image:

commonfields:
  id: MyIntegration
  version: -1
name: MyIntegration
display: MyIntegration
script:
 dockerimage: demisto/oauthlib:1.0.0.16907
autoUpdateDockerImage: true

If your integration/script uses either demisto/python or demisto/python3 Docker images and you don't want to have it automatically updated, you can set the autoUpdateDockerImage field to false. For example, adding the following will not update your Docker image automatically.

autoUpdateDockerImage: false
Docker images

Palo Alto Networks maintains a large repository of Docker images. All Docker images are available via DockerHub under the Demisto organization. The Docker image creation process is managed via Dockerfiles repository. Before trying to create a new Docker image, check if there is one available already. You can search  https://github.com/demisto/dockerfiles-info/blob/master/used_packages.csv  which is updated nightly with image metadata and the os/python packages used in the images. To create a custom Docker image to use in your integration or script, follow the Contributing section.

Important

For security reasons, we cannot accept images which are not part of the Docker hub Palo Alto Networks organization.

Package requirements

Considerations when choosing a package to be used in an integration:

  • Does the package have known security issues?

  • Is the package licensed? If so, what type of license is being used?

You must perform due diligence on packages you choose to use. This includes verifying the package name is correct. For example, in the past, scans of PyPI resulted in the detection of 11 "typo-squatted" packages which were found to be malicious.

Licensing

The Cortex XSIAM content repository is produced with an MIT (Massachusetts Institute of Technology) license, which means that we use only packages that have a license compatible with the MIT license. As a rule, we only use permissive licenses. For a complete list of OSS licenses and their types see: https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses.

Note

Other licenses may be permitted with specific approval.

Add files to dockerfiles repository

In most cases, if your integration is for public release, you need to push Docker files into the dockerfiles repository located here. Pushing into this repository adds the image (after an approval process) to the Docker hub Palo Alto Networks organization. See the README.md for details.

Server - container communication (advanced)

The Cortex XSIAM launches a Docker container by running a Python loop script. The server communicates with the Python loop script over stdout and stdin. The server passes the relevant integration/script code to the loop script. The script receives the code, executes it and returns a completed response to the server. While the integration/script code is executing, communication is performed over stdout/stdin. The server may then reuse the container to execute additional integrations/scripts that utilize the same Docker container. An simplified example loop script is available for review and testing here.

For example, to use the example loop script to simulate running a simple script which sends a log entry to the server via calling demisto.log(...) run the following:

echo '{"script": "demisto.log(\"this is an example entry log\")", "integration": false, "native": false}' | \
docker run --rm -i -v `pwd`:/work -w /work demisto/python3:3.8.6.12176 python Utils/_script_docker_python_loop_example.py