How to deploy the Java agent with Docker

Agent Deployment Knowledge:

See more
License Type SaaS & On-Premise
Agent Mode Assess & Protect
Main Product Category    Java Agent
Sub Category Installation

 

Objective

Learn one way you can integrate the Java agent with your Docker infrastructure. In this example, we'll be instrumenting WebGoat, an executable .jar file deployed in a Linux Docker container. 

Process

    1. Create a folder for the application then change to that directory 
      mkdir ~/projects/docker/webgoat7.1/
cd ~/projects/docker/webgoat7.1/
    2. Create a blank Dockerfile 
      touch Dockerfile
    3. Edit the Dockerfile in a text editor and paste the following into it:
      NOTE: You'll need to edit the curl command on line 6 to point it to your own organization. 
      FROM anapsix/alpine-java:jdk8
ENV APP /
RUN apk update && apk add ca-certificates && update-ca-certificates && apk add openssl
RUN apk update; apk add curl
RUN wget https://github.com/WebGoat/WebGoat/releases/download/7.1/webgoat-container-7.1-exec.jar
RUN curl -X GET <Teamserver URL>/Contrast/api/ng/<OrganizationID>/agents/default/JAVA?jvm=1_8 -H 'Authorization: <Authorization>' -H 'API-Key: <API KEY>' -o contrast.jar
WORKDIR $APP
EXPOSE 8080
CMD ["java","-javaagent:contrast.jar","-Dcontrast.agent.java.standalone_app_name=WebGoatDocker","-Dcontrast.server.name=DockerServer","-jar","webgoat-container-7.1-exec.jar"]
      • We are downloading the latest Java agent through a curl command and placing it in the same directory as our WebGoat springboot jarfile. For steps on creating a curl command, please refer to our documentation here.
      • The Java startup command contains the javaagent along with a few configuration properties to make sure the application shows up in the teamserver correctly Build the Dockerfile and create a new image                                                               
    4. Build the Dockerfile and create a new image 
      docker build ~/projects/docker/webgoat7.1/
    5. Verify the new image was created  
      docker images

      You should see the following output, the image with 1526b2ff885c was just created with the above Docker build command.

                                                                                                                    
    6. Create a container out of the image and run it 
      docker run -p 8080:8080 -t <Image ID>
    7. In your browser, go to http://localhost:8080/WebGoat to make sure the container started up correctly and you can access the application         
    8. In the Contrast UI, you should see the application show up:         

      Along with the server: 

Best Practices

Docker will cache layers to speed up subsequent builds of the same Dockerfile.
This means the curl command will not be re-executed to download the latest version of the Contrast agent if nothing has changed in steps prior to the curl command.

In order to keep up-to-date with the latest version of the agent if using this approach, you should periodically re-build the entire image to ensure the latest versions are used. To do this, run docker build with the --no-cache and --pull switches:

docker build --no-cache --pull ~/projects/docker/webgoat7.1/

Related articles

Powered by Zendesk