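---
# Shamash scanner sandbox: one throw-away container per scanner tool.
#
# Every scanner shares the same baseline hardening: read-only root
# filesystem, all capabilities dropped, no-new-privileges, a noexec/nosuid
# /tmp and hard memory/CPU limits. The code under test is bind-mounted
# read-only at /scan/target (from SHAMASH_TARGET_PATH) and results are
# written to the shared scanner_results volume. Containers never restart.
version: '3.8'

services:
  # Semgrep SAST scanner, built locally from containers/Dockerfile.semgrep.
  semgrep:
    build:
      context: .
      dockerfile: containers/Dockerfile.semgrep
    networks:
      - shamash_sandbox
    environment:
      # NOTE(review): 172.29.0.0/16 is project_network's subnet, but this
      # service is attached only to shamash_sandbox (172.28.0.0/16). Confirm
      # the allow-list is meant to reference the other network.
      - SHAMASH_ALLOWED_NETWORKS=172.29.0.0/16,127.0.0.1/32
      - SHAMASH_MAX_MEMORY=2147483648  # 2 GB, matches mem_limit below
      - SHAMASH_MAX_PROCESSES=200  # matches pids_limit below
      - SHAMASH_TIMEOUT=1800  # 30 minutes
    volumes:
      - type: bind
        source: ${SHAMASH_TARGET_PATH:-./}
        target: /scan/target
        read_only: true
      - scanner_results:/var/scanner
    security_opt:
      - no-new-privileges:true
      # NOTE(review): this AppArmor profile is applied to semgrep only; the
      # other scanners run without it — confirm that is intentional.
      - apparmor:docker-shamash-scanner
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=512m
    mem_limit: 2g
    cpus: 2.0
    pids_limit: 200
    restart: "no"
    stdin_open: false
    tty: false

  # Trivy dependency / filesystem scanner (pinned image tag).
  trivy:
    image: aquasec/trivy:0.48.0
    networks:
      - shamash_sandbox
    environment:
      - TRIVY_NO_PROGRESS=true
      - TRIVY_QUIET=true
      - TRIVY_FORMAT=json
      - TRIVY_TIMEOUT=10m
      - SHAMASH_ALLOWED_NETWORKS=172.29.0.0/16,127.0.0.1/32
    volumes:
      - type: bind
        source: ${SHAMASH_TARGET_PATH:-./}
        target: /scan/target
        read_only: true
      - scanner_results:/var/scanner
      # Writable vulnerability-DB cache; the root filesystem is read-only.
      - trivy_cache:/root/.cache/trivy
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=256m
    mem_limit: 1g
    cpus: 1.0
    restart: "no"
    command:
      - "filesystem"
      - "--format"
      - "json"
      - "/scan/target"

  # Gitleaks secret scanner (pinned image tag). Runs with --no-git so a
  # plain directory, not a repository, is scanned.
  gitleaks:
    image: zricethezav/gitleaks:v8.18.0
    networks:
      - shamash_sandbox
    environment:
      - SHAMASH_ALLOWED_NETWORKS=172.29.0.0/16,127.0.0.1/32
    volumes:
      - type: bind
        source: ${SHAMASH_TARGET_PATH:-./}
        target: /scan/target
        read_only: true
      - scanner_results:/var/scanner
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=256m
    mem_limit: 512m
    cpus: 1.0
    restart: "no"
    command:
      - "detect"
      - "--source"
      - "/scan/target"
      - "--format"
      - "json"
      - "--report-path"
      - "/var/scanner/gitleaks-results.json"
      - "--no-git"

  # OWASP ZAP API scanner (pinned image tag). Unlike the other scanners it
  # is also attached to project_network so it can reach deployed apps.
  zaproxy:
    image: owasp/zap2docker-stable:2.14.0
    networks:
      - shamash_sandbox
      - project_network  # Can access project applications
    environment:
      - ZAP_PORT=8090
      - SHAMASH_ALLOWED_NETWORKS=172.29.0.0/16,127.0.0.1/32
    volumes:
      # Results volume. It must not also be listed under tmpfs: a second
      # mount at /zap/wrk conflicts with this one, and a tmpfs there would
      # discard the report written by -J below when the container exits.
      - scanner_results:/zap/wrk
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_RAW  # Required for network scanning
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=512m
    mem_limit: 4g
    cpus: 2.0
    restart: "no"
    # SHAMASH_TARGET_URL is required: fail at compose time instead of
    # launching a scan against an empty target.
    command:
      - "zap-api-scan.py"
      - "-t"
      - "${SHAMASH_TARGET_URL:?SHAMASH_TARGET_URL must be set}"
      - "-f"
      - "json"
      - "-J"
      - "/zap/wrk/zap-results.json"

  # Checkov IaC security scanner.
  checkov:
    # TODO(review): every other scanner pins a version; pin this tag (or a
    # digest) too so scan results are reproducible and the image is not
    # silently replaced upstream.
    image: bridgecrew/checkov:latest
    networks:
      - shamash_sandbox
    environment:
      - CHECKOV_LOG_LEVEL=ERROR
      - SHAMASH_ALLOWED_NETWORKS=172.29.0.0/16,127.0.0.1/32
    volumes:
      - type: bind
        source: ${SHAMASH_TARGET_PATH:-./}
        target: /scan/target
        read_only: true
      - scanner_results:/var/scanner
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=256m
    mem_limit: 1g
    cpus: 1.0
    restart: "no"
    command:
      - "checkov"
      - "--directory=/scan/target"
      - "--output=json"
      - "--quiet"
      - "--framework=dockerfile,docker_compose,kubernetes"
      - "--skip-check=CKV_DOCKER_2"
      - "--compact"
      - "--no-guide"

networks:
  # Isolated scanner network: internal, so scanners have no route out.
  shamash_sandbox:
    driver: bridge
    internal: true  # No external connectivity
    ipam:
      config:
        - subnet: 172.28.0.0/16
          ip_range: 172.28.5.0/24
  # Project network (for testing deployed apps). Not marked internal, so a
  # container attached to it (zaproxy) presumably also has outbound access.
  project_network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.29.0.0/16

volumes:
  # Shared results volume written by every scanner.
  scanner_results:
    driver: local
  # Persistent Trivy vulnerability database cache.
  trivy_cache:
    driver: local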