
Installation using Docker Compose

Deployment via Docker Compose requires Docker version 23.0 or later. The commands below use the docker compose plugin syntax (docker compose ..., not the legacy docker-compose binary).

Downloading the distribution

The distribution is currently available upon request.

Launch

  1. On first use, unpack the distribution archive. It contains two variants of the Docker Compose configuration. The first stores sensitive data (database passwords, S3-compatible storage access keys, and so on) in the .env file; the second stores it in Docker secrets. With the first variant the credentials sit in plaintext in .env, so restrict access to that file on the host (for example chmod 600) and keep it out of version control.

  2. Open a terminal and change to the gujian-compose directory created by unpacking. All subsequent commands in this guide are run from this directory.

  3. Enter your secret access token for the deb package repository by editing the value of the TOKEN environment variable in the .env file, for example:

    TOKEN=my-secret-access-token
    
  4. Launch the services using the .env file configuration:

    docker compose up --build
    

    Launch the services using the Docker secrets configuration:

    docker compose -f docker-compose-with-secrets.yml --env-file secrets.env up --build
    

The dashboard is available by default at http://localhost. With the first configuration option, the address and port can be changed in docker-compose.yml, in the services.dashboard.ports section; with the second option, make the same change in docker-compose-with-secrets.yml.

Configuring

The environment variables are configured in the .env file (first option) or the secrets.env file (second option).

| Variable name | Default value | Description |
|---|---|---|
| FUCHSIAD_POSTGRES_SERVER_URL | fuchsiad-database:5432 | Database server address for the scanning service fuchsiad, in the format host:port |
| FUCHSIAD_POSTGRES_DB | fuchsia | PostgreSQL database name for the scanning service fuchsiad |
| FUCHSIAD_POSTGRES_USER | fuchsia | PostgreSQL username for the scanning service fuchsiad |
| FUCHSIAD_POSTGRES_PASSWORD | *** | PostgreSQL password for the scanning service fuchsiad (first configuration option only) |
| FUCHSIAD_POSTGRES_PASSWORD_FILE | /tmp/secrets/fuchsiad_db_password | Path (inside the container) of the file holding the PostgreSQL password for the scanning service fuchsiad (second configuration option only) |
| FUCHSIAD_POSTGRES_SSL_MODE | disable | Controls the use of SSL/TLS for the connection to the PostgreSQL database of the scanning service fuchsiad |
| BACKEND_POSTGRES_SERVER_URL | backend-database:5432 | Database server address for the backend, in the format host:port |
| BACKEND_POSTGRES_DB | backend | PostgreSQL database name for the backend |
| BACKEND_POSTGRES_USER | backend | PostgreSQL username for the backend |
| BACKEND_POSTGRES_PASSWORD | *** | PostgreSQL password for the backend (first configuration option only) |
| BACKEND_POSTGRES_PASSWORD_FILE | /tmp/secrets/backend_db_password | Path (inside the container) of the file holding the PostgreSQL password for the backend (second configuration option only) |
| BACKEND_POSTGRES_SSL_MODE | disable | Controls the use of SSL/TLS for the connection to the PostgreSQL database of the backend |
| SOCKET_PORT | 7075 | TCP port of the scanning service fuchsiad |
| S3_SERVER_URL | http://minio:9000 | S3-compatible storage server address, in the format scheme://host:port |
| S3_ROOT_USER | fuchsia | Access key of the root user of the S3-compatible storage (first configuration option only) |
| S3_ROOT_USER_FILE | /tmp/secrets/s3_root_user | Path (inside the container) of the file holding the access key of the root user of the S3-compatible storage (second configuration option only) |
| S3_ROOT_PASSWORD | *** | Password of the root user of the S3-compatible storage (first configuration option only) |
| S3_ROOT_PASSWORD_FILE | /tmp/secrets/s3_root_password | Path (inside the container) of the file holding the password of the root user of the S3-compatible storage (second configuration option only) |
| S3_NO_CHECK_CERT | true | Controls whether self-signed server certificates are ignored when connecting to the S3-compatible storage over SSL/TLS |
| CHANNEL | edge | deb package repository channel |
| TOKEN | Not specified | Token for accessing the deb package repository |
| TZ | Europe/Moscow | Time zone |

The defaults point at containers of the same Compose project (fuchsiad-database, backend-database, minio), which is why the PostgreSQL connections run without TLS and S3 certificate errors are ignored out of the box. If any of these addresses is changed to a server outside the Compose network, set the corresponding *_SSL_MODE variable to a value that enforces TLS and set S3_NO_CHECK_CERT=false; otherwise database credentials and scan data cross the network in cleartext and anyone on the path can answer for the S3 endpoint with a self-signed certificate of their own.
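Before the first docker compose up it is worth checking that the .env file no longer carries the defaults from the table. The following POSIX shell script is an added example, not part of the distribution: it parses the file as text (it never sources it, so a hostile value cannot execute), flags empty or placeholder secrets, the cleartext-by-default TLS settings and loose file permissions, and runs itself against two constructed sample files. The variable names are those of the table; the placeholder list, the FAIL/WARN severities and the value require in the hardened sample (a libpq-style sslmode value, assumed here; check which values fuchsiad accepts) are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the distribution): audit a .env file of the
# layout above before running `docker compose up`.

# env_value FILE KEY: print the value of KEY in FILE (last assignment wins,
# surrounding double quotes stripped). The file is read as text, never
# sourced, so a hostile value cannot run commands in this shell.
env_value() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 \
        | cut -d= -f2- | sed 's/^"\(.*\)"$/\1/'
}

# audit_env FILE: print one FAIL/WARN line per finding. Returns 1 if any
# FAIL was found (do not deploy), 0 otherwise.
audit_env() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }

    # In the .env variant the credentials sit in this file in plaintext,
    # so it must not be readable by other users on the host.
    if find "$file" -perm -004 | grep -q .; then
        echo "WARN: $file is world-readable; run: chmod 600 $file"
    fi

    # Secrets that must hold a real value. "***" is the table's redaction
    # marker and my-secret-access-token is the guide's example value.
    for key in TOKEN FUCHSIAD_POSTGRES_PASSWORD BACKEND_POSTGRES_PASSWORD S3_ROOT_PASSWORD; do
        case "$(env_value "$file" "$key")" in
            ""|'***'|changeme|password|my-secret-access-token)
                echo "FAIL: $key is unset or still a placeholder"
                rc=1 ;;
        esac
    done

    # Defaults that are fine for the bundled containers but weak as soon as
    # the database or S3 endpoint is anything other than a local service.
    for key in FUCHSIAD_POSTGRES_SSL_MODE BACKEND_POSTGRES_SSL_MODE; do
        if [ "$(env_value "$file" "$key")" = "disable" ]; then
            echo "WARN: $key=disable: credentials and data travel in cleartext"
        fi
    done
    if [ "$(env_value "$file" S3_NO_CHECK_CERT)" = "true" ]; then
        echo "WARN: S3_NO_CHECK_CERT=true: the S3 server certificate is not verified"
    fi
    return $rc
}

# write_samples DIR: create two constructed .env files for demonstration,
# one left at the weak values above and one hardened (values are made up).
write_samples() {
    cat > "$1/weak.env" <<'EOF'
# values copied from the guide's example and the table, i.e. not yet changed
TOKEN=my-secret-access-token
FUCHSIAD_POSTGRES_PASSWORD=***
BACKEND_POSTGRES_PASSWORD=changeme
FUCHSIAD_POSTGRES_SSL_MODE=disable
BACKEND_POSTGRES_SSL_MODE=disable
S3_NO_CHECK_CERT=true
EOF
    chmod 644 "$1/weak.env"
    cat > "$1/good.env" <<'EOF'
TOKEN=8f2c0b5e6d7a4913
FUCHSIAD_POSTGRES_PASSWORD=5Kq9vX2pL8mN4wRt
BACKEND_POSTGRES_PASSWORD=Zt7yB3hJ6cV1nM0q
S3_ROOT_PASSWORD=Pw4eR8tY2uI6oP3a
FUCHSIAD_POSTGRES_SSL_MODE=require
BACKEND_POSTGRES_SSL_MODE=require
S3_NO_CHECK_CERT=false
EOF
    chmod 600 "$1/good.env"
}

# Stand-alone run: audit both samples and show the findings.
dir=$(mktemp -d)
write_samples "$dir"
echo "== weak.env"; audit_env "$dir/weak.env" || :
echo "== good.env"; audit_env "$dir/good.env" || :
rm -rf "$dir"
```

Run it as sh audit-env.sh from the gujian-compose directory, or call audit_env .env from your own deployment script and refuse to continue on a non-zero return. The weak sample yields four FAIL lines (TOKEN, the two PostgreSQL passwords, the missing S3_ROOT_PASSWORD) and four WARN lines (file mode plus the three TLS settings); the hardened sample yields none.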

Important

The commands that follow assume the first configuration option. To use them with the second option, add the flags -f docker-compose-with-secrets.yml --env-file secrets.env to each docker compose command.

Shutdown

To shut down the services and remove their volumes (the -v flag), run:

docker compose down -v

To delete unnamed volumes, run the command:

./remove-unnamed-volumes.sh

Using fuchsiactl

Warning

The fuchsiactl console client is intended for direct access to the fuchsiad scanning service.

In the future it will be replaced by a new client, gujian-cli, that works through the control panel.

To run the fuchsiactl console client inside the container, add the following alias:

alias fuchsiactl="docker compose exec fuchsiad fuchsiactl"

After this, the console client can be used, for example, by typing the command:

fuchsiactl help

Mounting files for the scanner

The fuchsiad/files/ directory in the root of the distribution is mounted into the fuchsiad container at /files. Anything the scanner needs to read (specifications, client certificates and keys) is placed there on the host and referenced by its path under /files.

Start scanning

Using the OpenAPI Specification

From the root directory of the distribution, copy the OpenAPI specification file(s) into fuchsiad/files/, for example:

cp /path/to/spec.json fuchsiad/files/

Then run a scan with fuchsiactl, referencing the files by their path inside the container, i.e. under /files, for example:

fuchsiactl scan --url http://example.com --file "openapi-hars-generator:OpenAPISpec@/files/spec.json"

Using a client TLS certificate

Copy the client certificate and its private key into fuchsiad/files/ in the same way and reference them under /files. The key now lives in the distribution directory on the host, so keep its permissions tight there (for example chmod 600):

fuchsiactl scan --url https://example.com --file=@proxy:CERT.crt@/files/somecrt.crt --file=@proxy:CERT.key@/files/somecrt.key
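The staging step and the two scan invocations above can be wrapped so that the host-to-container path mapping and the key permissions are handled in one place. The following POSIX shell script is an added example, not part of the distribution or of fuchsiactl: it relies only on the mount described above (fuchsiad/files/ in the distribution root is /files inside the fuchsiad container) and on the --file argument formats shown in this guide. The helper names, the distribution-root parameter and the constructed input files are this example's own; it only prints the fuchsiactl commands and never contacts the container.

```shell
#!/bin/sh
# Added example (not part of the distribution): stage input files for the
# scanner and build the matching fuchsiactl arguments.

# stage_scan_file ROOT SRC: copy SRC into ROOT/fuchsiad/files/ and print the
# path the scanner will see. Private keys are made owner-only on the host,
# because that directory is readable by whoever can read the distribution.
stage_scan_file() {
    root=$1; src=$2
    dest_dir="$root/fuchsiad/files"
    [ -f "$src" ] || { echo "stage_scan_file: no such file: $src" >&2; return 1; }
    mkdir -p "$dest_dir"
    name=$(basename "$src")
    cp "$src" "$dest_dir/$name"
    case "$name" in
        *.key) chmod 600 "$dest_dir/$name" ;;
    esac
    echo "/files/$name"
}

# openapi_scan_cmd ROOT URL SPEC: stage an OpenAPI specification and print
# the fuchsiactl command that scans URL with it. The caller decides whether
# to run it (for example with the alias from this guide).
openapi_scan_cmd() {
    spec=$(stage_scan_file "$1" "$3") || return 1
    echo "fuchsiactl scan --url $2 --file \"openapi-hars-generator:OpenAPISpec@$spec\""
}

# mtls_scan_cmd ROOT URL CRT KEY: stage a client certificate and key and
# print the scan command that presents them through the proxy.
mtls_scan_cmd() {
    crt=$(stage_scan_file "$1" "$3") || return 1
    key=$(stage_scan_file "$1" "$4") || return 1
    echo "fuchsiactl scan --url $2 --file=@proxy:CERT.crt@$crt --file=@proxy:CERT.key@$key"
}

# Stand-alone run against constructed inputs in a scratch directory that
# stands in for the distribution root.
demo_dir=$(mktemp -d)
printf '%s\n' '{"openapi":"3.0.0","paths":{}}' > "$demo_dir/spec.json"   # constructed minimal spec
printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$demo_dir/client.crt"    # constructed placeholder
printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$demo_dir/client.key"    # constructed placeholder
openapi_scan_cmd "$demo_dir/dist" http://example.com "$demo_dir/spec.json"
mtls_scan_cmd "$demo_dir/dist" https://example.com "$demo_dir/client.crt" "$demo_dir/client.key"
ls -l "$demo_dir/dist/fuchsiad/files"
rm -rf "$demo_dir"
```

With the real distribution, pass the gujian-compose directory as ROOT; the printed command can then be executed through the fuchsiactl alias, which runs it inside the container where /files is the mounted directory.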