Add a scanner

This guide shows how to add a scanner and connect it to your console. The scanner is the component that runs the scans and reports the results back to the console.

Note:

If you followed the deployment guide, you should already have a scanner running on the same host as the UI and the backend (i.e. the console). This guide is for adding additional scanners.

Prerequisites

  • A console up and running (see deployment guide).
  • A host on which you can run the scanner. This guide assumes one of the following is installed:
    • docker
    • docker-compose
  • Connectivity from the scanner to the console. If you are running the scanner on a different network, you will need to open the console port to the scanner network. The default console port is 8000 if you followed the deployment guide.

Steps

In the console

1. Run the command to create the scanner token

These commands assume you have deployed the console using the docker-compose.yml.

   docker compose run backend create_scanner_token

Here `backend` is the name of the docker-compose service running the backend image. The command returns

   SCANNER_TOKEN=ey....

In the scanner host

1. Create a `.env` file with the scanner token

SCANNER_TOKEN=ey....
ENDPOINT=http://console-address:8000

Here http://console-address:8000 is the address of the console. If you are running the console on a different port or network, change the ENDPOINT variable accordingly.

2. Download the [seccomp](https://en.wikipedia.org/wiki/Seccomp) profile for the scanner

curl -o chrome.json https://raw.githubusercontent.com/webhood-io/webhood/main/files/chrome.json

3. Create a docker-compose.yml file with the scanner configuration

services:
  scanner:
    container_name: webhood-scanner
    image: ghcr.io/webhood-io/webhood/scanner:latest
    restart: always
    environment:
      ENDPOINT: ${ENDPOINT}
      SCANNER_TOKEN: ${SCANNER_TOKEN}
      # The scanner cannot receive realtime updates from the console if the console uses a self-signed certificate.
      # We therefore recommend a valid certificate or plain HTTP for the scanner.
      # If you use a self-signed certificate with HTTPS anyway, uncomment the next line
      # (note that this disables TLS certificate verification for the scanner process).
      # NODE_TLS_REJECT_UNAUTHORIZED: "0"
    security_opt:
      # Use seccomp to restrict the syscalls that the container can make for Chrome
      # This allows us to run chrome with sandboxing enabled without having to run the whole container as root
      - seccomp=./chrome.json

4. Run the scanner and check for any errors

   docker compose up

It is a good idea at this point to initiate some scans in the console to confirm that the scanner is working correctly.

If there are no errors, you can start the scanner as a daemon (detached):

   docker compose up -d
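A preflight script for the scanner host, added here as an example (it is not part of Webhood's own files), that checks the `.env` and `chrome.json` created in the steps above before you run `docker compose up`. The function names and the WEBHOOD_SKIP_NET variable are my own; the token prefix check relies only on the `ey....` shape shown by the console.

```shell
#!/bin/sh
# Preflight checks for a Webhood scanner host (example script, not shipped by the project).
# Usage: webhood_preflight [dir]   where dir holds .env, chrome.json and docker-compose.yml

# Validate .env: ENDPOINT is an http(s) URL and SCANNER_TOKEN looks like the
# "ey..." token printed by create_scanner_token. Returns 0 on success.
check_env_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  endpoint=$(sed -n 's/^ENDPOINT=//p' "$f" | tail -n 1)
  token=$(sed -n 's/^SCANNER_TOKEN=//p' "$f" | tail -n 1)
  case "$endpoint" in
    http://*|https://*) ;;
    *) echo "ENDPOINT must start with http:// or https:// (got '$endpoint')" >&2; return 1 ;;
  esac
  case "$token" in
    ey*) ;;
    *) echo "SCANNER_TOKEN missing or malformed (expected to start with 'ey')" >&2; return 1 ;;
  esac
  # The token is a credential: warn if other users on this host can read the file.
  if [ -n "$(find "$f" -maxdepth 0 -perm -o+r 2>/dev/null)" ]; then
    echo "warning: $f is world-readable; consider: chmod 600 $f" >&2
  fi
  return 0
}

# The seccomp profile must be the JSON Docker expects (defaultAction + syscalls);
# otherwise security_opt seccomp=./chrome.json makes Docker refuse to start the container.
check_seccomp_profile() {
  f="$1"
  [ -s "$f" ] || { echo "missing or empty seccomp profile $f" >&2; return 1; }
  grep -q '"defaultAction"' "$f" && grep -q '"syscalls"' "$f" || {
    echo "$f does not look like a Docker seccomp profile" >&2; return 1; }
}

# Reachability check against ENDPOINT (any HTTP reply counts); skipped when WEBHOOD_SKIP_NET=1.
check_endpoint_reachable() {
  [ "${WEBHOOD_SKIP_NET:-0}" = "1" ] && return 0
  endpoint=$(sed -n 's/^ENDPOINT=//p' "$1" | tail -n 1)
  curl -sS -o /dev/null --max-time 5 "$endpoint" || {
    echo "console at $endpoint not reachable; check the console port (8000 by default) and firewall" >&2
    return 1; }
}

webhood_preflight() {
  d="${1:-.}"
  check_env_file "$d/.env" && check_seccomp_profile "$d/chrome.json" \
    && check_endpoint_reachable "$d/.env"
}
```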

Additional configuration

Additional scanners

Run without arguments, the create_scanner_token command creates a new token for the default scanner that is present in all installations.

To create a token for an additional scanner, first create the scanner and then issue a token for it:

docker compose run backend create_scanner --u "scanner-name"
# Then create an auth token for that scanner
docker compose run backend create_scanner_token --u "scanner-name"