anya/docker-compose.yml at main · elementmerc/anya · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
services:

  # ── Single file analysis ───────────────────────────────────────────────────
  # Place suspicious.exe in ./samples/ then run:
  #   docker compose run --rm anya-single
  # Or override the target file:
  #   docker compose run --rm anya-single anya --file /samples/other.dll --json
  anya-single:
    image: anya:latest
    build:
      context: .
      args:
        VERSION: "${VERSION:-dev}"
    volumes:
      - ./samples:/samples:ro     # read-only — Anya never modifies the sample
      - ./output:/output:rw
    command:
      - "--file"
      - "/samples/suspicious.exe"
      - "--json"
      - "--output"
      - "/output/result.json"
      - "--no-color"
    read_only: true               # container filesystem is read-only
    security_opt:
      - no-new-privileges:true
      - seccomp:./docker/seccomp.json
    cap_drop:
      - ALL
    tmpfs:
      - /tmp:size=64m,noexec      # writable tmp; no execute permission

  # ── Batch directory analysis ───────────────────────────────────────────────
  # Analyses every PE/ELF in ./samples/ and writes one JSONL file per run.
  # Results are appended to output/batch.jsonl so you can accumulate runs.
  #   docker compose run --rm anya-batch
  anya-batch:
    image: anya:latest
    build:
      context: .
      args:
        VERSION: "${VERSION:-dev}"
    volumes:
      - ./samples:/samples:ro
      - ./output:/output:rw
    command:
      - "--directory"
      - "/samples"
      - "--recursive"
      - "--json"
      - "--output"
      - "/output/batch.jsonl"
      - "--append"
      - "--no-color"
    read_only: true
    security_opt:
      - no-new-privileges:true
      - seccomp:./docker/seccomp.json
    cap_drop:
      - ALL
    tmpfs:
      - /tmp:size=64m,noexec

  # ── Watch inbox for new files ──────────────────────────────────────────────
  # Sidecar pattern: drop a file into ./inbox and Anya emits a one-line
  # verdict to stdout (captured by `docker compose logs anya-watch`) plus a
  # detailed JSON record to ./watch-output. Intended for integrating Anya
  # into a SaaS upload pipeline where a container continuously scans files
  # as they land.
  #
  # anya-watch uses its own ./watch-output directory, separate from
  # anya-single and anya-batch's ./output, so the three services can run
  # concurrently without output collisions.
  #   mkdir -p inbox watch-output
  #   docker compose up anya-watch            # foreground, Ctrl+C to stop
  #   cp suspicious.exe inbox/                # verdict appears in logs
  anya-watch:
    image: anya:latest
    build:
      context: .
      args:
        VERSION: "${VERSION:-dev}"
    volumes:
      - ./inbox:/inbox:ro
      - ./watch-output:/output:rw
    command:
      - "watch"
      - "/inbox"
      - "--json"
    read_only: true
    security_opt:
      - no-new-privileges:true
      - seccomp:./docker/seccomp.json
    cap_drop:
      - ALL
    tmpfs:
      - /tmp:size=64m,noexec