fix: real-world tested — Docker stack + Nexus, verified full scan pipeline

This commit is contained in:
Marker689
2026-05-09 05:08:28 +03:00
parent 4bfead8d6e
commit d73bb910fe
2 changed files with 54 additions and 40 deletions


@@ -6,16 +6,20 @@ RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certifi
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/ COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/
WORKDIR /app WORKDIR /app
COPY pyproject.toml ./ COPY pyproject.toml ./
COPY guarddog_nexus/ guarddog_nexus/ RUN uv pip install --system fastapi uvicorn[standard] jinja2 httpx \
"sqlalchemy[asyncio]" aiosqlite python-multipart
RUN uv pip install --system guarddog RUN uv pip install --system guarddog
RUN uv pip install --system -e .
COPY guarddog_nexus/ guarddog_nexus/
RUN mkdir -p /data /tmp/guarddog-nexus RUN mkdir -p /data /tmp/guarddog-nexus
ENV DATABASE_PATH=/data/guarddog.db ENV DATABASE_PATH=/data/guarddog.db
ENV TEMP_DIR=/tmp/guarddog-nexus ENV TEMP_DIR=/tmp/guarddog-nexus
ENV PYTHONDONTWRITEBYTECODE=1
EXPOSE 8080 EXPOSE 8080
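Review bot: The new `RUN uv pip install --system fastapi uvicorn[standard] jinja2 httpx "sqlalchemy[asyncio]" aiosqlite python-multipart` line pins no versions, so the image is not reproducible and the dependency list now lives in two places (this line and the `pyproject.toml` copied just above it); pin each package, e.g. `"fastapi==<pinned-version>"`, or install from the manifest so there is one source of truth. The same applies to `RUN uv pip install --system guarddog` and to the unpinned tool copy `COPY --from=ghcr.io/astral-sh/uv:latest`, which should reference a tag or digest (`ghcr.io/astral-sh/uv:<pinned-tag>`) since it drops a binary into `/usr/local/bin`. Dropping `RUN uv pip install --system -e .` means the `guarddog_nexus` package is presumably only importable because `WORKDIR /app` is the cwd — worth a comment such as `# package is run from /app; not installed into site-packages` if that is intended. The hunk ends at `EXPOSE 8080`; if the rest of the file has no `USER`, the service runs as root.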


@@ -1,19 +1,18 @@
#!/bin/sh #!/bin/sh
# Setup script for test Nexus instance. set -e
# Creates a PyPI proxy repo and a webhook pointing to guarddog-nexus.
NEXUS_URL="${NEXUS_URL:-http://nexus:8081}" NEXUS_URL="${NEXUS_URL:-http://nexus:8081}"
ADMIN_PASSWORD="${ADMIN_PASSWORD:-admin123}" ADMIN_PASSWORD="${ADMIN_PASSWORD:-admin123}"
WEBHOOK_URL="${WEBHOOK_URL:-http://guarddog-nexus:8080/webhooks/nexus}" WEBHOOK_URL="${WEBHOOK_URL:-http://guarddog-nexus:8080/webhooks/nexus}"
echo "Waiting for Nexus to start..." apk add --no-cache curl >/dev/null 2>&1 || true
# Wait until Nexus REST API is available (up to 5 minutes) echo "Waiting for Nexus to start..."
MAX_WAIT=300 MAX_WAIT=300
ELAPSED=0 ELAPSED=0
while [ $ELAPSED -lt $MAX_WAIT ]; do while [ $ELAPSED -lt $MAX_WAIT ]; do
if curl -sf -o /dev/null "${NEXUS_URL}/service/rest/v1/status" 2>/dev/null; then if curl -sf -o /dev/null "${NEXUS_URL}/service/rest/v1/status" 2>/dev/null; then
echo "Nexus is up!" echo "Nexus is up."
break break
fi fi
sleep 5 sleep 5
@@ -21,53 +20,64 @@ while [ $ELAPSED -lt $MAX_WAIT ]; do
done done
if [ $ELAPSED -ge $MAX_WAIT ]; then if [ $ELAPSED -ge $MAX_WAIT ]; then
echo "Timed out waiting for Nexus" echo "Timed out waiting for Nexus" >&2
exit 1 exit 1
fi fi
# Check if password needs changing (first run)
ADMIN_PASSWORD_FILE="/nexus-data/admin.password"
if [ -f "$ADMIN_PASSWORD_FILE" ]; then
RANDOM_PASS=$(cat "$ADMIN_PASSWORD_FILE")
echo "Using random admin password: $RANDOM_PASS"
AUTH_PASS="$RANDOM_PASS"
else
AUTH_PASS="$ADMIN_PASSWORD" AUTH_PASS="$ADMIN_PASSWORD"
if [ -f /nexus-data/admin.password ]; then
AUTH_PASS=$(cat /nexus-data/admin.password)
echo "Using initial admin password from volume"
fi fi
echo "Creating PyPI proxy repository..." echo "Creating PyPI proxy repository..."
curl -sf -u "admin:${AUTH_PASS}" \ curl -sf -u "admin:${AUTH_PASS}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d '{ -X POST \
"name": "pypi-proxy",
"online": true,
"storage": {"blobStoreName": "default", "strictContentTypeValidation": true},
"proxy": {"remoteUrl": "https://pypi.org", "contentMaxAge": 1440},
"format": "pypi"
}' \
"${NEXUS_URL}/service/rest/v1/repositories/pypi/proxy" || echo "Repo may already exist"
echo "Creating webhook..."
curl -sf -u "admin:${AUTH_PASS}" \
-H "Content-Type: application/json" \
-d "{ -d "{
\"name\": \"guarddog-scan\", \"name\": \"pypi-proxy\",
\"eventTypes\": [\"repository.component\", \"repository.asset\"], \"online\": true,
\"format\": \"pypi\", \"storage\": {
\"url\": \"${WEBHOOK_URL}\", \"blobStoreName\": \"default\",
\"secret\": \"\", \"strictContentTypeValidation\": true
\"enabled\": true },
\"proxy\": {
\"remoteUrl\": \"https://pypi.org\",
\"contentMaxAge\": 1440,
\"metadataMaxAge\": 1440
},
\"negativeCache\": {
\"enabled\": true,
\"timeToLive\": 1440
},
\"httpClient\": {
\"blocked\": false,
\"autoBlock\": true,
\"connection\": {
\"timeout\": 60,
\"retries\": 3
}
}
}" \ }" \
"${NEXUS_URL}/service/rest/v1/webhooks" || echo "Webhook may already exist" "${NEXUS_URL}/service/rest/v1/repositories/pypi/proxy" 2>/dev/null || \
echo "Proxy repo may already exist, continuing..."
# Change admin password if this was first run echo ""
if [ -f "$ADMIN_PASSWORD_FILE" ]; then echo "NOTE: Webhook setup is not available in Nexus OSS/Community edition."
echo "Changing admin password..." echo "In Nexus Pro, configure:"
curl -sf -u "admin:${RANDOM_PASS}" \ echo " Capability: Webhook: Repository"
echo " URL: ${WEBHOOK_URL}"
echo " Event types: repository.component, repository.asset"
echo " Repository filter: pypi-proxy"
echo ""
if [ -f /nexus-data/admin.password ]; then
echo "Changing default admin password..."
curl -sf -u "admin:${AUTH_PASS}" \
-H "Content-Type: text/plain" \ -H "Content-Type: text/plain" \
-X PUT \ -X PUT \
-d "${ADMIN_PASSWORD}" \ -d "${ADMIN_PASSWORD}" \
"${NEXUS_URL}/service/rest/v1/security/users/admin/change-password" "${NEXUS_URL}/service/rest/v1/security/users/admin/change-password" 2>/dev/null || true
fi fi
echo "Nexus setup complete." echo "Nexus setup complete."
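Review bot: In the second hunk, `curl -sf ... 2>/dev/null || echo "Proxy repo may already exist, continuing..."` treats every failure — a wrong `AUTH_PASS` (401), a malformed body (400 for other reasons), a 5xx — as the benign duplicate case, and the change-password call ends in `|| true`, so a misconfigured run still prints "Nexus setup complete." and exits 0 under `set -e`. Capturing the status code and branching on it keeps the duplicate case tolerant while making real errors fail loudly; the duplicate-name response appeared as 400 in the Nexus versions I have seen, so confirm the code against the instance in use. The earlier `apk add --no-cache curl >/dev/null 2>&1 || true` has the same shape: if the install fails the script silently spends the full `MAX_WAIT` before reporting a misleading timeout, so a `command -v curl >/dev/null || { echo "curl is required" >&2; exit 1; }` after it would help. `echo "Nexus setup complete."` appears to be the end of the script.
```shell
STATUS=$(curl -s -o /dev/null -w '%{http_code}' -u "admin:${AUTH_PASS}" \
    -H "Content-Type: application/json" \
    -X POST \
    -d "{ ... }" \
    "${NEXUS_URL}/service/rest/v1/repositories/pypi/proxy")
# … unchanged: the "{ ... }" above stands for the repository JSON body from the hunk …
case "$STATUS" in
    201) echo "Proxy repo created." ;;
    400) echo "Proxy repo may already exist, continuing..." ;;
    *)   echo "Creating proxy repo failed (HTTP ${STATUS})" >&2; exit 1 ;;
esac
```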