Add initial implementation of Agent Guard services with Docker setup #3315
Conversation
- Introduced `docker-compose.yml` to orchestrate Python and Go services.
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 21638177 | Triggered | JSON Web Token | aab96ee | apps/data-ingestion-service/src/main/java/com/akto/action/IngestionAction.java | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
…akshak added deployment for cloudflare container and worker
…ormers. Bump llm-guard to 0.3.16, torch to 2.4.0, and add compatibility fixes for optimum 2.0+ in scanner_service.py.
![devsecopsbot[bot]](https://avatars.githubusercontent.com/in/963709?s=60&v=4){kind=small}
There was a problem hiding this comment.
🤖 AI Security analysis: "This change introduces multiple medium-severity Go package vulnerabilities (notably golang.org/x/crypto/ssh) and exposes a service port on all interfaces, raising risk of authorization bypass, DoS, and remote access. Remediate before deployment."
| Risk Level | AI Score |
|---|---|
| 🟡 MODERATE | 60.0/100 |
Top 7 security issues / 12 total (Critical: 0, High: 0, Medium: 12, Low: 0)
| Title | Location | Recommendation |
|---|---|---|
 CVE-2023-39325: golang: net/http, x/net/http2: rapid stream resets can cause ex… |
apps/agent-guard/go-service/container/src/go.mod:1 |
apps/agent-guard/go-service/container/src/go.mod: golang.org/x/net@v0.10.0 |
| CVE-2023-3978: golang.org/x/net/html: Cross site scripting |
apps/agent-guard/go-service/container/src/go.mod:1 |
apps/agent-guard/go-service/container/src/go.mod: golang.org/x/net@v0.10.0 |
| CVE-2023-48795: ssh: Prefix truncation attack on Binary Packet Protocol (BPP) |
apps/agent-guard/go-service/container/src/go.mod:1 |
apps/agent-guard/go-service/container/src/go.mod: golang.org/x/crypto@v0.9.0 |
| CVE-2024-45337: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallba… |
apps/agent-guard/go-service/container/src/go.mod:1 |
apps/agent-guard/go-service/container/src/go.mod: golang.org/x/crypto@v0.9.0 |
| CVE-2025-22869: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange… |
apps/agent-guard/go-service/container/src/go.mod:1 |
apps/agent-guard/go-service/container/src/go.mod: golang.org/x/crypto@v0.9.0 |
| Service port exposed on all interfaces |
apps/agent-guard/docker-compose.yml:8 |
Bind the service port to a specific IP address, e.g., '127.0.0.1:$PORT'. |
| Service port exposed on all interfaces |
apps/agent-guard/docker-compose.yml:37 |
Bind the service port to a specific IP address, e.g., '127.0.0.1:$PORT'. |
| context: ./python-service/container | ||
| dockerfile: Dockerfile | ||
| container_name: agent-guard-python | ||
| ports: |
There was a problem hiding this comment.
| ports: | |
| - "127.0.0.1:8092:8092" |
🟡 MEDIUM: Service port exposed on all interfaces
Bind the published port to localhost to avoid exposing the service on all host interfaces. This reduces exposure of the service to the local machine only and prevents external access from other network interfaces.
| context: ./go-service/container | ||
| dockerfile: Dockerfile | ||
| container_name: agent-guard-go | ||
| ports: |
There was a problem hiding this comment.
| ports: | |
| - "127.0.0.1:8091:8091" |
🟡 MEDIUM: Service port exposed on all interfaces
Bind the published port to the loopback interface to avoid exposing the service on all host interfaces. If the service must be reachable externally, use a specific host interface or firewall rules instead of 0.0.0.0 binding.
There was a problem hiding this comment.
🤖 AI Security analysis: "A medium-severity dependency vulnerability (CVE-2024-24786) in golang-protobuf's protojson can trigger infinite loops when unmarshaling malformed JSON; it is referenced in the service go.mod and can lead to CPU exhaustion/DoS of the Go service."
| Risk Level | AI Score |
|---|---|
| 🟢 LOW | 35.0/100 |
Top 1 security issues / 1 total (Critical: 0, High: 0, Medium: 1, Low: 0)
| Title | Location | Recommendation |
|---|---|---|
| CVE-2024-24786: golang-protobuf: encoding/protojson, internal/encoding/json: in… |
apps/agent-guard/go-service/container/src/go.mod:1 |
apps/agent-guard/go-service/container/src/go.mod: google.golang.org/protobuf@v1.30.0 |
There was a problem hiding this comment.
🤖 AI Security analysis: "A medium-severity dependency vulnerability (CVE-2024-24786) in golang-protobuf's protojson can trigger infinite loops when unmarshaling malformed JSON; it is referenced in the service go.mod and can lead to CPU exhaustion/DoS of the Go service."
| Risk Level | AI Score |
|---|---|
| 🟢 LOW | 35.0/100 |
Top 1 security issues / 1 total (Critical: 0, High: 0, Medium: 1, Low: 0)
| Title | Location | Recommendation |
|---|---|---|
| CVE-2024-24786: golang-protobuf: encoding/protojson, internal/encoding/json: in… |
apps/agent-guard/go-service/container/src/go.mod:1 |
apps/agent-guard/go-service/container/src/go.mod: google.golang.org/protobuf@v1.30.0 |
docker-compose.ymlto orchestrate Python and Go services.