Install With Docker (Locally Managed)


  • Linux machine with:

    • Docker installed (or similar, compatible container runtime)

    • Root permissions

The following prerequisites are optional and only relevant if you want to connect your open-appsec agent directly to a WebUI (SaaS) management tenant:

  • Access to a SaaS tenant on (WebUI for SaaS management) Follow the instructions available here:

pageSign-Up and Login to Portal
  • Agent profile created for open-appsec Docker deployment in SaaS tenant Follow the instructions available here. Once done, don't forget to copy the profile token after policy installation as this is needed in the installation steps further below:

pageCreate a Profile


Follow these steps to install an NGINX with open-appsec using containers (e.g. on Docker) or using your deployment CI:

Step 1: Pull the open-appsec agent image or add/use it as part of the deployment CI’s container management system:

docker pull

Step 2: Create a valid local_policy.yaml file which contains the desired declarative configuration for the agent container and put it in a local directory of your choice to be used in the docker run command for the agent as <path-to-local-configuration-file> (see also Step 4 for the docker run command).

You can also download and use the example default local_policy.yaml from the open-appsec GitHub repository.

Full details regarding the declarative local policy file structure are available here:

pageLocal Policy File (Advanced)

Step 3: Create the following empty directories to be used later for volume mounts in the docker run command for the agent.


Creation of the folders above and the volume mounts shown in the next step with -v is optional but strongly recommended for having persistence of the important agent information (data, config, logs). Mounting a folder <path-to-local-configuration-file>, which must contain a valid local configuration file for the open-appsec agent, to /ext/appsec directory inside the agent container on the other hand is mandatory for standalone deployments.

Step 4: Run the open-appsec agent container with this command:

docker run --name=open-appsec-agent \
--ipc=host \
-v=<path-to-persistent-location-for-agent-config>:/etc/cp/conf \
-v=<path-to-persistent-location-for-agent-data-files>:/etc/cp/data \
-v=<path-to-persistent-location-for-agent-debugs-and-logs>:/var/log/nano_agent \
-v=<path-to-local-configuration-file>:/ext/appsec \
-e registered_server='NGINX Server' \
-e user_email=<add-your-email-here> \
-e https_proxy=<user:password@proxy-address:port> \
-it -d /cp-nano-agent --standalone

The https_proxy environment variable allows you to configure an HTTP(S) proxy server to be used by the agent. It is optional and can be removed if not needed.

The user_email environment variable allows you to provide your email address.

The --standalone flag configures the agent to use a local policy file.

The optional user_email environment variable allows you to associate your email address with your specific deployment by replacing <your-email-address> with your own email address.

This allows the open-appsec team to provide you easy assistance in case of any issues you might have with your specific deployment in the future and also to provide you information proactively regarding open-appsec in general or regarding your specific deployment. This is an optional parameter and can be removed. If we send automatic emails there will also be an opt-out option included for receiving similar communication in the future.

Step 5: Create (or replace) the NGINX container by first pulling the open-appsec NGINX container, which already contains the open-appsec attachment. Alternatively, add/use it as part of the deployment CI’s container management system:

docker pull

Step 6: Run the open-appsec NGINX container, make sure to add the --ipc=host parameter, here’s an example command:

docker run --name open-appsec-nginx --ipc=host -p 80:80 -d

For general NGINX configuration please check the relevant NGINX documentation.

Step 7: Make sure both containers are running, use docker ps to verify.

If you've connected to SaaS Management Tenant in Step 4:

Step 8: Navigate to the Agents tab in the WebUI and ensure the new Agent is successfully connected.

Step 9: Create one or more assets defining the specific resources that open-appsec should protect and don't forget to enforce the policy afterward. More details here:

pageProtect Additional Assets

Fill in the proper values for local storage locations (as created earlier) to be used for persistence.

Now your open-appsec installation on Docker is completed and your configured web app or API assets are protected!

Last updated