Add Script Sentinel Docker image for malware analysis

docker/script-sentinel/.gitignore

@@ -0,0 +1,5 @@
+# Exclude tree-sitter grammar tests
+sentinel/grammars/*/bindings/python/tests/
+sentinel/grammars/*/test/
+sentinel/grammars/*/tests/
+requirements.txt

docker/script-sentinel/Dockerfile

@@ -0,0 +1,49 @@
+# Script Sentinel Docker Image for XSIAM
+# Malware analysis for PowerShell, Bash, and JavaScript scripts
+
+# Use official Demisto Python 3 base image (Alpine-based)
+# Check latest version at: https://hub.docker.com/r/demisto/python3/tags
+FROM demisto/python3:3.11.9.106968
+
+# Metadata
+LABEL maintainer="[email protected]"
+LABEL description="Script Sentinel - Malware analysis for PowerShell, Bash, and JavaScript"
+LABEL version="1.0.0"
+LABEL com.demisto.image.type="python"
+LABEL com.demisto.image.category="malware-analysis"
+
+# Set working directory
+WORKDIR /app
+
+# Create non-root user (if not already in base image)
+# Demisto base images typically already have a user, but we ensure it exists
+RUN addgroup -g 1000 -S sentinel 2>/dev/null || true && \
+    adduser -u 1000 -S sentinel -G sentinel 2>/dev/null || true
+
+# Copy requirements first for better caching
+# Note: If using poetry, the build script will auto-generate requirements.txt
+COPY requirements.txt .
+
+# Install build dependencies, Python packages, then clean up
+# tree-sitter-language-pack requires gcc and build tools to compile C extensions
+RUN apk add --no-cache --virtual .build-deps \
+        gcc \
+        musl-dev \
+        python3-dev && \
+    pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt && \
+    apk del .build-deps
+
+# Copy application code
+COPY sentinel/ ./sentinel/
+COPY xsiam_wrapper.py ./
+
+# Set Python path
+ENV PYTHONPATH=/app:$PYTHONPATH
+
+# Health check (optional)
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD python -c "import sentinel; import xsiam_wrapper" || exit 1
+
+# No ENTRYPOINT - let Demisto verification run commands directly
+# The XSIAM integration will call xsiam_wrapper.py explicitly

docker/script-sentinel/README.md

@@ -0,0 +1,44 @@
+# Script Sentinel Docker Image
+
+Malware analysis for PowerShell, Bash, and JavaScript scripts with MITRE ATT&CK mapping.
+
+## Features
+
+- Static pattern matching for malicious behaviors
+- MITRE ATT&CK technique identification
+- IOC extraction (IPs, domains, URLs, file paths)
+- XDR-compatible output format for XSIAM integration
+- Configurable sensitivity levels (3 paranoia levels)
+- Optional LLM-powered semantic analysis
+
+## Base Image
+
+`demisto/python3:3.11.9.109876` (Alpine-based)
+
+## Size
+
+Approximately 450MB compressed
+
+## Security
+
+- Non-root user (UID 1000)
+- No network access required for analysis
+- Minimal dependencies
+- Includes verification script
+
+## Usage
+
+```bash
+docker run --rm demisto/script-sentinel:latest analyze --language javascript --content "your script here"
+```
+
+## Testing
+
+- Tested with keylogger detection
+- Tested with obfuscation detection  
+- Tested with various malware samples
+- Verification script included (`verify.py`)
+
+## Related
+
+This image is used in the Script Sentinel integration in the Cortex XSOAR/XSIAM content repository.

docker/script-sentinel/build.conf

@@ -0,0 +1 @@
+version=1.0.0

docker/script-sentinel/docker-entrypoint.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# Docker entrypoint for Script Sentinel XSIAM integration
+# Supports both direct CLI mode and XSIAM wrapper mode
+
+set -e
+
+# Check if first argument is 'xsiam-wrapper'
+if [ "$1" = "xsiam-wrapper" ]; then
+    # XSIAM mode: use the wrapper script
+    shift  # Remove 'xsiam-wrapper' from arguments
+    exec python3 /app/xsiam_wrapper.py "$@"
+elif [ "$1" = "analyze" ] || [ "$1" = "--help" ] || [ "$1" = "-h" ]; then
+    # CLI mode: use sentinel.main directly
+    exec python3 -m sentinel.main "$@"
+else
+    # For any other command (like 'which', 'python', etc.), execute it directly
+    # This allows the Demisto build system to run verification commands
+    exec "$@"
+fi

docker/script-sentinel/pyproject.toml

@@ -0,0 +1,21 @@
+[tool.poetry]
+name = "script-sentinel"
+version = "1.0.0"
+description = "Malware analysis for PowerShell, Bash, and JavaScript scripts"
+authors = ["Script Sentinel Team <[email protected]>"]
+
+[tool.poetry.dependencies]
+python = "~3.11"
+tree-sitter = "~0.22.0"
+tree-sitter-language-pack = "*"
+google-generativeai = "0.8.3"
+google-ai-generativelanguage = "0.6.10"
+PyYAML = "6.0.2"
+python-dotenv = "1.0.1"
+rich = "13.9.4"
+google-auth = "2.36.0"
+google-api-core = "2.23.0"
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"