🔐 Enterprise-grade container security platform with centralized control and distributed agents
CASA performs comprehensive security assessments on Docker containers at scale, identifying vulnerabilities, misconfigurations, and attack paths in production environments.
- 🔍 YARA Rule Scanning - Pattern-based malware and threat detection
- 🔐 Secrets Detection - Find exposed credentials (20+ patterns)
- 🚨 Vulnerability Validation - Runtime CVE validation, not just listings
⚠️ Configuration Audit - Detect dangerous container configurations- 🛡️ Escape Detection - Identify container breakout vectors
- 🌐 Network Mapping - Discover container connectivity and attack paths
- 📊 Web Dashboard - Real-time visualization with 6 pages (Dashboard, Scans, Containers, Agents, Alerts, Users)
- 🔄 High Availability - 3-node control plane cluster with HAProxy load balancing
- 🤖 Distributed Agents - Scale to 1000+ hosts with automatic failover
- 📡 REST API - 30+ endpoints with JWT authentication
- 👥 User Management - Create users, temporary passwords, forced password changes
- 🔑 OAuth2/SSO - Google, GitHub, Microsoft, GitLab, Custom OIDC
- ⚡ Event-Driven Scanning - Container events trigger immediate scans
- 🔐 Encryption Everywhere - TLS for all services (PostgreSQL, Redis, API)
- 🔒 End-to-End Encryption - RSA-4096 + AES-256-GCM for agent data
- 👮 Role-Based Access - 4 roles (admin, operator, viewer, auditor)
- 🚫 Account Protection - Lockout after failed login attempts
- 📝 Audit Logging - Complete activity trail
./start.shdocker compose --profile ha up -dThen open: https://localhost:3000
Default admin credentials are generated in .env file.
What starts:
- PostgreSQL with SSL/TLS
- Redis with TLS
- Control Plane (1 or 3 instances)
- HAProxy Load Balancer (HA mode)
- Web Dashboard with HTTPS
- Agent Builder Service
- Encrypted Docker network
See detailed quick start guide →
→ Complete Documentation Index
- Quick Start Guide - Get running in 5 minutes
- Docker Guide - Complete deployment guide
- Security Architecture - Encryption & hardening
- System Guide - Architecture overview
- API Reference - Complete API documentation
- Control Plane Guide - Management details
┌─────────────────────────────────────┐
│ EXTERNAL ACCESS │
└─────────────────────────────────────┘
│
┌─────────────────────────────────┼─────────────────────────────────┐
│ │ │
▼ ▼ ▼
┌─────────┐ ┌─────────────┐ ┌─────────────┐
│ Browser │ │ Agents │ │ API Client │
│ User │ │ (1000+ hosts)│ │ (curl/SDK) │
└────┬────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
│ HTTPS :3000 │ HTTPS :8443 │
│ │ (RSA-4096 + AES-256-GCM) │
▼ ▼ │
┌───────────────┐ ┌─────────────────────┐ │
│ Dashboard │─────────────►│ HAProxy LB │◄─────────────────────┘
│ (Frontend) │ API calls │ :8443 (API) │
│ HTTPS :3000 │ │ :9000 (Stats) │
└───────────────┘ └──────────┬──────────┘
│
┌────────────┼────────────┐
│ │ │
▼ ▼ ▼
════════════════════════════════════════════════════════════════════════════════
INTERNAL DOCKER NETWORK (Encrypted)
│ │ │
┌────────┴───┐ ┌──────┴─────┐ ┌────┴────────┐
│ CP-1 │ │ CP-2 │ │ CP-3 │
│ (Primary) │ │ (Standby) │ │ (Standby) │
└─────┬──────┘ └─────┬──────┘ └──────┬──────┘
│ │ │
└──────────────┼───────────────┘
│
┌─────────────────┼─────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────┐ ┌───────────────┐
│ PostgreSQL │ │ Redis │ │ Agent Builder │
│ (SSL :5432) │ │ (TLS :6380) │ │ (HTTPS :9000) │
│ │ │ │ │ │
│ ┌───────────┐ │ │ Sessions │ │ Build custom │
│ │ Tables: │ │ │ Cache │ │ agent bins │
│ │ • agents │ │ │ Pub/Sub │ └───────────────┘
│ │ • scans │ │ └─────────────┘
│ │ • alerts │ │
│ │ • users │ │
│ │ • oauth │ │
│ └───────────┘ │
└─────────────────┘
AGENT DATA FLOW:
═══════════════
┌──────────────────┐ 1. Register ┌──────────────────────────────┐
│ Agent │ ───────────────────► │ Control Plane │
│ │ 2. Get public key │ • Validates agent │
│ • YARA scanning │ ◄─────────────────── │ • Returns RSA public key │
│ • Secrets detect │ 3. Send encrypted │ • Decrypts scan results │
│ • Config audit │ scan results │ • Stores in PostgreSQL │
│ • Vuln check │ ───────────────────► │ • Generates alerts │
│ • Network map │ 4. Heartbeat │ • Updates dashboard │
└──────────────────┘ ◄──────────────────► └──────────────────────────────┘
EXPOSED PORTS:
═════════════
• :3000 - Dashboard (HTTPS) - User web interface
• :8443 - API (HTTPS) - Agents & API clients
• :9000 - HAProxy Stats - Load balancer monitoring
| Layer | Technology | Purpose |
|---|---|---|
| Application | RSA-4096 + AES-256-GCM | Encrypt agent scan data |
| Transport | TLS 1.2+ | All HTTP/S, Redis, PostgreSQL |
| Network | Docker encrypted network | Container-to-container |
| Authentication | JWT + OAuth2/OIDC | User & API access |
| Authorization | RBAC (4 roles) | admin, operator, viewer, auditor |
CASA provides build-time scanning for CI/CD pipelines with optional centralized reporting to the control plane for unified visibility across build-time and runtime security.
CI/CD PIPELINE SCANNING (Build-time)
════════════════════════════════════
┌─────────────────────────────────────────────────────────────────────────┐
│ CI/CD PLATFORM │
│ (Vela, GitHub Actions, GitLab, etc.) │
└─────────────────────────────────────────────────────────────────────────┘
│
┌───────────────────────────┼───────────────────────────┐
│ │ │
▼ ▼ ▼
┌───────────┐ ┌───────────┐ ┌───────────┐
│ BUILD │ │ SCAN │ │ DEPLOY │
│ │ ──────► │ │ ──────► │ │
│ docker │ │ CASA │ │ k8s / │
│ build │ │ scanner │ │ docker │
└───────────┘ └─────┬─────┘ └───────────┘
│
┌────────────┴────────────┐
│ SCAN OPERATIONS │
│ │
│ • Secrets Detection │
│ • YARA Malware Scan │
│ • Config Auditing │
│ • SBOM Generation │
│ │
└────────────┬────────────┘
│
┌───────────────────┼───────────────────┐
│ │ │
▼ ▼ ▼
┌────────────┐ ┌────────────┐ ┌────────────┐
│ JSON │ │ SARIF │ │ CONTROL │
│ Output │ │ Output │ │ PLANE │
│ │ │ │ │ (optional) │
│ Machine- │ │ GitHub │ │ Centralized│
│ readable │ │ Security │ │ Dashboard │
│ details │ │ Tab │ │ + SBOM DB │
└────────────┘ └────────────┘ └────────────┘
│
▼
┌─────────────────┐
│ Exit Code 0/1 │
│ │
│ 0 = Pass │
│ 1 = Findings │
│ exceed │
│ threshold │
└─────────────────┘
CI/CD VS AGENT SCANNING:
═══════════════════════
┌────────────────────────┬──────────────────────────────────────────────┐
│ CI/CD Scanning │ Agent Scanning │
├────────────────────────┼──────────────────────────────────────────────┤
│ Runs at BUILD time │ Runs at RUNTIME (continuous) │
│ Scans IMAGES │ Scans running CONTAINERS │
│ Gates deployments │ Monitors production │
│ Output: JSON/SARIF │ Output: Dashboard/API │
│ One-time scan │ Event-driven + periodic │
│ Optional CP reporting │ Always reports to Control Plane │
└────────────────────────┴──────────────────────────────────────────────┘
CASA supports three authentication methods for CI/CD pipelines to report to the control plane:
| Method | Description | Best For |
|---|---|---|
| OIDC/JWT | Validate tokens from CI platforms (GitHub, GitLab, Vela) | Most secure, no secrets to manage |
| Vault | Accept tokens issued by HashiCorp Vault | Organizations using Vault |
| CI API Keys | Long-lived scoped keys with ci-reporter role |
Platforms without OIDC support |
OIDC providers are configured in the control plane admin settings and can be restricted to specific repositories and branches.
steps:
- name: build
image: target/vela-docker:latest
parameters:
repo: myorg/myapp
tags: ["${VELA_BUILD_COMMIT:0:8}"]
- name: security_scan
image: target/vela-casa:latest
parameters:
image: myorg/myapp:${VELA_BUILD_COMMIT:0:8}
fail_on: high
output: text
# Control plane integration (optional)
control_plane_url: https://casa.example.com
auth_method: oidc # Uses Vela OIDC tokens automatically
generate_sbom: true # Submit SBOM to central database
- name: deploy
image: target/vela-kubernetes:latest
parameters:
action: apply
files: [k8s/deployment.yaml]- name: CASA Security Scan
uses: your-org/casa-action@v1
with:
image: myapp:${{ github.sha }}
output-format: sarif
fail-on: high
control-plane-url: https://casa.example.com # Optional
auth-method: oidc
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: casa-results.sarifSee Vela plugin docs → | See GitHub Action docs →
- PostgreSQL: SSL/TLS connections required
- Redis: TLS-only mode (plaintext disabled)
- API Server: HTTPS with certificate auth
- Web Dashboard: HTTPS with strict transport security
- Agent Communication: Double encryption (app + transport)
- RSA-4096 key pairs for each agent
- AES-256-GCM with rolling keys (new per transmission)
- Random IVs prevent replay attacks
- API Key authentication
- Certificate pinning support
See complete security documentation →
CASA/
├── start.sh # One-command startup
├── generate-certs.sh # TLS certificate generation
├── docker-compose.yml # Multi-mode deployment config
│
├── cmd/ # Go entrypoints
│ ├── agent/ # Distributed agent
│ ├── control-plane/ # Control plane server
│ └── scanner/ # Standalone scanner
│
├── internal/ # Internal packages
│ ├── api/ # REST API handlers
│ └── database/ # Schema & migrations
│
├── pkg/ # Shared packages
│ ├── auth/ # JWT, OAuth, RBAC
│ ├── crypto/ # Encryption utilities
│ └── models/ # Data structures
│
├── services/ # Core services
│ ├── orchestrator/ # Scan orchestration
│ ├── secrets/ # Secrets scanner
│ └── yarascan/ # YARA integration
│
├── web/dashboard/ # Frontend UI
│ ├── index.html # Main page
│ ├── app.js # Application logic
│ └── styles.css # Styling
│
├── rules/yara/ # YARA rules library
├── deploy/ # Deployment configs
│ ├── haproxy/ # Load balancer config
│ └── monitoring/ # Prometheus/Grafana
│
├── docker/ # Dockerfiles
│ ├── Dockerfile.control-plane
│ ├── Dockerfile.agent
│ ├── Dockerfile.dashboard
│ └── Dockerfile.agent-builder-alpine
│
└── docs/ # Documentation
├── INDEX.md
├── QUICKSTART.md
└── SECURITY_ARCHITECTURE.md
- Production Monitoring - Continuous security scanning at scale
- Compliance Auditing - Meet HIPAA, PCI DSS, SOC 2 requirements
- Incident Response - Rapid container security assessment
- DevSecOps - CI/CD security gates
- Vulnerability Management - Track and remediate CVEs
- Attack Surface Analysis - Understand container exposure
./start.sh # One-command startup
# or
docker compose up -d # Development modedocker compose --profile ha up -d # 3 control planes + HAProxydocker compose --profile ha --profile ha-with-agent up -ddocker compose --profile ha --profile monitoring up -d# DaemonSet deployment for all nodes
kubectl apply -f k8s/casa-agent-daemonset.yaml- Via Dashboard: Navigate to Agents → Create New Agent
- Via API:
# Login and get token
TOKEN=$(curl -sk -X POST https://localhost:3000/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"admin"}' | jq -r '.token')
# Create agent
curl -sk -X POST https://localhost:3000/api/v1/agents/generate \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"my-agent","hostname":"server-01","encryption_enabled":true}'| Mode | Description | Use Case |
|---|---|---|
hybrid |
Event-driven + periodic scans | Production (default) |
event-driven |
Only scans on container events | Lightweight, real-time |
periodic |
Only interval-based scans | Legacy, specific needs |
# All flags (credentials can be embedded at build time)
./casa-agent \
--control-plane URL # Control plane URL
--agent-id ID # Agent identifier
--api-key KEY # API key for auth
--hmac-secret SECRET # HMAC secret for signing
--scan-mode MODE # hybrid|event-driven|periodic (default: hybrid)
--scan-interval DURATION # Periodic scan interval (default: 1h)
--heartbeat-interval DUR # Heartbeat interval (default: 30s)
--encrypted-storage PATH # Path for offline result storage# Production uses hybrid mode by default
# Event-driven scans + hourly full audits
./casa-agent
# Equivalent to: --scan-mode=hybrid --scan-interval=1h --heartbeat-interval=30sEvent-driven behavior:
- Scans containers immediately on start (5s delay)
- Full YARA scan on first-seen images (15s delay)
- Full scan after container runs for 5 minutes
- Digest caching prevents redundant scans (24h TTL)
- Rate limited: 50 scans/min, 5 concurrent max
# More frequent scans for faster feedback
./casa-agent \
--scan-mode=periodic \
--scan-interval=5m \
--heartbeat-interval=30s# Event-driven only - minimal resource usage
./casa-agent --scan-mode=event-driven# Install agent
sudo mv casa-agent /usr/local/bin/casa-agent
sudo mkdir -p /etc/casa
# Create /etc/systemd/system/casa-agent.service:[Unit]
Description=CASA Security Agent
After=network.target docker.service
Requires=docker.service
[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/casa-agent
Restart=always
RestartSec=10s
Environment=HOME=/root
[Install]
WantedBy=multi-user.target# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable casa-agent
sudo systemctl start casa-agent
# View logs
sudo journalctl -u casa-agent -fThe Agent Builder service creates static binaries with embedded credentials:
# Build via API
curl -k -X POST https://localhost:9001/api/v1/builder/build \
-H "Content-Type: application/json" \
-d '{
"agent_id": "agent-server01-123",
"control_plane_url": "https://control-plane.example.com:8443",
"api_key": "casa_ak_...",
"hmac_secret": "casa_hs_...",
"platform": "linux/amd64",
"encryption_enabled": true
}'Supported platforms:
linux/amd64- Linux x86_64 (static, with YARA)linux/arm64- Linux ARM64 (static, with YARA)darwin/amd64- macOS Inteldarwin/arm64- macOS Apple Siliconwindows/amd64- Windows x64
| Scan Type | Description |
|---|---|
| YARA Scanning | Pattern-based threat detection using customizable rules |
| Secrets Detection | Find exposed credentials (API keys, passwords, tokens) |
| Configuration Audit | Check for dangerous container configurations |
| Vulnerability Validation | Runtime CVE verification |
| Escape Detection | Identify container breakout vectors |
| Network Mapping | Map connectivity and exposed services |
| Factor | Weight | Description |
|---|---|---|
| Docker Socket | 25 | Mounted docker.sock |
| Privileged | 20 | Running in privileged mode |
| Sensitive Data | 15 | Contains sensitive files |
| Critical CVE | 15 | Critical vulnerabilities |
| Internet Facing | 10 | Exposed ports |
| High CVE | 8 | High severity CVEs |
| Root User | 5 | Running as root |
| Secrets Found | 3 | Exposed credentials |
- Privileged containers
- Dangerous capabilities (SYS_ADMIN, NET_ADMIN, etc.)
- Host path mounts
- Docker socket exposure
- Missing security options
- Exposed secrets (API keys, passwords, tokens)
- Malware signatures (via YARA)
- Network attack paths
- Kernel vulnerabilities
POST /api/v1/auth/login # JWT login
POST /api/v1/auth/refresh # Refresh token
GET /api/v1/auth/oauth/providers # List OAuth providers
GET /api/v1/auth/oauth/login # Start OAuth flow
POST /api/v1/auth/change-password # Change password
GET /api/v1/auth/me # Current user infoGET /api/v1/agents # List agents
POST /api/v1/agents/generate # Generate agent config
POST /api/v1/agents/register # Agent self-registration
POST /api/v1/agents/heartbeat # Agent heartbeat
GET /api/v1/crypto/public-key # Get encryption keyPOST /api/v1/results # Submit scan results
POST /api/v1/results/encrypted # Submit encrypted results
GET /api/v1/results/{id} # Get scan result
GET /api/v1/containers # List containers
GET /api/v1/containers/{id} # Get container detailsGET /api/v1/jobs # List scan jobs
POST /api/v1/jobs/create # Create scan job
GET /api/v1/alerts # List alerts
PUT /api/v1/alerts/{id} # Update alert statusPOST /api/v1/ci/auth # Validate CI credentials
POST /api/v1/ci/results # Submit CI scan results
GET /api/v1/ci/results # List CI scan results
GET /api/v1/ci/stats # CI scan statistics
POST /api/v1/ci/keys # Create CI API key (admin)
GET /api/v1/ci/keys # List CI API keys (admin)
DELETE /api/v1/ci/keys/{id} # Revoke CI API key (admin)
GET /api/v1/ci/oidc/providers # List OIDC providers (admin)
PUT /api/v1/ci/oidc/providers/{id} # Update OIDC provider (admin)GET /api/v1/dashboard/stats # Dashboard statistics
GET /api/v1/dashboard/trends # Trend data
GET /api/v1/admin/users # List users (admin)
POST /api/v1/admin/users # Create user (admin)
PUT /api/v1/admin/users/{id} # Update user (admin)
DELETE /api/v1/admin/users/{id} # Delete user (admin)
GET /api/v1/admin/oauth/providers # OAuth config (admin)export PATH=$PATH:/usr/local/go/bin
go build -o bin/casa ./cmd/scanner
go build -o bin/casa-agent ./cmd/agent
go build -o bin/casa-control-plane ./cmd/control-planego test ./...docker-compose up -d
./bin/casa-control-planeCASA can scale to:
- ✅ 1,000+ agents across multiple data centers
- ✅ 10,000+ containers continuous monitoring
- ✅ 100,000+ scans per day with proper infrastructure
# Database
DB_HOST=postgres
DB_PASSWORD=your-secure-password
DB_SSLMODE=require
# API
API_PORT=8080
API_TLS_ENABLED=true
# Agent
CONTROL_PLANE_URL=https://control-plane:8080
SCAN_INTERVAL=5mAll configuration in docker-compose.yml:
- Service settings
- Network configuration
- Volume mounts
- Health checks
# Start platform (standard mode)
./start.sh
# Start in HA mode
docker compose --profile ha up -d
# View logs
docker compose logs -f control-plane-1
# Stop everything
docker compose --profile ha down
# Rebuild all images
docker compose --profile ha build --no-cache
# Database access
docker exec -it casa-postgres psql -U casa -d casa
# Health check (via HAProxy)
curl -sk https://localhost:8443/health
# HAProxy stats
open http://localhost:9000/stats
# View admin password
grep CASA_ADMIN_PASSWORD .envThis is a security tool - contributions should focus on:
- Additional scanning techniques
- Enhanced vulnerability detection
- Performance improvements
- Documentation updates
Provided for security research and authorized testing only.
Built with:
- Go - Core services
- PostgreSQL - Data storage
- Docker - Containerization
- Python - Dashboard server
- Trivy - CVE data
- Documentation: Check docs/INDEX.md
- Quick Start: See docs/QUICKSTART.md
- Troubleshooting: See docs/DOCKER_GUIDE.md
Current Version: 2.0.0
Status: Production Ready
- ✅ YARA-based malware scanning
- ✅ Secrets detection (20+ patterns)
- ✅ Vulnerability validation
- ✅ Configuration auditing
- ✅ Escape detection
- ✅ Event-driven scanning
- ✅ High availability (3-node cluster + HAProxy)
- ✅ Web dashboard (6 pages)
- ✅ REST API (40+ endpoints)
- ✅ Agent failover support
- ✅ Vela, GitHub Actions, GitLab CI support
- ✅ OIDC/JWT authentication (workload identity)
- ✅ HashiCorp Vault integration
- ✅ Scoped CI API keys
- ✅ SBOM centralization
- ✅ SARIF output for GitHub Security
- ✅ TLS/SSL everywhere
- ✅ End-to-end encryption (RSA-4096 + AES-256-GCM)
- ✅ OAuth2/OIDC (Google, GitHub, Microsoft, GitLab, OIDC)
- ✅ RBAC (admin, operator, viewer, auditor)
- ✅ User management with temporary passwords
- ✅ Account lockout protection
- ✅ Audit logging
- ✅ Prometheus metrics
- ✅ Grafana dashboards
- ✅ HAProxy statistics
Get started now:
./start.sh # Standard mode
docker compose --profile ha up -d # HA modeThen open: https://localhost:3000 🚀
CASA is licensed under the Apache License 2.0.
Copyright 2025 CASA Contributors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.