sync code

2025-11-16 01:12:18 +03:00 · 2025-08-08 11:43:34 +00:00 · 2025-08-08 11:10:26 +00:00 · 2025-08-08 11:06:28 +00:00
35 changed files with 62 additions and 279 deletions
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6629/badge)](https://bestpractices.coreinfrastructure.org/projects/6629)

 # About
-[open-appsec](https://www.openappsec.io) (openappsec.io) builds on machine learning to provide preemptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It can be deployed as an add-on to Linux, Docker or K8s deployments, on NGINX, Kong, APISIX, or Envoy.
+[open-appsec](https://www.openappsec.io) (openappsec.io) builds on machine learning to provide preemptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It can be deployed as an add-on to Kubernetes Ingress, NGINX, Envoy (soon), and API Gateways.

 The open-appsec engine learns how users normally interact with your web application. It then uses this information to automatically detect requests that fall outside of normal operations, and conducts further analysis to decide whether the request is malicious or not.

@@ -39,13 +39,13 @@ open-appsec can be managed using multiple methods:
 * [Using SaaS Web Management](https://docs.openappsec.io/getting-started/using-the-web-ui-saas)

 open-appsec Web UI:
-<img width="1854" height="775" alt="image" src="https://github.com/user-attachments/assets/4c6f7b0a-14f3-4f02-9ab0-ddadc9979b8d" />
-
+![image](https://github.com/openappsec/openappsec/assets/114033741/22d99379-df52-45c8-984f-1b820635f3b9)


 ## Deployment Playgrounds (Virtual labs)
 You can experiment with open-appsec using [Playgrounds](https://www.openappsec.io/playground)
-<img width="781" height="878" alt="image" src="https://github.com/user-attachments/assets/0ddee216-5cdf-4288-8c41-cc28cfbf3297" />
+
+![image](https://github.com/openappsec/openappsec/assets/114033741/14d35d69-4577-48fc-ae87-ea344888e94d)

 # Resources
 * [Project Website](https://openappsec.io)
@@ -54,15 +54,21 @@ You can experiment with open-appsec using [Playgrounds](https://www.openappsec.i

 # Installation

-For Kubernetes (NGINX /Kong / APISIX / Istio) using Helm: follow [documentation](https://docs.openappsec.io/getting-started/start-with-kubernetes)
+For Kubernetes (NGINX Ingress) using the installer:

-For Linux (NGINX / Kong / APISIX) using the installer (list of supported/pre-compiled NGINX attachments is available [here](https://downloads.openappsec.io/packages/supported-nginx.txt)):
+```bash
+$ wget https://downloads.openappsec.io/open-appsec-k8s-install && chmod +x open-appsec-k8s-install
+$ ./open-appsec-k8s-install
+```
+
+For Kubernetes (NGINX or Kong) using Helm: follow [documentation](https://docs.openappsec.io/getting-started/start-with-kubernetes/install-using-helm-ingress-nginx-and-kong) – use this method if you’ve built your own containers. 
+
+For Linux (NGINX or Kong) using the installer (list of supported/pre-compiled NGINX attachments is available [here](https://downloads.openappsec.io/packages/supported-nginx.txt)):

 ```bash
 $ wget https://downloads.openappsec.io/open-appsec-install && chmod +x open-appsec-install
 $ ./open-appsec-install --auto
 ```
-For kong Lua Based plug in follow [documentation](https://docs.openappsec.io/getting-started/start-with-linux)

 For Linux, if you’ve built your own package use the following commands:

--- a/build_system/docker/Dockerfile
+++ b/build_system/docker/Dockerfile
@@ -13,10 +13,8 @@ RUN apk add --no-cache libunwind
 RUN apk add --no-cache gdb
 RUN apk add --no-cache libxml2
 RUN apk add --no-cache pcre2
-RUN apk add --no-cache ca-certificates
 RUN apk add --update coreutils

-
 COPY self_managed_openappsec_manifest.json /tmp/self_managed_openappsec_manifest.json

 COPY install*.sh /nano-service-installers/
--- a/build_system/docker/entry.sh
+++ b/build_system/docker/entry.sh
@@ -15,28 +15,13 @@ var_mode=
 var_token=
 var_ignore=
 init=
-active_watchdog_pid=
-
-cleanup() {
-    local signal="$1"
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] Signal ${signal} was received, exiting gracefully..." >&2
-    if [ -n "${active_watchdog_pid}" ] && ps -p ${active_watchdog_pid} > /dev/null 2>&1; then
-        kill -TERM ${active_watchdog_pid} 2>/dev/null || true
-        wait ${active_watchdog_pid} 2>/dev/null || true
-    fi
-    echo "Cleanup completed. Exiting now." >&2
-    exit 0
-}
-
-trap 'cleanup SIGTERM' SIGTERM
-trap 'cleanup SIGINT' SIGINT

 if [ ! -f /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT ]; then
    echo "Error: agent installation package doesn't exist."
    exit 1
 fi

-if [ -z "$1" ]; then
+if [ -z $1 ]; then
    var_mode="--hybrid_mode"
 fi

@@ -60,30 +45,30 @@ while true; do
    shift
 done

-if [ -z "$var_token" ] && [ "$var_mode" != "--hybrid_mode" ]; then
+if [ -z $var_token ] && [ $var_mode != "--hybrid_mode" ]; then
    var_token=$(env | grep 'AGENT_TOKEN=' | cut -d'=' -f2-)
-    if  [ -z "$var_token" ]; then
+    if  [ -z $var_token ]; then
        echo "Error: Token was not provided as input argument."
        exit 1
    fi
 fi

 orchestration_service_installation_flags="--container_mode --skip_registration"
-if [ -n "$var_token" ]; then
+if [ ! -z $var_token ]; then
    export AGENT_TOKEN="$var_token"
    orchestration_service_installation_flags="$orchestration_service_installation_flags --token $var_token"
 fi
-if [ -n "$var_fog_address" ]; then
+if [ ! -z $var_fog_address ]; then
    orchestration_service_installation_flags="$orchestration_service_installation_flags --fog $var_fog_address"
 fi
-if [ -n "$var_proxy" ]; then
+if [ ! -z $var_proxy ]; then
    orchestration_service_installation_flags="$orchestration_service_installation_flags --proxy $var_proxy"
 fi

-if [ -n "$var_mode" ]; then
+if [ ! -z $var_mode ]; then
    orchestration_service_installation_flags="$orchestration_service_installation_flags $var_mode"
 fi
-if [ -n "$var_ignore" ]; then
+if [ ! -z "$var_ignore" ]; then
    orchestration_service_installation_flags="$orchestration_service_installation_flags $var_ignore"
 fi

@@ -114,7 +99,7 @@ fi
 # use advanced model if exist as data for agent
 FILE=/advanced-model/open-appsec-advanced-model.tgz
 if [ -f "$FILE" ]; then
-    tar -xzvf "$FILE" -C /etc/cp/conf/waap
+    tar -xzvf $FILE -C /etc/cp/conf/waap
 fi

 touch /etc/cp/watchdog/wd.startup
--- a/components/security_apps/waap/waap_clib/CMakeLists.txt
+++ b/components/security_apps/waap/waap_clib/CMakeLists.txt
@@ -12,7 +12,6 @@ add_library(waap_clib
    ParserJson.cc
    ParserMultipartForm.cc
    ParserRaw.cc
-    ParserGzip.cc
    ParserUrlEncode.cc
    ParserXML.cc
    ParserDelimiter.cc
--- a/components/security_apps/waap/waap_clib/DeepParser.cc
+++ b/components/security_apps/waap/waap_clib/DeepParser.cc
@@ -22,7 +22,6 @@
 #include "ParserXML.h"
 #include "ParserHTML.h"
 #include "ParserBinary.h"
-#include "ParserGzip.h"
 #include "ParserMultipartForm.h"
 #include "ParserPercentEncode.h"
 #include "ParserPairs.h"
@@ -1262,10 +1261,6 @@ DeepParser::createInternalParser(
        dbgTrace(D_WAAP_DEEP_PARSER) << "Starting to parse an HTML file";
        m_parsersDeque.push_back(std::make_shared<BufferedParser<ParserHTML>>(*this, parser_depth + 1));
        offset = 0;
-    } else if (isBodyPayload && Waap::Util::isGzipped(cur_val)){
-        dbgTrace(D_WAAP_DEEP_PARSER) << "Starting to parse a gzip file";
-        m_parsersDeque.push_back(std::make_shared<BufferedParser<ParserGzip>>(*this, parser_depth + 1));
-        offset = 0;
    } else if (cur_val.size() > 0 && signatures->php_serialize_identifier.hasMatch(cur_val)) {
        // PHP value detected
        dbgTrace(D_WAAP_DEEP_PARSER) << "Starting to parse phpSerializedData";
--- a/components/security_apps/waap/waap_clib/ParserGzip.cc
+++ b/components/security_apps/waap/waap_clib/ParserGzip.cc
@@ -1,115 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ParserGzip.h"
-#include "debug.h"
-
-USE_DEBUG_FLAG(D_WAAP_PARSER_GZIP);
-
-const std::string ParserGzip::m_parserName = "ParserGzip";
-
-ParserGzip::ParserGzip(IParserStreamReceiver &receiver, size_t parser_depth)
-:m_receiver(receiver), m_key("gzip"), m_state(s_start), m_stream(nullptr) {
-}
-
-ParserGzip::~ParserGzip() {
-    if (m_stream != nullptr) {
-        finiCompressionStream(m_stream);
-        m_stream = nullptr;
-    }
-}
-
-size_t ParserGzip::push(const char *buf, size_t len) {
-    dbgTrace(D_WAAP_PARSER_GZIP) << "len=" << (unsigned long int)len << ")";
-
-    if (len == 0) {
-        dbgTrace(D_WAAP_PARSER_GZIP) << "end of data signal! m_state=" << m_state;
-
-        // flush
-        if (m_state != s_start) { // only emit if at least something was pushed
-            if (m_receiver.onKvDone() != 0) {
-                m_state = s_error;
-            }
-        }
-
-        return 0;
-    }
-    DecompressionResult res;
-    switch (m_state) {
-    case s_start:
-        dbgTrace(D_WAAP_PARSER_GZIP) << "s_start";
-        if (m_receiver.onKey(m_key.data(), m_key.size()) != 0) {
-            m_state = s_error;
-            return 0;
-        }
-        m_stream = initCompressionStream();
-        m_state = s_forward;
-        // fallthrough //
-        CP_FALL_THROUGH;
-    case s_forward:
-        dbgTrace(D_WAAP_PARSER_GZIP) << "s_forward";
-        res = decompressData(
-            m_stream,
-            len,
-            reinterpret_cast<const unsigned char *>(buf));
-        dbgTrace(D_WAAP_PARSER_GZIP) << "res: " << res.ok
-            << ", size: " << res.num_output_bytes
-            << ", is last: " << res.is_last_chunk;
-
-        if (!res.ok) {
-            m_state = s_error;
-            break;
-        }
-
-        if (res.num_output_bytes != 0 &&
-                m_receiver.onValue(reinterpret_cast<const char *>(res.output), res.num_output_bytes) != 0) {
-            m_state = s_error;
-            break;
-        }
-
-        if (res.is_last_chunk) {
-            m_state = s_done;
-            break;
-        }
-        break;
-    case s_done:
-        if (len > 0) {
-            dbgTrace(D_WAAP_PARSER_GZIP) << " unexpected data after completion, len=" << len;
-            m_state = s_error;
-            return 0; // Return 0 to indicate error
-        }
-        break;
-    case s_error:
-        dbgTrace(D_WAAP_PARSER_GZIP) << "s_error";
-        return 0;
-    }
-
-    return len;
-}
-
-void ParserGzip::finish() {
-    push(NULL, 0);
-    if (m_state != s_done) {
-        m_state = s_error;
-        return;
-    }
-}
-
-const std::string &
-ParserGzip::name() const {
-    return m_parserName;
-}
-
-bool ParserGzip::error() const {
-    return m_state == s_error;
-}
--- a/components/security_apps/waap/waap_clib/ParserGzip.h
+++ b/components/security_apps/waap/waap_clib/ParserGzip.h
@@ -1,46 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __PARSER_GZIP_H_
-#define __PARSER_GZIP_H_
-
-#include "ParserBase.h"
-#include <string.h>
-#include "compression_utils.h"
-
-class ParserGzip : public ParserBase {
-public:
-    ParserGzip(IParserStreamReceiver &receiver, size_t parser_depth);
-    virtual ~ParserGzip();
-    size_t push(const char *data, size_t data_len);
-    void finish();
-    virtual const std::string &name() const;
-    bool error() const;
-    virtual size_t depth() { return 1; }
-private:
-    enum state {
-        s_start,
-        s_forward,
-        s_done,
-        s_error
-    };
-
-    IParserStreamReceiver &m_receiver;
-    std::string m_key;
-    state m_state;
-    CompressionStream * m_stream;
-
-    static const std::string m_parserName;
-};
-
-#endif // __PARSER_GZIP_H_
--- a/components/security_apps/waap/waap_clib/Serializator.cc
+++ b/components/security_apps/waap/waap_clib/Serializator.cc
@@ -44,6 +44,14 @@ static const string defaultSharedStorageHost = "appsec-shared-storage-svc";
 #define SHARED_STORAGE_HOST_ENV_NAME "SHARED_STORAGE_HOST"
 #define LEARNING_HOST_ENV_NAME "LEARNING_HOST"

+static bool
+isGZipped(const string &stream)
+{
+    if (stream.size() < 2) return false;
+    auto unsinged_stream = reinterpret_cast<const u_char *>(stream.data());
+    return unsinged_stream[0] == 0x1f && unsinged_stream[1] == 0x8b;
+}
+
 void yieldIfPossible(const string& func, int line)
 {
    // Check if we are in the main loop
@@ -65,7 +73,7 @@ bool RestGetFile::loadJson(const string& json)
    string json_str;

    json_str = json;
-    if (!Waap::Util::isGzipped(json_str))
+    if (!isGZipped(json_str))
    {
        return ClientRest::loadJson(json_str);
    }
@@ -335,7 +343,7 @@ void SerializeToFileBase::saveData()
 }

 string decompress(string fileContent) {
-    if (!Waap::Util::isGzipped(fileContent)) {
+    if (!isGZipped(fileContent)) {
        dbgTrace(D_WAAP_SERIALIZE) << "file note zipped";
        return fileContent;
    }
--- a/components/security_apps/waap/waap_clib/WaapValueStatsAnalyzer.cc
+++ b/components/security_apps/waap/waap_clib/WaapValueStatsAnalyzer.cc
@@ -103,7 +103,7 @@ ValueStatsAnalyzer::ValueStatsAnalyzer(const std::string &cur_val)
    bool lastNul = false; // whether last processed character was ASCII NUL
    size_t curValLength = cur_val.length();

-    if (curValLength == 0 || Waap::Util::isGzipped(cur_val)) {
+    if (curValLength == 0) {
        canSplitSemicolon = false;
        canSplitPipe = false;
        return;
--- a/components/security_apps/waap/waap_clib/Waf2Util.cc
+++ b/components/security_apps/waap/waap_clib/Waf2Util.cc
@@ -1912,17 +1912,6 @@ base64Decode(const string &input)
    return out;
 }

-bool
-isGzipped(const string &stream)
-{
-    if (stream.size() < 2) return false;
-    auto unsinged_stream = reinterpret_cast<const u_char *>(stream.data());
-    dbgTrace(D_WAAP) << "isGzipped: first two bytes: "
-        << std::hex << static_cast<int>(unsinged_stream[0]) << " "
-        << std::hex << static_cast<int>(unsinged_stream[1]);
-    return unsinged_stream[0] == 0x1f && unsinged_stream[1] == 0x8b;
-}
-
 bool
 containsInvalidUtf8(const string &payload)
 {
--- a/components/security_apps/waap/waap_clib/Waf2Util.h
+++ b/components/security_apps/waap/waap_clib/Waf2Util.h
@@ -1135,7 +1135,6 @@ namespace Util {
    std::string obfuscateXor(const std::string& toEncrypt);
    std::string obfuscateXorBase64(const std::string& toEncrypt);

-    bool isGzipped(const std::string &stream);
    bool containsInvalidUtf8(const std::string &payload);

    bool containsPercentEncoding(const std::string &payload);
--- a/config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta1.yaml
+++ b/config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta1.yaml
@@ -40,7 +40,7 @@ spec:
        stdout:
            format: json
        cef-service: []
---
+--
 apiVersion: openappsec.io/v1beta1
 kind: Practice
 metadata:
@@ -56,7 +56,7 @@ spec:
  web-attacks:
    minimum-confidence: high
    override-mode: detect-learn
---
+--
 apiVersion: openappsec.io/v1beta1
 kind: CustomResponse
 metadata:
--- a/config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml
+++ b/config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml
@@ -40,7 +40,7 @@ spec:
        stdout:
            format: json
        cef-service: []
---
+--
 apiVersion: openappsec.io/v1beta1
 kind: Practice
 metadata:
@@ -56,7 +56,7 @@ spec:
  web-attacks:
    minimum-confidence: high
    override-mode: prevent-learn
---
+--
 apiVersion: openappsec.io/v1beta1
 kind: CustomResponse
 metadata:
--- a/core/include/services_sdk/resources/debug_flags.h
+++ b/core/include/services_sdk/resources/debug_flags.h
@@ -106,7 +106,6 @@ DEFINE_FLAG(D_COMPONENT, D_ALL)
            DEFINE_FLAG(D_WAAP_PARSER_GQL, D_WAAP_PARSER)
            DEFINE_FLAG(D_WAAP_PARSER_MULTIPART_FORM, D_WAAP_PARSER)
            DEFINE_FLAG(D_WAAP_PARSER_RAW, D_WAAP_PARSER)
-            DEFINE_FLAG(D_WAAP_PARSER_GZIP, D_WAAP_PARSER)
            DEFINE_FLAG(D_WAAP_PARSER_URLENCODE, D_WAAP_PARSER)
            DEFINE_FLAG(D_WAAP_PARSER_PHPSERIALIZE, D_WAAP_PARSER)
            DEFINE_FLAG(D_WAAP_PARSER_PERCENT, D_WAAP_PARSER)
--- a/core/messaging/connection/connection.cc
+++ b/core/messaging/connection/connection.cc
@@ -262,29 +262,6 @@ public:
    }

 private:
-    string
-    getCertificateDirectory()
-    {
-        auto details_ssl_dir = Singleton::Consume<I_AgentDetails>::by<Messaging>()->getOpenSSLDir();
-
-        if (details_ssl_dir.ok()) {
-            return *details_ssl_dir;
-        }
-
-        // Use detail_resolver to determine platform-specific certificate directory
-#if defined(alpine)
-       string platform = "alpine";
-#else
-       string platform = "linux";
-#endif
-
-        if (platform == "alpine") {
-            return "/etc/ssl/certs/";
-        }
-
-        return "/usr/lib/ssl/certs/";
-    }
-
    Maybe<void>
    setSSLContext()
    {
@@ -319,11 +296,10 @@ private:
        }

        dbgTrace(D_CONNECTION) << "Setting CA authentication";
-
-        auto default_ssl_dir = getCertificateDirectory();
-        auto configured_ssl_dir =
-            getProfileAgentSettingWithDefault<string>(default_ssl_dir, "agent.config.message.capath");
-        const char *ca_dir = configured_ssl_dir.empty() ? "/usr/lib/ssl/certs/" : configured_ssl_dir.c_str();
+        auto details_ssl_dir = Singleton::Consume<I_AgentDetails>::by<Messaging>()->getOpenSSLDir();
+        auto openssl_dir = details_ssl_dir.ok() ? *details_ssl_dir : "/usr/lib/ssl/certs/";
+        auto configured_ssl_dir = getConfigurationWithDefault(openssl_dir, "message", "Trusted CA directory");
+        const char *ca_dir = configured_ssl_dir.empty() ? nullptr : configured_ssl_dir.c_str();

        if (SSL_CTX_load_verify_locations(ssl_ctx.get(), ca_path.c_str(), ca_dir) != 1) {
            return genError("Failed to load certificate locations");
--- a/deployment/docker-compose/apisix/.env
+++ b/deployment/docker-compose/apisix/.env
@@ -23,7 +23,6 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-APPSEC_POSTGRES_VERSION=18

 ## Make sure to have a valid apisix configuration for APISIX in standalone mode in the following file:
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided
--- a/deployment/docker-compose/apisix/docker-compose.yaml
+++ b/deployment/docker-compose/apisix/docker-compose.yaml
@@ -103,14 +103,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${APPSEC_POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: always
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
  juiceshop-backend:
--- a/deployment/docker-compose/envoy/.env
+++ b/deployment/docker-compose/envoy/.env
@@ -23,7 +23,6 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-APPSEC_POSTGRES_VERSION=18

 ## Make sure to have a valid envoy.yaml Envoy configuration file present in the path below.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided
--- a/deployment/docker-compose/envoy/docker-compose.yaml
+++ b/deployment/docker-compose/envoy/docker-compose.yaml
@@ -109,14 +109,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${APPSEC_POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
  juiceshop-backend:
--- a/deployment/docker-compose/kong-lua-plugin/.env
+++ b/deployment/docker-compose/kong-lua-plugin/.env
@@ -23,7 +23,6 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-APPSEC_POSTGRES_VERSION=18

 ## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided
--- a/deployment/docker-compose/kong-lua-plugin/docker-compose.yaml
+++ b/deployment/docker-compose/kong-lua-plugin/docker-compose.yaml
@@ -28,7 +28,7 @@ services:
      - user_email=${APPSEC_USER_EMAIL}
      - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
      - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
-      - registered_server=KongLua
+      - registered_server=Kong
    ipc: shareable
    restart: unless-stopped
    volumes:
@@ -106,14 +106,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${APPSEC_POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
  juiceshop-backend:
--- a/deployment/docker-compose/kong/.env
+++ b/deployment/docker-compose/kong/.env
@@ -23,7 +23,6 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-APPSEC_POSTGRES_VERSION=18

 ## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided
--- a/deployment/docker-compose/kong/docker-compose.yaml
+++ b/deployment/docker-compose/kong/docker-compose.yaml
@@ -106,14 +106,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${APPSEC_POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
  juiceshop-backend:
--- a/deployment/docker-compose/nginx-proxy-manager-centrally-managed/.env
+++ b/deployment/docker-compose/nginx-proxy-manager-centrally-managed/.env
@@ -23,7 +23,6 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-APPSEC_POSTGRES_VERSION=18

 # Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file 
 NPM_DATA=./data
--- a/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml
+++ b/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml
@@ -103,14 +103,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${APPSEC_POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
  juiceshop-backend:
--- a/deployment/docker-compose/nginx-proxy-manager/.env
+++ b/deployment/docker-compose/nginx-proxy-manager/.env
@@ -21,7 +21,6 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-APPSEC_POSTGRES_VERSION=18

 # Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file 
 NPM_DATA=./data
--- a/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml
+++ b/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml
@@ -106,14 +106,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${APPSEC_POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
  juiceshop-backend:
--- a/deployment/docker-compose/nginx-unified/.env
+++ b/deployment/docker-compose/nginx-unified/.env
@@ -23,7 +23,6 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-APPSEC_POSTGRES_VERSION=18

 ## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided
--- a/deployment/docker-compose/nginx-unified/docker-compose.yaml
+++ b/deployment/docker-compose/nginx-unified/docker-compose.yaml
@@ -96,14 +96,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${APPSEC_POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
  juiceshop-backend:
--- a/deployment/docker-compose/nginx/.env
+++ b/deployment/docker-compose/nginx/.env
@@ -23,7 +23,6 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-APPSEC_POSTGRES_VERSION=18

 ## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided
--- a/deployment/docker-compose/nginx/docker-compose.yaml
+++ b/deployment/docker-compose/nginx/docker-compose.yaml
@@ -108,14 +108,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${APPSEC_POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
  juiceshop-backend:
--- a/deployment/docker-compose/swag/.env
+++ b/deployment/docker-compose/swag/.env
@@ -23,7 +23,6 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-APPSEC_POSTGRES_VERSION=18

 ## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file 
 SWAG_CONFIG=./swag-config
--- a/deployment/docker-compose/swag/docker-compose.yaml
+++ b/deployment/docker-compose/swag/docker-compose.yaml
@@ -117,14 +117,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${APPSEC_POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
  juiceshop-backend:
--- a/deployment/nginx/.env
+++ b/deployment/nginx/.env
@@ -15,7 +15,6 @@ USER_EMAIL=user@email.com
 DB_PASSWORD=pass
 DB_USER=postgres
 DB_HOST=appsec-db
-POSTGRES_VERSION=18
 POSTGRES_STORAGE=./postgres-data
 NGINX_CONF_DIR=./nginx-proxy-config

--- a/deployment/nginx/docker-compose.yaml
+++ b/deployment/nginx/docker-compose.yaml
@@ -81,14 +81,14 @@ services:
  appsec-db:
    profiles:
      - standalone
-    image: postgres:${POSTGRES_VERSION}
+    image: postgres
    container_name: appsec-db
    restart: always
    environment:
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_USER=${DB_USER} 
    volumes:
-      - ${POSTGRES_STORAGE}:/var/lib/postgresql
+      - ${POSTGRES_STORAGE}:/var/lib/postgresql/data

 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
 ##
Author	SHA1	Message	Date
Ned Wright	1023b82c2f	sync code	2025-08-08 11:43:34 +00:00
Ned Wright	e4747ede14	sync code	2025-08-08 11:10:26 +00:00
Ned Wright	da20943c09	sync code	2025-08-08 11:06:28 +00:00