Skip to content

Docker Compose

Purpose

On‑premise SailPoint Entro Connector for network‑restricted assets. The connector runs on an EC2/VM using Docker Compose and securely transmits findings metadata to SailPoint Entro.

Supported local resources:

  • Bitbucket Data Center / Server

  • GitLab (self‑hosted)

  • GitHub Enterprise (on‑prem)

  • Atlassian Jira Server / Confluence Server

  • SMB File Shares

  • HashiCorp Vault

Note

When to choose self‑managed Choose self‑managed only if required by your network constraints. Self‑managed instances need manual updates and lack SailPoint Entro cloud uptime monitoring. Prefer SailPoint Entro cloud connectors if possible.

EC2 / VM Instance Requirements

Sizing (Standard)

  • 8 CPU cores

  • 32 GB RAM

  • 64 GB SSD (minimum)

Sizing (Large Orgs)

  • 16 CPU cores

  • 32 GB RAM

  • 64 GB SSD (minimum)

OS / Architecture

  • Amazon Linux 2023

  • Architecture: AMD64

Access & Connectivity

  • Root‑level user access required

  • SSH access to the instance

  • Outbound (egress) Internet communication required

  • Connectivity to target services (GitLab on‑prem, Bitbucket Server, SMB, Vault)

  • Outbound ports: any (*)

Required Software

  • Docker

  • Docker Compose

Files in the Provided Package

When SailPoint Entro provides the connector ZIP it includes:

  • docker-compose.yaml — container definitions

  • .env — general docker configuration

  • .env-connector — connector configuration

  • .env-scanner — scanner configuration

  • .env-nats — NATS configuration

Installation (Step-By-Step)

  1. Receive the package

    Receive ZIP via 1Password from SailPoint Entro.

  2. Prepare host

    unzip docker-compose.zip
    cd docker-compose
    
  3. Edit connector environment

    Edit .env-connector and populate values provided by SailPoint Entro:

    AWS_ACCESS_KEY_ID=
    AWS_SECRET_ACCESS_KEY=
    AWS_REGION=
    OUTPUT_BUCKET=
    SQS_QUEUE_URL=
    REDSHIFT_BUCKET=
    LOG_STREAMER_LOG_STREAM=
    LOG_STREAMER_LOG_GROUP=
    LOG_STREAMER_TYPE=cloudwatch
    LOG_STREAMER_ENABLED=true
    
    # If using encrypted secrets:
    SECRET_PRIVATE_KEY=
    
    # If using a HTTP/HTTPS Proxy:
    HTTP_PROXY=
    NO_PROXY= //addresses to bypass proxy
    
  4. Authenticate to SailPoint Entro container registry

    Replace <GITHUB_TOKEN> with token SailPoint Entro provided:

    echo <GITHUB_TOKEN> | docker login ghcr.io -u entro-registry --password-stdin
    
  5. Pull and start containers

    docker compose pull
    docker compose up -d
    
  6. Verify

    docker compose ps
    docker compose logs -f
    

Custom Mounts (Required Volumes)

Starting v2.0 the connector requires these volumes:

  • var/nats : 10 GB minimum — message queue storage

  • /clones : 20 GB minimum — repository clone storage (when scanning repos)

Create mounts on the host and bind them into the container as shown in docker-compose.yaml.

Upgrade Instructions

To upgrade images either use :latest tags or pin versions.

Example env variables to pin exact versions:

CONNECTOR_IMAGE=ghcr.io/entro-security-registry/entro-connector:2.6.10
SCANNER_IMAGE=ghcr.io/entro-security-registry/entro-scanner:1.7.5
TIKA_IMAGE=ghcr.io/entro-security-registry/entro-tika:1.7.0
NATS_IMAGE=ghcr.io/entro-security-registry/entro-nats-{arch}:1.7.0

Upgrade procedure:

# stop
docker compose down

# pull new images
docker compose pull

# restart
docker compose up -d

Notes & Operational Tips

  • Coordinate credential, token, and certificate handling with SailPoint Entro.

  • Monitor disk usage for var/nats and /clones.

  • For large organizations, scale CPU and memory per the "large orgs" sizing above.

  • For custom mounts or advanced host configuration, contact SailPoint Entro for guidance.

Architecture (ASCII)

View architecture diagram

EC2 / VM host (Docker)
 └─ Entro Connector containers
     ├─ connector
     ├─ scanner
     ├─ tika
     └─ nats
Outbound HTTPS -> Entro API (findings metadata)
Local access -> Target services (GitLab, Bitbucket, SMB, Vault)