The agent connects to the Secrux control plane over the Executor Gateway (TLS),
reports heartbeat metrics, receives task_assign messages, and launches Docker
containers for each engine.
This is a Go binary (not a Docker container). The host running the agent must have:
- Docker installed and the daemon running (to launch engine containers)
- Network access to:
- Executor Gateway (default
:5155) - Secrux Server API base URL (for download/upload endpoints)
- Executor Gateway (default
-
Config file (recommended)
Copyconfig.temptoconfig.json, fill your values, then run with-config ./config.json. Example (JSON): -
Flags & environment variables
-server,-server-name,-ca-cert,-token,-insecureoverride the config file.EXECUTOR_TOKENseeds the token if the flag is omitted (useful with.env/ systemdEnvironmentFile).ENGINE_IMAGE_MAP(engine=image,...) andENGINE_SEMGREP_IMAGEoverride individual entries after the file is loaded.
-
Precedence
- Connection/TLS: defaults →
config.json→ flags - Token:
-token→config.json.token→EXECUTOR_TOKEN - Engine images:
config.json.engineImages→ENGINE_IMAGE_MAP→ENGINE_SEMGREP_IMAGE/ENGINE_TRIVY_IMAGE→ defaults - Trivy options: defaults →
config.json.trivy
- Connection/TLS: defaults →
When insecure=false, the agent verifies that the gateway certificate matches serverName (SAN/hostname verification).
For local quickstart, you can generate a certificate pair (with SANs) and make the server use it:
# from repo root
./gen-executor-gateway-certs.sh
docker compose up -d --force-recreate secrux-serverThen set caCertPath to the generated CA (recommended): ../certs/executor-gateway/gateway-ca.crt
and ensure serverName matches one of the SANs (defaults include gateway.secrux.internal and localhost).
server(string): Executor Gateway address, inhost:portformat (TCP over TLS).serverName(string): TLS server name override (SNI + hostname verification). Use this when connecting by IP/alias but the certificate is issued for a DNS name.caCertPath(string): Path to a CA certificate bundle (PEM). When set, it is appended to the system trust store for verifying the gateway certificate.token(string): Provisioned executor token (treat as a password).insecure(bool): Dev only. Skips TLS verification (InsecureSkipVerify=true). The connection is still TLS-encrypted but the gateway identity is not verified (MITM risk). Whentrue,caCertPathis ignored.engineImages(object): Map ofengine -> docker image. Used when a task payload does not include an explicitimage. Keys are case-insensitive.trivy(object): Trivy-specific execution options:sanitizePomRepositories(bool): Removes banned Maven repository URLs frompom.xmlbefore scanning to reduce dependency resolution failures/timeouts.bannedMavenRepoHosts(string[]): Hosts to remove from Maven repository URLs (defaults include Bintray/JCenter).filesystemCopyMode(auto|always|never): Whether to copy the scan source dir before sanitizingpom.xml.mavenRepositoryPath(string): Host path to mount into the Trivy container Maven cache (/root/.m2/repository, read-only).mavenSettingsPath(string): Host path to mount as Mavensettings.xml(/root/.m2/settings.xml, read-only).cacheHostPath(string): Host path for Trivy cache persistence (mounted to/tmp/trivy-cache).inheritProxyEnv(bool): PassesHTTP_PROXY/HTTPS_PROXY/NO_PROXYfrom the host into the Trivy container if not already present in the task env.
EXECUTOR_TOKEN: Seeds-tokenwhen the flag is omitted.ENGINE_IMAGE_MAP: Overrides engine images without editingconfig.json(engine=image,engine2=image2).ENGINE_SEMGREP_IMAGE,ENGINE_TRIVY_IMAGE: Convenience overrides for individual engines.HTTP_PROXY,HTTPS_PROXY,NO_PROXY: Forwarded to Trivy containers whentrivy.inheritProxyEnv=true.
-config: Path toconfig.json.-server: Overrideconfig.json.server.-server-name: Overrideconfig.json.serverName.-ca-cert: Overrideconfig.json.caCertPath.-token: Overrideconfig.json.token/EXECUTOR_TOKEN.-insecure: Overrideconfig.json.insecure.
go test ./...
go build -o executor-agent .
cp config.temp config.json
# edit config.json (server/serverName/caCertPath/token)
./executor-agent -config ./config.jsonIf you prefer keeping the token outside the config file:
cp .env.example .env
set -a; . ./.env; set +a
./executor-agent -config ./config.jsonWhen a task payload omits an explicit Docker image, the agent resolves it from
the combined registry described above. If an engine is missing, the task is
rejected (Semgrep defaults to secrux-semgrep-engine:latest). Use the config
file to define the baseline mapping per executor host and environment
variables for temporary overrides.
The agent prefers a locally available image (Docker inspect) and only pulls
from a registry when the image is missing locally.
{ "server": "gateway.secrux.internal:5155", "serverName": "gateway.secrux.internal", "caCertPath": "../certs/executor-gateway/gateway-ca.crt", "token": "EXECUTOR_TOKEN", "insecure": false, "engineImages": { "semgrep": "ghcr.io/secrux/semgrep:latest", "trivy": "ghcr.io/secrux/trivy:latest", "grype": "ghcr.io/secrux/grype:1.0.2", "dependency-check": "registry.local/dc:2024.10" }, "trivy": { "sanitizePomRepositories": true, "bannedMavenRepoHosts": [ "dl.bintray.com", "jcenter.bintray.com", "repo.bintray.com" ], "filesystemCopyMode": "auto", "mavenRepositoryPath": "~/.m2/repository", "mavenSettingsPath": "~/.m2/settings.xml", "cacheHostPath": "~/.cache/secrux/trivy", "inheritProxyEnv": true } } ``` Note: `token` is a password. Rotate it if leaked. Trivy note: `sanitizePomRepositories` removes dead Maven repositories from `pom.xml` (e.g. Bintray) to avoid Trivy timing out during dependency resolution. `filesystemCopyMode` controls whether the agent copies `source.filesystem.path` into a temp dir before rewriting POMs (`auto` = copy only for local filesystem sources). To reduce network dependence, the agent can mount the host Maven cache (`mavenRepositoryPath`) and Maven settings (`mavenSettingsPath`) into the Trivy container, plus a persistent Trivy cache dir (`cacheHostPath`) for vulnerability DB reuse. Paths support `~` expansion.