# ──────────────────────────────────────────────────────────────────────────────
# HexStrike AI on Hugging Face Spaces — Debian bookworm base (no Kali)
#
# Installs the full HexStrike-recommended toolset in cache-friendly layers.
# Final image ~6–9 GB, well under HF Spaces' 50 GB ephemeral root quota.
#
# ⚠️ Non-root limitations on HF Spaces (UID 1000, no CAP_NET_RAW):
#   * masscan, responder, rustscan-SYN, nmap -sS/-sU/-O — installed but will
#     fail at runtime with "permission denied". They're included so HexStrike
#     doesn't error on "tool not found"; just don't have the LLM call them.
#     Use nmap -sT (TCP connect) instead. (Responder additionally needs to bind
#     privileged ports, which is likewise unavailable without root.)
#
# ⚠️ Supply chain: every tool is fetched at build time from GitHub, PyPI and
#   RubyGems. Only the GitHub release binaries are version-pinned; nothing is
#   checksum-verified, and HexStrike itself is cloned from its default branch.
#   Each rebuild of the Space may therefore ship different code than the last.
#
# ⚠️ Exposure: whoever can reach the Space's HTTP port can presumably drive
#   this toolbox. Authentication is the job of app.py / entrypoint.sh, which are
#   not part of this file — confirm it is enforced before making the Space public.
# ──────────────────────────────────────────────────────────────────────────────
# Base image is pinned by tag only. For a reproducible, reviewable build, pin
# by digest once resolved (FROM python:3.11-slim-bookworm@sha256:...).
FROM python:3.11-slim-bookworm
# Build-time and runtime environment for every layer below:
#  * PIP_BREAK_SYSTEM_PACKAGES=1 is the PEP 668 override. It matters whenever a
#    pip call resolves to Debian's python3 (pulled in via python3-pip below),
#    which carries the EXTERNALLY-MANAGED marker; it lets pip write into
#    distro-managed site-packages, so keep an eye on what gets installed there.
#  * /root/.local/bin is only reachable while the build still runs as root;
#    the runtime user gets its own PATH entry after the USER switch.
#  * GOPATH=/opt/go: no Go toolchain is installed in this file — the Go tools
#    arrive as prebuilt release binaries — so this only pre-seeds the PATH entry.
#  * HF_HOME lives under the runtime user's home so the Hugging Face cache is
#    writable at UID 1000.
ENV DEBIAN_FRONTEND=noninteractive \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    PIP_BREAK_SYSTEM_PACKAGES=1 \
    LANG=C.UTF-8 \
    HF_HOME=/home/user/.cache/huggingface \
    GOPATH=/opt/go \
    PATH="/opt/go/bin:/usr/local/bin:/root/.local/bin:${PATH}"
# ── Enable contrib + non-free (nikto and friends live there) ───────────────────
# Replace the apt source list wholesale: bookworm + updates + security, with
# every section enabled. Plain http is fine here — apt verifies the signed
# Release files, so integrity does not depend on the transport. If the base
# image also ships /etc/apt/sources.list.d/debian.sources, apt may warn that a
# target is configured multiple times; that duplicate is harmless.
RUN { \
      echo 'deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware'; \
      echo 'deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware'; \
      echo 'deb http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware'; \
    } > /etc/apt/sources.list
# ── Layer 1: build essentials + general utilities ──────────────────────────────
# Toolchains first (C, Python headers, Ruby, a JRE), then the fetch/unpack
# utilities the later layers rely on (curl, unzip, gnupg, ...). The compiler
# toolchain stays in the final image — presumably needed for gem/pip native
# extensions — which enlarges the attack surface of a box that runs
# LLM-chosen commands; revisit if a multi-stage build becomes feasible.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      build-essential pkg-config python3-dev python3-pip pipx \
      ruby ruby-dev rubygems default-jre-headless \
      ca-certificates curl wget git jq unzip xz-utils tar gzip gnupg \
 && rm -rf /var/lib/apt/lists/*
# ── Layer 2: network & reconnaissance (apt) ────────────────────────────────────
# Dropped from this list because they are not packaged in Debian bookworm main:
#   * amass     — installed below from the upstream Go release
#   * responder — installed below via pipx (Responder is on PyPI)
# Port scanners and name/identity lookups. masscan and nmap's raw-socket scan
# modes install fine but need CAP_NET_RAW at runtime, which the Space does not
# grant (see header) — only nmap -sT style connect scans actually work.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      nmap masscan netcat-openbsd \
      dnsutils whois dnsenum fierce \
      smbclient \
 && rm -rf /var/lib/apt/lists/*
# ── Layer 2b: amass from upstream Go release ───────────────────────────────────
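# amass: pinned upstream release binary.
# Optional integrity check: build with
#   --build-arg AMASS_SHA256=<sha256 of amass_Linux_amd64.zip for this version>
# and the build fails on a mismatch. Left empty (the default) the archive is
# installed unverified, exactly as before — version pinning alone does not
# protect against a replaced release asset.
ARG AMASS_VERSION=4.2.0
ARG AMASS_SHA256=""
RUN set -eu; \
    curl -fsSL -o /tmp/amass.zip \
      "https://github.com/owasp-amass/amass/releases/download/v${AMASS_VERSION}/amass_Linux_amd64.zip"; \
    if [ -n "${AMASS_SHA256}" ]; then \
      echo "${AMASS_SHA256}  /tmp/amass.zip" | sha256sum -c -; \
    fi; \
    unzip -o /tmp/amass.zip -d /tmp/amass; \
    mv /tmp/amass/amass_Linux_amd64/amass /usr/local/bin/amass; \
    chmod +x /usr/local/bin/amass; \
    rm -rf /tmp/amass /tmp/amass.zip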
# ── Layer 3: web app security (apt) ────────────────────────────────────────────
# Content discovery (dirb/gobuster/ffuf), fingerprinting (nikto/whatweb/
# wafw00f) and SQL injection (sqlmap). These only need outbound TCP, so they
# are usable at UID 1000.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      dirb gobuster ffuf \
      sqlmap nikto whatweb wafw00f \
 && rm -rf /var/lib/apt/lists/*
# ── Layer 4: password & auth tools (apt) ───────────────────────────────────────
# Offline crackers (john, hashcat) and online brute-forcers (hydra, medusa,
# patator). If the Space has no GPU, hashcat runs CPU-only and is slow.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      john hashcat hydra medusa patator \
 && rm -rf /var/lib/apt/lists/*
# ── Layer 5: binary analysis / RE (apt) ────────────────────────────────────────
# Binary inspection (binutils, file, checksec, gdb) plus carving/stego and
# metadata tooling (binwalk, foremost, steghide, exiftool).
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      binutils file checksec gdb \
      binwalk foremost steghide libimage-exiftool-perl \
 && rm -rf /var/lib/apt/lists/*
# ── Layer 6: Chromium for HexStrike's BrowserAgent ─────────────────────────────
# Headless Chromium + matching driver for the browser agent. NOTE(review):
# Chromium's own sandbox usually needs user namespaces; in a locked-down
# container the agent may end up launching it with --no-sandbox, which removes
# renderer isolation for the (hostile) pages it visits — confirm how the agent
# starts it before pointing it at untrusted targets.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      chromium chromium-driver libnss3 fonts-liberation \
 && rm -rf /var/lib/apt/lists/*
# Paths the agent reads to locate the browser and its driver.
ENV CHROME_BIN=/usr/bin/chromium \
    CHROMEDRIVER=/usr/bin/chromedriver
# ── Layer 7: ProjectDiscovery + Rust binaries (GitHub releases) ────────────────
# Pinned upstream release binaries for the ProjectDiscovery suite, feroxbuster
# and RustScan. Versions are fixed, but none of the archives is checksum-
# verified: a replaced or tampered release asset would be installed unnoticed.
# Upstream projects publish per-release checksum files; verifying them here
# (sha256sum -c before unzip/dpkg) is the cheapest hardening for this layer.
# NOTE(review): the RustScan .deb is installed with dpkg as root, so its
# maintainer scripts run as root in the build container — treat that download
# with the same suspicion as a curl|bash installer.
# naabu's default SYN scan and rustscan's SYN mode presumably hit the same
# CAP_NET_RAW limit as nmap -sS (see header); prefer their connect-scan modes.
ARG NUCLEI_VERSION=3.3.7
ARG SUBFINDER_VERSION=2.6.6
ARG HTTPX_VERSION=1.6.9
ARG KATANA_VERSION=1.1.0
ARG NAABU_VERSION=2.3.2
ARG FEROXBUSTER_VERSION=2.11.0
ARG RUSTSCAN_VERSION=2.3.0
# set -e: any failed download/unpack aborts the build (no silent partial
# installs in this layer); -x echoes each command into the build log.
# Each spec is "name|version"; the parameter expansions split on the '|'.
RUN set -eux; \
    cd /tmp; \
    for spec in \
      "nuclei|${NUCLEI_VERSION}" \
      "subfinder|${SUBFINDER_VERSION}" \
      "httpx|${HTTPX_VERSION}" \
      "katana|${KATANA_VERSION}" \
      "naabu|${NAABU_VERSION}" \
    ; do \
      name=${spec%|*}; ver=${spec#*|}; \
      curl -fsSL -o pkg.zip \
        "https://github.com/projectdiscovery/${name}/releases/download/v${ver}/${name}_${ver}_linux_amd64.zip"; \
      unzip -o pkg.zip -d /usr/local/bin/ "${name}"; \
      chmod +x "/usr/local/bin/${name}"; \
      rm pkg.zip; \
    done; \
    curl -fsSL -o ferox.zip \
      "https://github.com/epi052/feroxbuster/releases/download/v${FEROXBUSTER_VERSION}/x86_64-linux-feroxbuster.zip"; \
    unzip -o ferox.zip -d /usr/local/bin/ feroxbuster && chmod +x /usr/local/bin/feroxbuster && rm ferox.zip; \
    curl -fsSL -o /tmp/rustscan.deb \
      "https://github.com/bee-san/RustScan/releases/download/${RUSTSCAN_VERSION}/rustscan_${RUSTSCAN_VERSION}_amd64.deb"; \
    (dpkg -i /tmp/rustscan.deb || (apt-get update && apt-get install -fy && rm -rf /var/lib/apt/lists/*)); \
    rm /tmp/rustscan.deb
# ── Layer 8: Python-based security tools (pipx, isolated venvs) ────────────────
# pipx gives each tool its own venv so conflicting deps can't fight.
# `|| echo warn` keeps a transient PyPI hiccup from killing the whole build —
# but it also means a permanently broken or missing tool is just a log line:
# grep the build log for "[warn]" before trusting the image. Versions are not
# pinned, so each rebuild pulls whatever PyPI serves that day.
# Venvs live under /opt/pipx; entry points land in /usr/local/bin so they are
# on PATH for the non-root runtime user as well. Runs as root at build time;
# the venv contents are world-readable by default.
ENV PIPX_HOME=/opt/pipx PIPX_BIN_DIR=/usr/local/bin
# One `pipx install` per tool, unpinned (latest on PyPI at build time). A
# failure is reported with a "[warn]" line and the build continues.
RUN pipx ensurepath \
 && set -- dirsearch arjun paramspider theharvester autorecon \
           enum4linux-ng netexec impacket volatility3 Responder hashid \
 && for tool; do \
      pipx install --pip-args="--no-cache-dir" "$tool" || echo "[warn] pipx failed for $tool"; \
    done
# ── Layer 9: dalfox (Go binary via official installer) ─────────────────────────
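# dalfox via the upstream installer script. Two changes versus a bare
# `curl | bash`:
#  * the script is fetched to a file first, so a failed download (curl -f) is
#    reported instead of silently piping an empty body into bash — /bin/sh has
#    no pipefail, so the old form could "succeed" with nothing installed;
#  * DALFOX_INSTALLER_REF pins which revision of the script runs. The default
#    is the moving `main` branch (previous behaviour); pass a tag or commit SHA
#    to make this step reproducible. What the script itself downloads is up to
#    the script — read it before pinning.
# Failure stays non-fatal, matching the other best-effort tool layers.
ARG DALFOX_INSTALLER_REF=main
RUN ( set -e; \
      curl -fsSL -o /tmp/dalfox-install.sh \
        "https://raw.githubusercontent.com/hahwul/dalfox/${DALFOX_INSTALLER_REF}/scripts/install.sh"; \
      bash /tmp/dalfox-install.sh -b /usr/local/bin; \
    ) || echo "[warn] dalfox install failed"; \
    rm -f /tmp/dalfox-install.sh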
# ── Layer 10: Ruby gems: evil-winrm, wpscan ────────────────────────────────────
# Ruby tooling from RubyGems. Versions are unpinned (whatever is latest at
# build time) and a failure only produces a "[warn]" line, so a missing or
# silently upgraded gem is easy to overlook.
RUN gem install evil-winrm wpscan --no-document \
 || echo "[warn] gem install partial failure"
# ── Layer 11: cloud / container security ───────────────────────────────────────
# trivy from Aqua's apt repository, with the repo key pinned via signed-by so
# it cannot sign packages for any other source. If the key download fails the
# error does not surface here but at `apt-get update` (signature failure),
# which still aborts the build.
RUN set -e; \
    curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key \
      | gpg --dearmor -o /usr/share/keyrings/trivy.gpg; \
    printf '%s\n' \
      "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb bookworm main" \
      > /etc/apt/sources.list.d/trivy.list; \
    apt-get update; \
    apt-get install -y --no-install-recommends trivy; \
    rm -rf /var/lib/apt/lists/*
# Cloud-posture scanners, each in its own pipx venv and its own layer. None is
# version-pinned and a failure is only warned about, so check the build log.
# NOTE(review): these tools presumably need cloud credentials / cluster
# reachability that nothing in this file provides — confirm how the Space is
# expected to supply them before relying on these layers.
RUN pipx install prowler || echo "[warn] prowler install failed"
RUN pipx install scoutsuite || echo "[warn] scoutsuite install failed"
RUN pipx install kube-hunter || echo "[warn] kube-hunter install failed"
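# kube-bench: pinned upstream release tarball.
# Optional integrity check: build with
#   --build-arg KUBEBENCH_SHA256=<sha256 of the linux_amd64 .tar.gz for this version>
# and the build fails on a mismatch. Left empty (the default) the archive is
# installed unverified, exactly as before.
ARG KUBEBENCH_VERSION=0.10.1
ARG KUBEBENCH_SHA256=""
RUN set -eu; \
    curl -fsSL -o /tmp/kb.tgz \
      "https://github.com/aquasecurity/kube-bench/releases/download/v${KUBEBENCH_VERSION}/kube-bench_${KUBEBENCH_VERSION}_linux_amd64.tar.gz"; \
    if [ -n "${KUBEBENCH_SHA256}" ]; then \
      echo "${KUBEBENCH_SHA256}  /tmp/kb.tgz" | sha256sum -c -; \
    fi; \
    tar -xzf /tmp/kb.tgz -C /usr/local/bin/ kube-bench; \
    chmod +x /usr/local/bin/kube-bench; \
    rm /tmp/kb.tgz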
# docker-bench-security: shallow clone of the moving default branch — not
# pinned to a release or commit, so its contents can change between builds,
# and a clone failure is only warned about. NOTE(review): the benchmark is a
# set of shell scripts that audit a Docker host, so they presumably need a
# Docker socket the Space container will not have — confirm before relying on
# this tool.
RUN git clone --depth 1 https://github.com/docker/docker-bench-security.git \
    /opt/docker-bench-security || echo "[warn] docker-bench clone failed"
# ── Layer 12: SecLists wordlists + HexStrike-expected paths ────────────────────
# Provide the dirb common.txt wordlist at the path HexStrike expects, from
# SecLists with KaliLists as a fallback. Both are fetched from unpinned master
# branches; `test -s` only guarantees a non-empty file was written, which is
# enough for a wordlist. A failure of both sources aborts the build.
RUN set -e; \
    dst=/usr/share/wordlists/dirb/common.txt; \
    mkdir -p "$(dirname "$dst")"; \
    curl -fsSL -o "$dst" \
      https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt \
    || curl -fsSL -o "$dst" \
      https://raw.githubusercontent.com/3ndG4me/KaliLists/master/dirb/common.txt; \
    test -s "$dst"
# ── Layer 13: non-root user (HF Spaces requires UID 1000) ──────────────────────
# HF Spaces runs the container as UID 1000: create that user, pre-create the
# bin directory that `pip install --user` will populate later, and hand the
# whole home over before dropping privileges. Everything after USER runs
# unprivileged, including the HexStrike clone and pip installs below.
RUN useradd --create-home --uid 1000 user \
 && install -d -o user -g user /home/user/.local/bin \
 && chown -R user:user /home/user
USER user
WORKDIR /home/user/app
# pipx entry points installed as root already sit in /usr/local/bin
# (PIPX_BIN_DIR); prepend the user's own pip bin so `pip install --user`
# console scripts resolve as well.
ENV PATH="/home/user/.local/bin:/usr/local/bin:${PATH}"
# ── Layer 14: HexStrike source + its own Python deps + mcp-proxy ───────────────
# (mcp-proxy is not installed explicitly below; presumably it comes in through
#  requirements.txt — verify.)
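# HexStrike is pulled straight from upstream at build time. HEXSTRIKE_REF
# selects the revision: the default `main` is a moving target (previous
# behaviour); pass a tag or full commit SHA to make the code that runs in this
# Space reviewable and reproducible. The fetch-by-ref form is used instead of
# `git clone --branch` because it accepts a branch, a tag or a commit SHA
# (GitHub allows fetching an unadvertised commit by SHA).
ARG HEXSTRIKE_REF=main
RUN git init -q hexstrike \
 && cd hexstrike \
 && git remote add origin https://github.com/0x4m4/hexstrike-ai.git \
 && git fetch -q --depth 1 origin "${HEXSTRIKE_REF}" \
 && git checkout -q --detach FETCH_HEAD
COPY --chown=user:user requirements.txt .
# This service's own dependencies (flask/gunicorn/... and requirements.txt)
# must install — a failure is a build failure. Previously a trailing
# `|| true` applied to the whole && chain, so a broken install of the app's
# own deps was swallowed and only surfaced when the entrypoint started.
# HexStrike's requirements remain best-effort, as the other tool layers are.
RUN pip install --user --no-cache-dir flask gunicorn psutil requests aiohttp bs4 \
 && pip install --user --no-cache-dir -r requirements.txt \
 && ( pip install --user --no-cache-dir -r hexstrike/requirements.txt \
      || echo "[warn] hexstrike/requirements.txt did not fully install" )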
# ── Layer 15: entrypoint ───────────────────────────────────────────────────────
# Service entrypoint and app, owned by the runtime user and made executable in
# a single layer. Port 7860 is the one HF Spaces routes to by default; what
# listens there, and whether it authenticates callers, is decided by
# entrypoint.sh / app.py, which are not part of this file.
COPY --chown=user:user entrypoint.sh app.py ./
RUN chmod +x entrypoint.sh app.py
EXPOSE 7860
CMD ["./entrypoint.sh"]