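#!/usr/bin/env bash
# Generate a Docker Compose bundle for the BlackShield VM scanner under
# "$TARGET_ROOT/deploy/vm-scanner":
#
#   docker-compose.yml       service definition            (always rewritten)
#   .env.vm-scanner          live config incl. the API key (created once, mode 0600,
#                            never overwritten)
#   .env.vm-scanner.example  template with placeholder key (always rewritten)
#   .gitignore               keeps the live env file out of version control
#   README.md                operator instructions         (always rewritten)
#
# Usage: $0 [TARGET_ROOT]            (default: current directory)
# Env:   BLACKSHIELD_API_URL         API endpoint written into the env files
#        BLACKSHIELD_VMS_IMAGE       scanner image reference written into the env files
set -euo pipefail

TARGET_ROOT="${1:-.}"
BLACKSHIELD_API_URL="${BLACKSHIELD_API_URL:-https://api.blackshield.chaplau.com}"
BLACKSHIELD_VMS_IMAGE="${BLACKSHIELD_VMS_IMAGE:-public.ecr.aws/blackshield-security/vms-scanner:1.0.6}"

readonly BUNDLE_DIR="$TARGET_ROOT/deploy/vm-scanner"
readonly ENV_FILE="$BUNDLE_DIR/.env.vm-scanner"
readonly GITIGNORE_FILE="$BUNDLE_DIR/.gitignore"

# The API key is sent to this URL; anything other than https:// would expose it
# on the wire. Warn rather than abort so local/test overrides still work.
case "$BLACKSHIELD_API_URL" in
  https://*) ;;
  *)
    printf 'warning: BLACKSHIELD_API_URL is not https:// (%s); the API key would travel in clear text\n' \
      "$BLACKSHIELD_API_URL" >&2
    ;;
esac

#######################################
# Print the env-file template to stdout.
# Shared by the live .env.vm-scanner and the .example copy so the two cannot drift.
# Globals:  BLACKSHIELD_VMS_IMAGE, BLACKSHIELD_API_URL (read)
# Outputs:  KEY=VALUE lines on stdout; BLACKSHIELD_API_KEY is a placeholder
#######################################
env_template() {
  cat <<EOF
BLACKSHIELD_VMS_IMAGE=${BLACKSHIELD_VMS_IMAGE}
BLACKSHIELD_API_URL=${BLACKSHIELD_API_URL}
BLACKSHIELD_API_KEY=sp_xxxx
VMS_COLLECTOR_MODE=file
OSSEC_ALERTS_FILE=/var/ossec/logs/alerts/alerts.json
OSSEC_STATE_FILE=/tmp/vms-state/ossec-state.json
VM_ALERTS_DIR=/var/ossec/logs/alerts
SCAN_INTERVAL_SECONDS=60
SCAN_ON_STARTUP=true
MIN_SEVERITY=high
LOG_LEVEL=INFO
HEALTH_PORT=8080
EOF
}

mkdir -p "$BUNDLE_DIR"

# Quoted heredoc: ${...} references are left for Docker Compose to interpolate
# from the --env-file, not expanded by this script.
cat > "$BUNDLE_DIR/docker-compose.yml" <<'EOF'
services:
  blackshield-vms-scanner:
    # Supply-chain note: a mutable tag can be repointed upstream. For production,
    # set BLACKSHIELD_VMS_IMAGE to the digest form (repo@sha256:...) once verified.
    image: ${BLACKSHIELD_VMS_IMAGE}
    restart: unless-stopped
    env_file:
      - .env.vm-scanner
    ports:
      # Loopback only: /health and /metrics are for local verification and
      # scraping, not for the network. Docker published ports bypass host
      # firewall rules, so binding to 0.0.0.0 would expose them unconditionally.
      - "127.0.0.1:8080:8080"
    security_opt:
      - no-new-privileges:true
    volumes:
      - ${VM_ALERTS_DIR}:/var/ossec/logs/alerts:ro
      - vm-scanner-state:/tmp/vms-state
    healthcheck:
      test:
        [
          "CMD",
          "python",
          "-c",
          "import urllib.request,sys; resp=urllib.request.urlopen('http://127.0.0.1:8080/health',timeout=3); sys.exit(0 if resp.status==200 else 1)",
        ]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 15s

volumes:
  vm-scanner-state: {}
EOF

if [ ! -f "$ENV_FILE" ]; then
  # umask 077 in a subshell so the file is born 0600: it will hold the real
  # ingestion key once the operator replaces the placeholder.
  ( umask 077; env_template > "$ENV_FILE" )
  printf 'Wrote deploy/vm-scanner/.env.vm-scanner (mode 0600)\n'
else
  printf 'Preserved existing deploy/vm-scanner/.env.vm-scanner (check it is mode 0600)\n'
fi

# Keep the live env file (which carries the key) out of git; append rather than
# overwrite so an operator-managed .gitignore keeps its other entries.
if [ ! -f "$GITIGNORE_FILE" ] || ! grep -qxF -- '.env.vm-scanner' "$GITIGNORE_FILE"; then
  printf '.env.vm-scanner\n' >> "$GITIGNORE_FILE"
  printf 'Wrote deploy/vm-scanner/.gitignore\n'
fi

env_template > "$BUNDLE_DIR/.env.vm-scanner.example"

cat > "$BUNDLE_DIR/README.md" <<'EOF'
# VM Scanner Docker Compose Bundle

1. Open `.env.vm-scanner` and replace `BLACKSHIELD_API_KEY`. If that key was pasted into a terminal transcript, ticket, or chat, revoke it and create a new ingestion key before retesting. The file is created with mode `0600` and is listed in `.gitignore`; keep it that way (`chmod 600 .env.vm-scanner` if it was created by other means) and never commit it. Only `.env.vm-scanner.example` belongs in version control.
2. Confirm `VM_ALERTS_DIR` points at the host directory that contains `alerts.json`.
3. Start the runtime:

```bash
docker compose --env-file .env.vm-scanner up -d
```

4. Verify the runtime:

```bash
curl http://localhost:8080/health
curl http://localhost:8080/metrics
```

The health and metrics port is published on `127.0.0.1` only. If a remote scraper
needs `/metrics`, front it with an authenticated reverse proxy instead of widening
the bind address.

The image is referenced by tag. For production deployments, set
`BLACKSHIELD_VMS_IMAGE` to the digest form (`repo@sha256:...`) after verifying the
image so the deployment cannot silently change when the tag is moved.

The runtime uses `VMS_COLLECTOR_MODE=file` and tails
`/var/ossec/logs/alerts/alerts.json` incrementally from the mounted host path.
Scanner state is persisted in the `vm-scanner-state` Docker volume so container
restarts do not reread old alerts.
EOF

printf 'Wrote deploy/vm-scanner/docker-compose.yml\n'
printf 'Wrote deploy/vm-scanner/.env.vm-scanner.example\n'
printf 'Wrote deploy/vm-scanner/README.md\n'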
