Skip to main content

Install the Go agent in a container

Installing the Go agent in a container is essentially the same as the standard installation procedure, except that the installation occurs in a container and, to follow best practices, you should use environment variables to configure the Contrast credentials.

Using environment variables is the most secure method for installing the Go agent in a container. Since containers often migrate through QA and production systems, it's a best practice to avoid hard-coding credentials in the container definition.

Tip

If you would like to explore a sample application using the Go agent in a Dockerfile, see the Go Test Bench project.

Before you begin

  • You should have a basic understanding of how containers and related software work.

  • You may need to adjust the instructions to meet your specific circumstances.

Install, build, and run the Go application

  1. Ensure Go is installed.

  2. Install contrast-go with this command:

    RUN github.com/contrast-security-oss/contrast-go-installer@latest latest

  3. Build the application by replacing your normal go build command with contrast-go build. This step builds an executable with Contrast embedded in it.

    RUN contrast-go build ./app

  4. Configure the agent with environment variables.

Docker example

This example shows how to install, build, and run a Go application in a Docker container.

# Step 1: Install Go. You can use a different base image than the one shown in
# this example.
FROM golang:1.21 AS builder
WORKDIR /build

COPY . .

# Step 2: This step installs contrast-go and makes sure it's in your $PATH so 
# you can use it in the next step.
RUN go run github.com/contrast-security-oss/contrast-go-installer@latest latest

# Step 3: This step is your normal build step, but uses contrast-go instead of
# go. This step doesn't replace Go; it just wraps it so that it can add 
# instrumentation during the build process.
RUN contrast-go build ./app

# Optional: Move the finished build to a new container.
# Not required, but nice to have!
FROM alpine:latest
COPY --from=builder /build/app .

# Step 4: Configure the agent using enviornment variables.

ENTRYPOINT ["./app"]

Example of environment variable configuration

Note

The Export option in the Contrast agent configuration editor is an easy way create the environment variables for the Contrast credentials.

The process to set environment variables when using a cloud provider typically involves using a secrets manager and then linking the values of those secrets to the environment variables.

For example, you could use this command to build your container:

docker build -t my-app-image

And then, use these commands when you run the container:

docker run -p 3000:3000 --name my-app-instance \
-e "CONTRAST__API__URL=your-ts-url" \
-e "CONTRAST__API__API_KEY=your-api-key" \
-e "CONTRAST__API__SERVICE_KEY=your-service-key" \
-e "CONTRAST__API__USER_NAME=your-user-name" \
my-app-image

See also

In this section: