Skip to main content

🐳 Docker Installation

Run Code Scalpel in a Docker container for CI/CD pipelines or isolated analysis.

Why Docker?

Running Code Scalpel in Docker is ideal for:

  • CI/CD pipelines — Consistent environment across builds
  • Isolated analysis — No impact on host system
  • Team standardization — Same tools for everyone
  • Security scanning — Sandboxed vulnerability analysis

Quick Start

# Pull the latest image
docker pull ghcr.io/your-org/code-scalpel:latest

# Run analysis on current directory
docker run -v $(pwd):/workspace ghcr.io/your-org/code-scalpel:latest \
  analyze_code --file /workspace/src/main.py

Docker Images

Image Tag Description
ghcr.io/your-org/code-scalpel latest Latest stable release
ghcr.io/your-org/code-scalpel 1.3.0 Specific version
ghcr.io/your-org/code-scalpel slim Minimal image (smaller)

Usage Patterns

One-Off Analysis

Analyze a single file:

docker run -v $(pwd):/workspace ghcr.io/your-org/code-scalpel:latest \
  analyze_code --file /workspace/src/main.py

Security Scanning

Scan for vulnerabilities:

docker run -v $(pwd):/workspace ghcr.io/your-org/code-scalpel:latest \
  security_scan --file /workspace/src/auth.py

Project-Wide Analysis

Analyze entire project:

docker run -v $(pwd):/workspace ghcr.io/your-org/code-scalpel:latest \
  get_project_map --project-root /workspace

Interactive Mode

Start an interactive session:

docker run -it -v $(pwd):/workspace ghcr.io/your-org/code-scalpel:latest /bin/bash

MCP Server Mode

To run Code Scalpel as an MCP server in Docker (for connecting to AI assistants):

Using Docker Compose

version: '3.8'

services:
  code-scalpel:
    image: ghcr.io/your-org/code-scalpel:latest
    volumes:
      - ./:/workspace:ro
      - ./config:/config:ro
    environment:
      - CODE_SCALPEL_LICENSE_PATH=/config/license.jwt
    ports:
      - "8080:8080"
    command: ["--server", "--host", "0.0.0.0", "--port", "8080"]
docker-compose up -d

Claude Desktop with Docker

Configure Claude to connect to the Docker container:

{
  "mcpServers": {
    "code-scalpel": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-v", "/path/to/project:/workspace",
        "ghcr.io/your-org/code-scalpel:latest"
      ]
    }
  }
}

CI/CD Integration

GitHub Actions

name: Security Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Run Code Scalpel Security Scan
        run: |
          docker run -v ${{ github.workspace }}:/workspace \
            ghcr.io/your-org/code-scalpel:latest \
            security_scan --project-root /workspace --output json \
            > security-report.json
      
      - name: Upload Security Report
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.json

GitLab CI

security-scan:
  image: ghcr.io/your-org/code-scalpel:latest
  stage: test
  script:
    - security_scan --project-root /builds/$CI_PROJECT_PATH --output json > report.json
  artifacts:
    reports:
      security: report.json

Jenkins

pipeline {
    agent any
    
    stages {
        stage('Security Scan') {
            steps {
                script {
                    docker.image('ghcr.io/your-org/code-scalpel:latest').inside('-v ${WORKSPACE}:/workspace') {
                        sh 'security_scan --project-root /workspace --output json > security-report.json'
                    }
                }
            }
        }
    }
    
    post {
        always {
            archiveArtifacts artifacts: 'security-report.json'
        }
    }
}

Configuration

Volume Mounts

Mount Point Purpose Mode
/workspace Your code to analyze ro (read-only recommended)
/config Configuration files ro
/output Analysis results rw

Environment Variables

Variable Description Default
CODE_SCALPEL_LICENSE_PATH Path to license file None
CODE_SCALPEL_CONFIG_PATH Custom config directory /config
CODE_SCALPEL_OUTPUT_FORMAT Output format (json/text) text

Custom Configuration

Mount your .code-scalpel directory:

docker run \
  -v $(pwd):/workspace:ro \
  -v $(pwd)/.code-scalpel:/config:ro \
  -e CODE_SCALPEL_CONFIG_PATH=/config \
  ghcr.io/your-org/code-scalpel:latest \
  analyze_code --file /workspace/src/main.py

Building Custom Images

Extend the Base Image

FROM ghcr.io/your-org/code-scalpel:latest

# Add custom tools
RUN pip install additional-package

# Add custom configuration
COPY .code-scalpel /config

# Set defaults
ENV CODE_SCALPEL_CONFIG_PATH=/config
docker build -t my-code-scalpel .

Multi-Stage Build for Slim Image

FROM python:3.11-slim as builder

WORKDIR /app
RUN pip install codescalpel

FROM python:3.11-slim
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY --from=builder /usr/local/bin/codescalpel /usr/local/bin/

WORKDIR /workspace
ENTRYPOINT ["codescalpel"]

Troubleshooting

Permission denied when accessing files

1. Ensure the Docker user can read your files:

docker run -v $(pwd):/workspace --user $(id -u):$(id -g) ...

2. Or mount as read-only to ensure safety:

docker run -v $(pwd):/workspace:ro ...
Container can't find files
  1. Use absolute paths inside the container (/workspace/...)
  2. Verify the mount is correct: 
    docker run -v $(pwd):/workspace ... ls -la /workspace
Out of memory errors
  1. Increase Docker memory limit: 
    docker run -m 4g ...
  2. Or analyze smaller portions of the codebase
Slow performance in CI
  1. Use the slim image tag for faster pulls
  2. Cache the Docker image in your CI: 
    - uses: docker/setup-buildx-action@v3
- uses: docker/build-push-action@v5
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max

Security Considerations

⚠️ Read-Only Mounts

Always mount your source code as read-only (:ro) in production to prevent accidental modifications.

💡 Rootless Docker

For enhanced security, run Code Scalpel in rootless Docker mode:

docker run --user 1000:1000 -v $(pwd):/workspace:ro ...

Next Steps

🚀 What's Next