Docker & Agent Detection
wl-discover collects container security metadata and detects AI agent frameworks running inside Docker containers.
Container Security Metadata
For every Docker container, wl-discover collects: privileged mode, capabilities (add/drop), user/UID, read-only rootfs, volumes/bind mounts, network mode, PID mode, image digest, and lifecycle timestamps. This data is displayed in a Container Security card on the Server Detail page in the Registry Dashboard.
Risk Signals
Six risk signals are evaluated automatically:
| Risk Signal | Trigger |
|---|---|
| docker_privileged_container | Container runs in privileged mode |
| docker_host_network | Container uses host network namespace |
| docker_runs_as_root | Container runs as UID 0 |
| docker_writable_rootfs | Root filesystem is not read-only |
| docker_dangerous_caps | Container has dangerous Linux capabilities |
| docker_sensitive_host_mount | Sensitive host paths are bind-mounted |
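The six signals above map directly onto fields that `docker inspect` already exposes. The following is an added illustration of that evaluation, not wl-discover's own code: it walks a `docker inspect`-style dictionary and returns the signal names that fire. The `DANGEROUS_CAPS` and `SENSITIVE_HOST_PATHS` lists are assumptions standing in for whatever lists the tool actually uses, and both sample containers are constructed.

```python
"""Evaluate the six wl-discover risk signals against docker-inspect-style data.

Added illustration, not wl-discover's own implementation. The capability and
host-path lists are assumptions; the tool's real lists may differ.
"""

# Assumed: capabilities treated as dangerous when added to a container.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "SYS_RAWIO", "ALL"}

# Assumed: host paths whose bind-mount hands the container control of the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/root", "/boot",
                        "/var/run/docker.sock", "/run/docker.sock")


def _normalize_cap(cap):
    """Docker accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _is_sensitive_mount(source):
    """True if a bind-mount source is, or lives under, a sensitive host path."""
    if source == "/":
        return True
    for path in SENSITIVE_HOST_PATHS:
        if path == "/":
            continue  # handled above; otherwise every path would match
        if source == path or source.startswith(path + "/"):
            return True
    return False


def evaluate_risk_signals(inspect):
    """Return the list of risk signal names that fire for one container."""
    host = inspect.get("HostConfig", {})
    config = inspect.get("Config", {})
    signals = []

    if host.get("Privileged"):
        signals.append("docker_privileged_container")
    if host.get("NetworkMode") == "host":
        signals.append("docker_host_network")

    # Config.User may be "", "0", "root", "0:0", "root:root" or "uid:gid".
    # An empty value means Docker's default, which is root.
    uid = (config.get("User") or "").strip().split(":")[0]
    if uid in ("", "0", "root"):
        signals.append("docker_runs_as_root")

    if not host.get("ReadonlyRootfs", False):
        signals.append("docker_writable_rootfs")

    added = {_normalize_cap(c) for c in (host.get("CapAdd") or [])}
    if added & DANGEROUS_CAPS:
        signals.append("docker_dangerous_caps")

    for mount in inspect.get("Mounts") or []:
        if mount.get("Type") == "bind" and _is_sensitive_mount(mount.get("Source", "")):
            signals.append("docker_sensitive_host_mount")
            break
    return signals


# Constructed sample: a typical "just make it work" agent container.
RISKY_INSPECT = {
    "Config": {"User": "", "Image": "ghcr.io/example/agent:1.0"},
    "HostConfig": {"Privileged": False, "NetworkMode": "host",
                   "ReadonlyRootfs": False, "CapAdd": ["CAP_SYS_ADMIN"], "CapDrop": []},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}

# Constructed sample: the same workload with the usual hardening applied.
HARDENED_INSPECT = {
    "Config": {"User": "1000:1000", "Image": "ghcr.io/example/agent:1.0"},
    "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                   "ReadonlyRootfs": True, "CapAdd": [], "CapDrop": ["ALL"]},
    "Mounts": [{"Type": "volume", "Source": "agent-data", "Destination": "/data"}],
}

if __name__ == "__main__":
    print("risky:", evaluate_risk_signals(RISKY_INSPECT))
    print("hardened:", evaluate_risk_signals(HARDENED_INSPECT))
```

Running the block prints five signals for the risky container and none for the hardened one, which is the comparison the Container Security card is meant to make visible.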
Multi-Tier Agent Detection
Agent framework detection uses a configurable 4-tier model:
| Tier | Method | Default | Overhead |
|---|---|---|---|
| 1 | Static metadata — image name (30%), command (40%), env vars (20%), naming (10%) | Always on | None |
| 2 | Process inspection — docker top to check running processes | Enabled | Low |
| 3 | Package inspection — docker exec pip list to check installed packages | Disabled | Medium |
| 4 | Generic AI detection — detects containers with LLM API credentials (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.) | Enabled | Low |
Supported frameworks: LangGraph, CrewAI, AutoGen, LangChain.
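The Tier 1 weights and the Tier 4 credential check can be shown end to end. The block below is an added example, not wl-discover's own code: it scores each supported framework from static metadata using the page's weights (image 30%, command 40%, env vars 20%, naming 10%), applies a detection threshold, and separately flags containers that carry LLM API credentials. The per-framework keyword matching (substring search) and the `LLM_CREDENTIAL_VARS` list are assumptions; the three sample containers are constructed, and the threshold parameter lets the same code be run with the 0.50, 0.30 or 0.65 values the presets use.

```python
"""Tier 1 static-metadata scoring plus Tier 4 generic AI detection.

Added illustration, not wl-discover's own implementation. Weights come from
the page; the keyword matching and credential variable list are assumptions.
"""

FRAMEWORKS = ("langgraph", "crewai", "autogen", "langchain")
WEIGHTS = {"image": 0.30, "command": 0.40, "env": 0.20, "name": 0.10}
DEFAULT_THRESHOLD = 0.50  # Enterprise Standard preset

# Assumed: environment variable names that mark an LLM-enabled container.
LLM_CREDENTIAL_VARS = {"OPENAI_API_KEY", "ANTHROPIC_API_KEY",
                       "GOOGLE_API_KEY", "MISTRAL_API_KEY"}


def _mentions(text, framework):
    """Assumed matching rule: case-insensitive substring search."""
    return framework in text.lower()


def tier1_score(container):
    """Return {framework: weighted score in [0, 1]} from static metadata."""
    fields = {
        "image": container.get("image", ""),
        "command": " ".join(container.get("command", [])),
        "env": " ".join(container.get("env", [])),
        "name": container.get("name", ""),
    }
    scores = {}
    for fw in FRAMEWORKS:
        score = sum(weight for field, weight in WEIGHTS.items()
                    if _mentions(fields[field], fw))
        scores[fw] = round(score, 2)
    return scores


def tier4_generic_ai(container):
    """Return the LLM credential variable names present (Tier 4 signal)."""
    names = {entry.split("=", 1)[0] for entry in container.get("env", [])}
    return sorted(names & LLM_CREDENTIAL_VARS)


def detect(container, threshold=DEFAULT_THRESHOLD):
    """Combine Tier 1 and Tier 4 into one detection result."""
    scores = tier1_score(container)
    best = max(scores, key=scores.get)
    creds = tier4_generic_ai(container)
    return {
        "framework": best if scores[best] >= threshold else None,
        "score": scores[best],
        "generic_ai": bool(creds),
        "credential_vars": creds,
    }


# Constructed samples. Secret values are placeholders, not real keys.
CREWAI_CONTAINER = {
    "name": "crewai-worker",
    "image": "ghcr.io/example/crewai-runner:2.1",
    "command": ["python", "-m", "crewai", "run"],
    "env": ["OPENAI_API_KEY=<placeholder>", "CREWAI_TELEMETRY=false"],
}
# Framework only visible in command and env: 0.40 + 0.20 = 0.60.
LANGCHAIN_LIGHT = {
    "name": "api-backend",
    "image": "python:3.12-slim",
    "command": ["python", "-m", "langchain", "serve"],
    "env": ["LANGCHAIN_TRACING_V2=true"],
}
PLAIN_LLM_CLIENT = {
    "name": "summarizer",
    "image": "python:3.12-slim",
    "command": ["python", "app.py"],
    "env": ["ANTHROPIC_API_KEY=<placeholder>"],
}

if __name__ == "__main__":
    for label, c in [("crewai", CREWAI_CONTAINER), ("light", LANGCHAIN_LIGHT),
                     ("plain", PLAIN_LLM_CLIENT)]:
        for th in (0.30, 0.50, 0.65):
            print(label, th, detect(c, th))
```

The second sample is the interesting one: a container whose only framework evidence is in its command and environment scores 0.60, which clears the Enterprise Standard threshold (0.50) but not the Lightweight / Development one (0.65). That gap is what Tiers 2 and 3 exist to close when they are enabled.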
Config Presets
Three enterprise presets are pre-seeded in the registry:
| Preset | Description |
|---|---|
| Enterprise Standard (default) | Process inspection on, package inspection off, threshold 0.50 |
| High Security | Full port scan, all inspection tiers enabled, threshold 0.30 |
| Lightweight / Development | No deep inspection, threshold 0.65 |
Manage presets at Settings > Config Presets in the Registry Dashboard. The Docker & Agent Detection section provides toggles for process inspection, package inspection, generic AI detection, auto-registration, and threshold/rate-limit controls.
Host Identity
When wl-discover runs inside a Docker container, it reports the container's hostname and internal IP by default. To report the real host identity:
WL_DISCOVER_HOSTNAME=prod-host-01
WL_DISCOVER_HOST_IP=10.0.1.42
These are set automatically by bootstrap.sh.