Docker Deployment¶
You do not need to read this unless you are running
agent-bomdirectly through Docker (compose, ad hocdocker run, or the SSE/runtime Dockerfiles). For the production rollout path, start with Deployment Overview and follow the paved path it recommends.
Use this page for containerized entrypoints. The product split (one
agentbom/agent-bom runtime image plus the agentbom/agent-bom-ui browser
image) is documented in Deployment Overview;
this page only covers Docker-specific commands and image variants.
Pilot on one workstation:
curl -fsSL https://raw.githubusercontent.com/msaad00/agent-bom/main/deploy/docker-compose.pilot.yml -o docker-compose.pilot.yml
docker compose -f docker-compose.pilot.yml up -d
# Dashboard -> http://localhost:3000
The UI image does not replace the API image. A self-hosted browser deployment
still needs the API/control-plane service from agentbom/agent-bom.
Recommended vs advanced Docker paths¶
Use these in this order:
| Path | Status | Use when |
|---|---|---|
deploy/docker-compose.pilot.yml |
recommended | fastest one-machine pilot with the shipped images |
deploy/docker-compose.fullstack.yml |
advanced local example | you want a fuller single-machine compose setup and are comfortable editing local compose files |
deploy/docker-compose.platform.yml |
component example | you are focusing on the control-plane/platform layer only |
deploy/docker-compose.runtime.yml |
component example | you are focusing on proxy/runtime behavior only |
If you want the full self-hosted deployment path for your own infrastructure,
use scripts/deploy/install-eks-reference.sh instead of trying to stretch a
Compose file into production.
Quick scan¶
With host config access¶
Mount your MCP client configs for auto-discovery:
docker run --rm \
-v "$HOME/.config:/home/abom/.config:ro" \
-v "$HOME/Library/Application Support:/home/abom/Library/Application Support:ro" \
agentbom/agent-bom:latest agents
Self-hosted SSE server¶
docker build -f deploy/docker/Dockerfile.sse -t agent-bom-sse .
docker run -p 8080:8080 agent-bom-sse
Proxies and custom CA bundles¶
All maintained agent-bom images accept the standard proxy variables:
HTTP_PROXYHTTPS_PROXYNO_PROXY
They also support mounted enterprise CA bundles through:
SSL_CERT_FILEREQUESTS_CA_BUNDLECURL_CA_BUNDLEPIP_CERT
Example:
docker run --rm \
-e HTTPS_PROXY=http://proxy.internal:8080 \
-e NO_PROXY=localhost,127.0.0.1 \
-e SSL_CERT_FILE=/certs/internal-ca.pem \
-e REQUESTS_CA_BUNDLE=/certs/internal-ca.pem \
-v ./internal-ca.pem:/certs/internal-ca.pem:ro \
agentbom/agent-bom:latest --version
Runtime proxy against a remote MCP endpoint¶
docker pull agentbom/agent-bom:0.88.6
docker run --rm -i \
-v ./audit-logs:/var/log/agent-bom \
agentbom/agent-bom:0.88.6 \
proxy \
--log /var/log/agent-bom/audit.jsonl \
--block-undeclared \
--url http://host.docker.internal:3000
For stdio MCP wrapping, prefer the repo's runtime compose example or run
agent-bom proxy on the host where the target MCP command and its runtime
(node, uvx, python, etc.) are installed.
Images¶
| Image | Purpose |
|---|---|
agentbom/agent-bom:latest |
Main runtime image: CLI, API, scanner jobs, gateway, MCP server |
agentbom/agent-bom-ui |
Standalone browser UI image for split control-plane deploys |
deploy/docker/Dockerfile.sse |
SSE MCP server |
deploy/docker/Dockerfile.runtime |
Local rebuild recipe for the runtime proxy path shipped in agentbom/agent-bom |
deploy/docker/Dockerfile.snowpark |
Snowflake Native App |