Skip to main content
Version: VAST v3.1

Docker Compose

We offer a range of Docker Compose files for quickly getting up and running with VAST. All mentioned files are in the docker directory of the VAST repository, and require having the repository checked out locally.

Docker Compose V2 CLI

All examples shown use the Docker Compose V2 CLI. If using docker compose (with a space) does not work for you, try using docker-compose instead. We don't test our scripts explicitly with this older version, so although most commands should work, we recommand upgrading to a recent version of Docker and Compose.

Quick Start with Docker Compose

To get up and running with VAST in Docker Compose, simply run from the docker/compose directory:

export COMPOSE_FILE=vast.yaml
docker compose up

This fetches the latest version of VAST from Docker Hub.

Cached Images and Containers

By default, Docker aggressively caches images and containers. To prevent Docker from re-using an image, pass --pull always (Compose v2.8+) to docker compose up. Similarly, to prevent Docker from re-using an already built container, pass --force-recreate.

The docker compose run command makes interacting with VAST inside Docker Compose easy:

# Run `vast status` in the Docker Compose network.
docker compose run vast status

# Import a Suricata Eve JSON file in the Docker Compose network.
# NOTE: When piping to stdin, passing --no-TTY is required.
docker compose run --no-TTY vast import suricata < path/to/eve.json

# Run a query against VAST.
# NOTE: For commands that check whether input exists on stdin, passing
# --interactive=false is required. This is a bug in Docker Compose.
docker compose run --interactive=false vast export json '#type == "suricata.alert"'

The Docker Compose network by default exposes VAST on port 5158, allowing for users to connect to it from outside, e.g., with a local VAST binary.

Override Files

VAST's integrations with other services are opt-in, i.e., not loaded by default. To opt into loading another service, specify its override file when starting Docker Compose:

# Load both VAST and Zeek, and the import that sits between the two.
# NOTE: The override file for Zeek does not exist yet, but we plan to add it in
# the near future.
docker compose -f docker/compose/vast.yaml \
-f docker/compose/zeek.yaml \
-f docker/compose/zeek.vast-import.yaml \

We currently have the following override files:

docker/compose/vast.yamlThe vast service that starts up a VAST server including REST API.
docker/compose/vast.volume.yamlAdd persistent storage to VAST.
docker/compose/ VAST to be built from source.
docker/compose/quarto.yamlBuild the Quarto image and run Bash inside.
docker/compose/quarto.bind.yamlBind mound the VAST respository.
docker/compose/quarto.vast.yamlApply settings to connect to the VAST service.
docker/compose/thehive.yamlStart TheHive/Cortex with a basic initial setup.
docker/compose/thehive.vast.yamlIntegrate the Analyzer with the VAST service.
docker/compose/ an integration app for Suricata alerts.
docker/compose/misp.yamlStart MISP with a basic initial setup.
docker/compose/misp.proxy.yamlAdd a reverse proxy for dynamic hostnames.