Docker Deployment

NAT is available as a Docker image. Use Docker to run scans in isolated environments, integrate with Docker Compose, or deploy the self-hosted NAT server.

Quick start

# Run a single scan
docker run --rm natengine/nat:latest \
  nat scan --url https://api.example.com

Running scans with Docker

docker run --rm natengine/nat:latest \
  nat scan --url https://api.example.com \
    --auth-type bearer \
    --token "$TOKEN"

Docker Compose — scan mode

Use Docker Compose to manage environment variables and volume mounts cleanly:

# docker-compose.yml
version: '3.8'
services:
  nat-scan:
    image: natengine/nat:latest
    volumes:
      - ./openapi.yaml:/openapi.yaml:ro
      - ./reports:/reports
    environment:
      - NAT_API_KEY=${NAT_API_KEY}
    command: >
      nat scan
        --url ${API_URL}
        --spec /openapi.yaml
        --auth-type bearer
        --token ${API_TOKEN}
        --output /reports/latest.html
        --fail-on high

API_URL=https://staging.example.com API_TOKEN=$TOKEN docker compose run nat-scan

Self-hosted server with Docker

Run the NAT server as a persistent container exposing the dashboard and REST API:

# docker-compose.yml
version: '3.8'
services:
  nat-server:
    image: natengine/nat:latest
    command: nat server start --host 0.0.0.0 --port 8080
    ports:
      - "8080:8080"
    volumes:
      - nat-data:/data
    environment:
      - NAT_DATA_DIR=/data
      - NAT_SECRET_KEY=${NAT_SECRET_KEY}
      - NAT_LOG_LEVEL=info
    restart: unless-stopped
 
volumes:
  nat-data:

docker compose up -d nat-server

Dashboard available at http://localhost:8080.

Environment variables reference

| Variable | Description | Default |
| --- | --- | --- |
| NAT_API_KEY | API key for SaaS authentication | |
| NAT_DATA_DIR | Data directory for server mode | /root/.nat/data |
| NAT_SECRET_KEY | Secret for session signing | Auto-generated |
| NAT_PORT | Server listen port | 8080 |
| NAT_HOST | Server bind address | 127.0.0.1 |
| NAT_LOG_LEVEL | Log level (debug, info, warn, error) | info |

Docker image tags

| Tag | Description |
| --- | --- |
| latest | Latest stable release |
| 1.x.x | Specific version pin |
| edge | Latest development build (not for production) |

⚠️ Pin to a specific version tag in production environments to avoid unexpected behavior from automatic updates. Example: natengine/nat:1.2.0

Health check

The NAT server exposes a health endpoint:

curl http://localhost:8080/health
# {"status":"ok","version":"1.x.x"}

Add a health check to your Docker Compose service:

healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
  interval: 30s
  timeout: 10s
  retries: 3
  start_period: 10s

Production hardening

For production Docker deployments:

  1. Run as non-root — the natengine/nat image runs as user nat (UID 1000) by default
  2. Read-only root filesystem — mount only required volumes as writable
  3. Pin image versions — use specific version tags, not latest
  4. Set resource limits — cap CPU and memory to prevent resource exhaustion
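  5. Use secrets management — pass NAT_SECRET_KEY and NAT_API_KEY via Docker secrets or a secrets manager

services:
  nat-server:
    image: natengine/nat:1.2.0   # pinned version tag, not latest
    read_only: true              # read-only root filesystem
    tmpfs:
      - /tmp                     # writable scratch space held in memory
    volumes:
      - nat-data:/data           # the only persistent writable mount
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 2G
    secrets:
      - nat_secret_key

# Named volume referenced by the service above
volumes:
  nat-data:

secrets:
  nat_secret_key:
    external: true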
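
The five hardening points above can be checked automatically before a deployment. The following is an added example, not code from the NAT project or from this page: it audits the JSON that `docker compose config --format json` prints, and it assumes that normalized layout; the function names and the embedded sample are constructed for illustration.

```python
import json

SECRET_VARS = {"NAT_SECRET_KEY", "NAT_API_KEY"}  # variables the page says belong in a secrets store
FLOATING_TAGS = {"latest", "edge"}               # tags that move between releases

def env_names(env):
    """Compose accepts environment as a mapping or as a list of KEY=VALUE strings."""
    if isinstance(env, dict):
        return set(env)
    return {item.split("=", 1)[0] for item in env or []}

def audit_service(name, svc):
    """Return the hardening findings for one service definition."""
    findings = []
    image = svc.get("image", "")
    # Look for the tag only after the last '/', so a registry port is not read as a tag.
    tag = image.rsplit("/", 1)[-1].partition(":")[2]
    if "@sha256:" not in image and (not tag or tag in FLOATING_TAGS):
        findings.append(f"{name}: image '{image}' is not pinned to a version tag")
    if svc.get("read_only") is not True:
        findings.append(f"{name}: root filesystem is writable (read_only not set)")
    # The image defaults to a non-root user, so only an explicit override to root is flagged.
    if str(svc.get("user", "")).split(":")[0] in {"0", "root"}:
        findings.append(f"{name}: user is overridden to root")
    limits = svc.get("deploy", {}).get("resources", {}).get("limits", {})
    for key in ("cpus", "memory"):
        if key not in limits:
            findings.append(f"{name}: no {key} limit")
    for var in sorted(SECRET_VARS & env_names(svc.get("environment"))):
        findings.append(f"{name}: {var} is passed as a plain environment variable")
    return findings

def audit_compose(doc):
    """Audit every service in a parsed Compose document, in name order."""
    return [f for name, svc in sorted(doc.get("services", {}).items())
            for f in audit_service(name, svc)]

# Constructed sample: the page's first nat-server service beside its hardened form.
SAMPLE = json.loads("""{"services": {
  "nat-server": {"image": "natengine/nat:latest",
    "environment": {"NAT_DATA_DIR": "/data", "NAT_SECRET_KEY": "x", "NAT_LOG_LEVEL": "info"}},
  "nat-server-hardened": {"image": "natengine/nat:1.2.0", "read_only": true,
    "deploy": {"resources": {"limits": {"cpus": 2, "memory": "2147483648"}}},
    "secrets": [{"source": "nat_secret_key"}]}}}""")

if __name__ == "__main__":
    for finding in audit_compose(SAMPLE):
        print(finding)
```

To audit a real project, replace `SAMPLE` with `json.load(sys.stdin)` and pipe the `docker compose config --format json` output into the script.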

Troubleshooting

See Docker Issues troubleshooting for common Docker deployment problems.
