Docker & Podman reference

Container-runtime operations for the DAST scanner: worker mode, volume mounts, networking, and environment variables. Examples use docker, but every command works with podman — see Podman below for the small differences.

For your first scan, see Scan from the CLI — this page assumes you already have the image pulled and have logged in.

Image

docker pull levoai/levoai-shadownet:stable
  • --shm-size=1g is required on every scan invocation — headless Chromium crashes without it.
  • Default command is worker, so docker run … levoai/levoai-shadownet:stable with no command starts worker mode.

Worker mode

A long-lived container that picks up scan jobs scheduled or triggered from the Levo dashboard. Use this when you want scans initiated from the UI (or on a schedule) rather than the CLI.

Basic worker

docker run -d \
--name levoai-shadownet-worker \
--shm-size=1g \
-e LEVOAI_AUTH_KEY=<your-auth-key> \
-e LEVOAI_ORG_ID=<your-org-id> \
-e LEVOAI_BASE_URL=https://api.levo.ai \
-v "$(pwd)/reports":/app/reports \
--restart unless-stopped \
levoai/levoai-shadownet:stable

Scheduled-only worker

Runs exclusively the scans marked "Scheduled" in the dashboard:

docker run -d \
--name levoai-shadownet-scheduled \
--shm-size=1g \
-e LEVOAI_AUTH_KEY=<your-auth-key> \
-e LEVOAI_ORG_ID=<your-org-id> \
-e LEVOAI_BASE_URL=https://api.levo.ai \
--restart unless-stopped \
levoai/levoai-shadownet:stable \
worker --key <your-auth-key> --organization <your-org-id> --scheduled

Environment variables

Pass these with -e on every docker run (or export them and use the bare -e VAR form). Full list in Configuration → Environment variables.

| Variable | Purpose |
| --- | --- |
| LEVOAI_AUTH_KEY | Auth key (refresh token) from Settings → API Keys. |
| LEVOAI_ORG_ID | Organization ID. |
| LEVOAI_BASE_URL | Levo API endpoint. Defaults to https://api.levo.ai. |
| LEVOAI_ENV_ID | Environment ID — required when --send-issues is set. |
| ANTHROPIC_API_KEY / OPENAI_API_KEY | LLM key for AI-guided crawling. |
| HTTPS_PROXY / HTTP_PROXY / NO_PROXY | Outbound proxy. |

Env vars and CLI flags are interchangeable for Levo platform values (e.g. LEVOAI_ENV_ID and --env-id); flags win when both are set.

Volume mounts

| Mount Path | Purpose |
| --- | --- |
| /home/levo/.config/configstore | Persists login session across container runs. |
| /app/reports | Scan output directory (JSON, SARIF). |
| /work/levo-dast.yml | Mount a levo-dast.yml for config-driven scans. |

Networking

Host network (Linux only)

docker run --rm -it --shm-size=1g --network host \
levoai/levoai-shadownet:stable \
scan https://internal.example.com

Shared Docker network

docker network create mynet
docker run --rm -d --network mynet --name myapp your-app:latest

docker run --rm -it --shm-size=1g --network mynet \
levoai/levoai-shadownet:stable \
scan http://myapp:8080

AI-guided crawling

Pass an LLM key to enable AI crawl mode:

docker run --rm -it --shm-size=1g \
-e ANTHROPIC_API_KEY=<key> \
levoai/levoai-shadownet:stable \
scan https://example.com --crawl-mode ai

Supported providers: ANTHROPIC_API_KEY, OPENAI_API_KEY. See LLM provider precedence if both are set.

Podman

Podman is a drop-in alternative to Docker — the CLI is compatible, so every example on this page works after substituting podman for docker. The differences below come from running rootless and from SELinux-enforcing hosts (RHEL, CentOS Stream, Fedora).

Pull and run

# Use the fully-qualified image to skip Podman's short-name resolution prompt.
podman pull docker.io/levoai/levoai-shadownet:stable

podman run --rm -it --shm-size=1g \
levoai/levoai-shadownet:stable \
scan https://example.com

Volume mounts (rootless)

Rootless Podman maps your host UID to a different UID inside the container. The levo user inside the image (UID 1000) needs to own mounted directories like ~/.config/configstore, or the container will fail to write its session file. Append :U to the mount and Podman chowns the volume to the in-container user automatically:

podman run --rm -it \
-v "$HOME/.config/configstore":/home/levo/.config/configstore:U \
levoai/levoai-shadownet:stable \
login -k <your-auth-key> -o <your-org-id>

SELinux relabeling

If your host enforces SELinux and you see permission denied on bind mounts, add :Z (private label) so Podman relabels the directory for the container. Combine flags with a comma:

podman run --rm -it --shm-size=1g \
-v "$HOME/.config/configstore":/home/levo/.config/configstore:U,Z \
-v "$(pwd)/reports":/app/reports:Z \
levoai/levoai-shadownet:stable \
scan https://example.com --send-issues --env-id <your-env-id>
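The rules from the Environment variables section and the two Podman mount sections can be checked before a container starts. The following is an added example, not Levo tooling: the function names podman_mount_suffix and scan_run_args are hypothetical, and it assumes the LEVOAI_* variables are exported in the calling shell. Using the bare -e NAME form keeps the auth key out of shell history and the host process list, though the value is still readable through container inspection.

```shell
#!/bin/sh
# Added example, not Levo tooling. Function names are hypothetical.

# Volume-option suffix for a bind mount under Podman.
#   $1 rootless: true|false   (podman info --format '{{.Host.Security.Rootless}}')
#   $2 SELinux:  Enforcing|Permissive|Disabled   (getenforce)
podman_mount_suffix() {
    opts=""
    if [ "$1" = true ]; then opts="U"; fi
    if [ "$2" = Enforcing ]; then opts="${opts:+$opts,}Z"; fi
    printf '%s\n' "${opts:+:$opts}"
}

# Print the `run` arguments for one scan, one per line, or fail with a reason.
#   $1 mount suffix ("" for Docker); remaining arguments go to `scan`.
scan_run_args() {
    suffix=$1; shift
    for var in LEVOAI_AUTH_KEY LEVOAI_ORG_ID; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then echo "missing $var" >&2; return 1; fi
    done
    case " $* " in
        *" --send-issues "*)
            case " $* " in
                *" --env-id "*) ;;  # flag present: flags win over the variable
                *) if [ -z "${LEVOAI_ENV_ID:-}" ]; then
                       echo "--send-issues needs LEVOAI_ENV_ID or --env-id" >&2
                       return 1
                   fi ;;
            esac ;;
    esac
    # Bare `-e NAME` copies the value from the caller's environment, so the
    # secret never appears in the argument list; unset names are not propagated.
    printf '%s\n' run --rm --shm-size=1g \
        -e LEVOAI_AUTH_KEY -e LEVOAI_ORG_ID -e LEVOAI_ENV_ID \
        -v "$PWD/reports:/app/reports$suffix" \
        levoai/levoai-shadownet:stable scan "$@"
}

# Usage, with the LEVOAI_* variables already exported:
#   suffix=$(podman_mount_suffix "$(podman info --format '{{.Host.Security.Rootless}}')" "$(getenforce)")
#   scan_run_args "$suffix" https://example.com | tr '\n' '\0' | xargs -0 podman
```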

Worker mode under systemd

Generate a user-level systemd unit so the worker survives logout:

podman run -d \
--name levoai-shadownet-worker \
--shm-size=1g \
-e LEVOAI_AUTH_KEY=<your-auth-key> \
-e LEVOAI_ORG_ID=<your-org-id> \
-e LEVOAI_BASE_URL=https://api.levo.ai \
-v "$(pwd)/reports":/app/reports:U,Z \
--restart unless-stopped \
levoai/levoai-shadownet:stable

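# The user unit directory may not exist yet; the redirect below fails without it.
mkdir -p ~/.config/systemd/user
podman generate systemd --new --name levoai-shadownet-worker \
> ~/.config/systemd/user/levoai-shadownet-worker.service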
systemctl --user enable --now levoai-shadownet-worker.service
loginctl enable-linger "$USER" # keep the unit running after logout
