Shielda Agent Deployment Guide
Last Updated: 2026-04-03
---
Table of Contents
1. Overview
2. Manual Deployment
3. Kubernetes Deployment (Helm)
4. AWS ECS Fargate
5. GCP Cloud Run
6. Azure Container Instances
7. Cloud Marketplace Deployment
8. Agent Configuration Reference
9. Security Considerations
10. Troubleshooting
---
Overview
The Shielda Go Agent is a self-hosted security scanner that runs in your environment. It:
- Discovers services (Docker containers, Git repos, K8s workloads, AI assistants)
- Scans using 21 security tools (run as Docker containers)
- Triages findings with 6 AI agents (BYOK LLM keys)
- Uploads results to the Shielda Control Plane via HTTPS
Requirements
| Requirement | Details |
|---|---|
| Docker | Required for running security scanning tools |
| Network | Outbound HTTPS to your Shielda Control Plane URL |
| Token | Agent token from Dashboard → Agents → Register |
| LLM Key | Anthropic or OpenAI API key (optional, for AI features) |
Agent Binary
Available via:
- Docker image: ghcr.io/shielda/agent:latest (or pin a specific version via SHIELDAAGENTVERSION env var)
- Binary releases: GoReleaser artifacts on GitHub Releases
- Helm chart: agent/deploy/helm/shielda-agent/
Security note: For production deployments, pin the agent image to a specific version tag or SHA256 digest instead of :latest. Use --cap-drop ALL --security-opt no-new-privileges:true --read-only --tmpfs /tmp for container hardening. See docker-compose.agent.yml for a hardened reference configuration.
---
Manual Deployment
Docker (Simplest)
Important: The default Docker deployment routes daemon access through docker-socket-proxy. Do not mount the Docker daemon socket directly into the agent container except through the documented break-glass installer mode.
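The hardening flags from the security note and the socket rule above can be verified against a running container. This is an added example, not part of the Shielda project: it audits `docker inspect` JSON output, the container names and sample data are constructed, and only `HostConfig.Binds` is examined for socket mounts.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/shielda-agent-hardened",
   "Config": {"Image": "ghcr.io/shielda/agent@sha256:<digest-placeholder>"},
   "HostConfig": {"CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges:true"],
                  "ReadonlyRootfs": true, "Tmpfs": {"/tmp": ""}, "Binds": null}},
  {"Name": "/shielda-agent-default",
   "Config": {"Image": "ghcr.io/shielda/agent:latest"},
   "HostConfig": {"CapDrop": null, "SecurityOpt": null, "ReadonlyRootfs": false,
                  "Tmpfs": null,
                  "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}
]
""")

def image_is_pinned(image: str) -> bool:
    """True for an explicit non-latest tag or an @sha256 digest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
    _, sep, tag = last.partition(":")
    return bool(sep) and tag not in ("", "latest")

def audit_container(doc: dict) -> list[str]:
    """Return the hardening gaps for one `docker inspect` entry."""
    host = doc.get("HostConfig") or {}
    findings = []
    if not image_is_pinned((doc.get("Config") or {}).get("Image", "")):
        findings.append("image not pinned to a version tag or digest")
    if "ALL" not in [c.upper() for c in host.get("CapDrop") or []]:
        findings.append("capabilities not dropped (--cap-drop ALL)")
    secopts = [o.replace("=", ":") for o in host.get("SecurityOpt") or []]
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in secopts):
        findings.append("no-new-privileges not set")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (--read-only)")
    if "/tmp" not in (host.get("Tmpfs") or {}):
        findings.append("no tmpfs mounted at /tmp")
    if any(b.split(":")[0].endswith("docker.sock") for b in host.get("Binds") or []):
        findings.append("Docker socket bind-mounted directly")
    return findings

def audit_all(docs: list[dict]) -> dict[str, list[str]]:
    """Map container name to its list of findings (empty list means compliant)."""
    return {d["Name"].lstrip("/"): audit_container(d) for d in docs}
```

To audit a live container, pass the parsed output of `docker inspect <container>` to `audit_all` in place of the constructed sample.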
Docker Compose
Binary (No Docker)
Download the binary for your platform:
```bash
# Start agent
./shielda-agent serve \
  --token <your-agent-token> \
  --api-url https://app.shielda.io
```
CLI Commands
| Command | Purpose |
|---|---|
| serve | Start the agent (heartbeat loop + scan execution) |
| scan | Run a one-shot scan and exit |
| init | Initialize configuration |
| status | Show agent status and connectivity |
| --version | Print agent version |
---
Kubernetes Deployment (Helm)
Quick Start
Deployment Modes
Deployment (default) — Single replica
DaemonSet — One agent per node
Cloud-Specific Kubernetes Configuration
AWS EKS with IRSA (IAM Roles for Service Accounts)
GKE with Workload Identity
AKS with Pod Identity
Using an Existing Secret
Instead of passing the token in Helm values:
```bash
helm install shielda ./shielda-agent \
  --set agent.existingSecret=shielda-agent-token \
  --set agent.existingSecretKey=token
```
Helm Values Reference
| Value | Default | Description |
|---|---|---|
| agent.token | "" | Agent authentication token |
| agent.apiUrl | https://app.shielda.io | Control Plane URL |
| agent.anthropicKey | "" | Anthropic API key for AI features |
| mode | deployment | deployment or daemonset |
| replicaCount | 1 | Replicas (deployment mode only) |
| resources.requests.cpu | 100m | CPU request |
| resources.requests.memory | 256Mi | Memory request |
| resources.limits.cpu | 1000m | CPU limit |
| resources.limits.memory | 1Gi | Memory limit |
| dockerSocket.enabled | true | Mount Docker socket |
| serviceAccount.create | true | Create service account |
---