Threat Bus ships as a pre-built Docker image, so it can be used without any modifications to the host system. The Threat Bus executable is the entry point of the container, which means you can pass all Threat Bus command-line options directly to the container.

docker pull tenzir/threatbus:latest
docker run tenzir/threatbus:latest --help

The pre-built image comes with all required dependencies and all existing plugins pre-installed.

Configuration Inside the Container

Threat Bus requires a config file to operate. That file has to be made available inside the container, for example by mounting it.

The working directory inside the container is /opt/tenzir/threatbus. To mount a local file named my-custom-config.yaml from the current directory into the container, use the --volume (-v) flag.

docker run -v "$PWD/my-custom-config.yaml:/opt/tenzir/threatbus/my-custom-config.yaml" tenzir/threatbus:latest -c my-custom-config.yaml

See the configuration section to get started with a custom config file, or refer to the detailed plugin documentation for fine-tuning.

Port Bindings

Depending on the installed plugins, Threat Bus binds ports to the host system. The ports used are defined in your configuration file. When running Threat Bus inside a container, the container needs to bind those ports to the host system. Use the --publish (-p) flag repeatedly for all ports you need to bind.

docker run -p 47661:47661 -p 12345:12345 -v "$PWD/config.yaml:/opt/tenzir/threatbus/config.yaml" tenzir/threatbus:latest -c config.yaml
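
The config mount and port bindings above, combined into one wrapper as an added example (not part of the Threat Bus project or its documentation): it validates each port, publishes it on 127.0.0.1 unless another address is given, and mounts the config file read-only. The names `threatbus_run`, `THREATBUS_BIND` and `THREATBUS_DRY_RUN` are hypothetical, and the read-only mount assumes Threat Bus only reads its config file.

```shell
#!/bin/sh
# Added example, not project code. THREATBUS_BIND and THREATBUS_DRY_RUN are
# hypothetical variable names invented for this sketch.
WORKDIR=/opt/tenzir/threatbus      # container working directory (from this page)
IMAGE=tenzir/threatbus:latest

# threatbus_run CONFIG PORT...
threatbus_run() {
    [ "$#" -ge 2 ] || { echo "usage: threatbus_run CONFIG PORT..." >&2; return 1; }
    config=$1; shift
    bind=${THREATBUS_BIND:-127.0.0.1}         # publish on loopback by default
    case $config in /*) ;; *) config=./$config ;; esac
    [ -f "$config" ] || { echo "config not found: $config" >&2; return 1; }

    n=$#
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "not a port number: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "port out of range: $port" >&2; return 1; }
        set -- "$@" -p "$bind:$port:$port"    # ip:hostPort:containerPort
    done
    shift "$n"                                 # drop the raw port numbers

    name=$(basename "$config")
    dir=$(cd "$(dirname "$config")" && pwd) || return 1
    # :ro keeps the container from modifying the host's config file.
    set -- docker run --rm "$@" \
        -v "$dir/$name:$WORKDIR/$name:ro" "$IMAGE" -c "$name"

    if [ "${THREATBUS_DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$@"                     # one argument per line, for review
    else
        "$@"
    fi
}
```

By default the function only prints the resulting arguments; set `THREATBUS_DRY_RUN=0` to execute them, and set `THREATBUS_BIND` to a specific interface address when other hosts must reach the published ports.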