Installation
Deploy the CodeRaft Platform with a single command. The installer sets up Docker containers, databases, and the unified dashboard.
Prerequisites
- Docker 24+ and Docker Compose v2+ installed
- 4 GB RAM minimum (8 GB recommended for all 3 products)
- 10 GB disk for container images and data
- A CodeRaft licence key — free 14-day trial
Quick install
Run from your home directory (or any parent of where you want the platform installed) — the installer creates a ./coderaft/ sub-folder and deploys everything inside it.
curl -fsSL https://install.coderaft.io | bash
After installation, open http://localhost:3000 in your browser. The Setup Wizard will guide you through:
- License activation — enter your licence key to unlock products
- Product deployment — the dashboard deploys containers based on your licence
- Network configuration — choose localhost (dev) or domain with TLS (production)
- Product setup — configure each product (Azure credentials, scan targets, etc.)
What gets deployed
| Container | Purpose | Port |
|---|---|---|
| dashboard | Unified frontend (React SPA + nginx) | 3000 |
| dashboard-api | Orchestration API (licence, deploy, network) | 3001 |
| postgres | PostgreSQL 16 (shared database) | 5432 |
| redis | Redis 7 (cache, queues) | 6379 |
| entraguard-api | EntraGuard backend (FastAPI) | 8000 |
| entraguard-worker | Celery worker (background scans) | — |
| entraguard-beat | Celery beat (scheduled tasks) | — |
| neo4j | Neo4j 5 (attack graph database) | 7687 |
| ravenscan | Ravenscan backend (Go) | 8080 |
| redfox-api | RedFox Bastion API (Go) | 8082 |
Only containers for licensed products are deployed. Infrastructure containers (postgres, redis) are always deployed.
Updating
Run from inside the install directory (typically ~/coderaft/) — the script reads the local docker-compose.yml to know what to update.
cd ~/coderaft && curl -fsSL https://install.coderaft.io/update | bash Local script (equivalent — created at install time, self-updates from GitHub on each run):
Both flows capture a recovery snapshot before pulling new images, then re-create the containers. Your volumes (audit history, scan results, sessions, encrypted secrets vault) are preserved. Set ADMIN_TOKEN for the snapshot to be tied to your admin account; otherwise the deploy auto-snapshot still runs.
Rollback after a failed update
Every deployment automatically captures a recovery snapshot in /data/recovery/snapshots/ (the last 3 are kept). A snapshot records the image IDs of every running container, plus vault metadata and license summary — never any secret values.
If an update breaks something, sign in to the dashboard, copy your admin token from the coderaft_token cookie (browser dev tools), then run from inside the install directory:
cd ~/coderaft && ADMIN_TOKEN=<token> bash <(curl -fsSL https://install.coderaft.io/rollback) Local script (equivalent):
The script lists available snapshots, you pick one, and the dashboard-api re-deploys the previous image IDs. Volumes are untouched, so client data (audits, scans, sessions) is preserved across the rollback.
Encrypted secrets vault
Platform secrets (database passwords, OIDC client secrets, tenant encryption keys, JWT signing keys) are stored at rest in /data/vault.enc, encrypted with AES-256-GCM. The master key lives at /data/.vault-master.key with mode 0600.
- The vault is the source of truth; the host
.envis regenerated from it on each deploy - Missing secrets are auto-generated on first deploy and persist forever
- Operators can rotate any managed secret via
POST /api/dashboard/vault/rotate - The vault is never reachable from the client browser — only the internal dashboard-api can decrypt it
Uninstall
docker compose down -v This stops all containers and removes volumes. Your data will be lost. To keep data, omit -v.