Deploy a BYOC Agent

This guide walks you through deploying a Slim.io scanning agent inside your own cloud infrastructure.

Time required: 15–30 minutes

Prerequisites:

Enterprise tier Slim.io subscription with BYOC module enabled
Container runtime in your target environment (Docker, Kubernetes, or serverless)
An active connector configured in Slim.io
A Slim.io API key with scan permissions

Step 1: Generate an API Key

Navigate to Settings > API Keys in the Customer Dashboard.
Click Create Key.
Name: byoc-scanner-agent.
Role: Editor (required for reporting findings).
Copy the generated key (format: sk_live_...).

Step 2: Choose a Deployment Type

Option A: Docker Compose

Create a docker-compose.yml:


services:
  slim-scanner:
    image: slimio/scanner:1.0.0-full  # Use your profile: full, database, cloud-storage, saas
    env_file: .env
    volumes:
      - scanner-wal:/var/lib/slim-wal
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 2G
          cpus: '2'

Start the agent:


docker-compose up -d

Option B: Kubernetes (Helm)


helm repo add slim-io https://charts.slim.io
helm repo update
 
helm install slim-scanner slim-io/scanner-agent \
  --set apiKey="sk_live_your_key_here" \
  --set connectorId="conn-your-connector-id" \
  --set scanMode="continuous" \
  --set pollInterval=60 \
  --set replicas=3 \
  --set resources.limits.memory=4Gi \
  --set resources.limits.cpu=4

Option C: AWS Lambda

Download the SAM template from the Slim.io dashboard under Settings > BYOC.
Deploy using the AWS SAM CLI:


sam deploy \
  --template-file slim-scanner-lambda.yaml \
  --stack-name slim-io-scanner \
  --parameter-overrides \
    SlimApiKey=sk_live_your_key_here \
    ConnectorId=conn-your-connector-id \
  --capabilities CAPABILITY_IAM

Configure S3 event notifications to trigger the Lambda.

The Lambda deployment is best suited for event-driven scanning of individual files. For batch scanning of existing data, use Docker or Kubernetes deployments.

Step 3: Verify the Agent

After deployment, verify the agent is running:

Check Logs: View container or function logs for startup messages.


# Docker
docker-compose logs -f slim-scanner
 
# Kubernetes
kubectl logs -f deployment/slim-scanner

Look for: Agent registered with control plane. Heartbeat interval: 30s

Check Dashboard: Navigate to the connector in the Customer Dashboard.
- A Heartbeat indicator shows the agent’s last check-in time.
- The agent version is displayed next to the connector status.
Test Scan: Trigger a scan from the dashboard or wait for the next poll interval.
- Findings should appear in the Data Catalog within minutes.

Step 4: Configure Cloud Credentials

The BYOC agent needs read access to your cloud storage. Configure credentials based on your cloud provider:

AWS

Attach an IAM role to the container/function with s3:GetObject and s3:ListBucket permissions.
The agent uses the standard AWS SDK credential chain.

GCP

Attach a service account with storage.objectViewer role.
For GKE, use Workload Identity. For other environments, mount a service account key file.

Azure

Set environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
The agent uses the Azure SDK default credential chain.

Monitoring

The BYOC agent reports the following metrics to the Slim.io control plane:

Heartbeat — Agent is alive and connected
Scan Progress — Files processed, findings count, errors
Resource Usage — CPU and memory utilization
Version — Agent container image version

These metrics are visible in the Customer Dashboard under the connector’s detail page.

Updating the Agent

To update to a new version:


# Docker
docker-compose pull && docker-compose up -d
 
# Kubernetes
helm upgrade slim-scanner slim-io/scanner-agent --set image.tag=v2.5.0

Next Steps

BYOC architecture details
Manage scan quotas — Configure limits for the BYOC agent