Self-Hosting
Deploy the sus backend on your own infrastructure
Overview
Most users should use the hosted API at api.sus-pm.com. Self-hosting is for:
- Enterprise deployments with strict data residency requirements
- Air-gapped environments without external network access
- Custom integrations that need direct database access
Self-hosting requires managing PostgreSQL, Redis, and multiple services. Consider the hosted API first.
Architecture
The sus backend consists of 4 services:
| Service | Description |
|---|---|
| API Server | HTTP API for package lookups and scan requests |
| Worker | Processes scan jobs from the Redis queue |
| Watcher | Monitors npm registry for new packages and updates |
| CVE Enricher | Fetches CVE data from OSV, NVD, and GitHub Advisory |
Quick Start with Docker Compose
The fastest way to self-host is with Docker Compose:
```bash
git clone https://github.com/superagent-ai/sus
cd sus
cp .env.example .env
```

Edit .env with your API keys (at minimum, ANTHROPIC_API_KEY):

```bash
ANTHROPIC_API_KEY=sk-ant-xxxxx
```

Start all services:

```bash
docker-compose up -d
```

This starts PostgreSQL, Redis, and all 4 services. The API will be available at http://localhost:3000.
Environment Variables
| Variable | Required | Service | Description |
|---|---|---|---|
| DATABASE_URL | Yes | API, Worker, CVE | PostgreSQL connection string |
| REDIS_URL | Yes | API, Worker, Watcher | Redis connection string |
| PORT | No | API | Server port (default: 3000) |
| ANTHROPIC_API_KEY | Yes | Worker | For agentic threat detection |
| NVD_API_KEY | No | CVE | NVD API key (reduces rate limits) |
| GITHUB_TOKEN | No | CVE | GitHub token for Advisory API |
Optional Configuration
| Variable | Default | Description |
|---|---|---|
| RUST_LOG | info | Logging level (debug, info, warn, error) |
| POLL_INTERVAL_SECS | 60 | npm registry polling interval |
| CHANGES_LIMIT | 100 | Max changes per poll |
| CVE_POLL_INTERVAL_MINS | 15 | CVE enrichment cycle interval |
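The two tables above are the contract a .env file has to satisfy before `docker-compose up -d` will bring up a working stack. The following pre-flight script is an added example, not part of the sus project: it checks a .env file against those tables (required variables present, RUST_LOG one of the documented levels, PORT and the interval/limit tunables positive integers) and additionally refuses a file that is readable by other users, since .env holds the Anthropic key and database credentials. It reads the file with grep instead of sourcing it, so a malformed or tampered .env cannot execute anything. The variable names come from the tables; the file permission rule and the helper names are the example's own choices.

```shell
#!/bin/sh
# Added example (not the sus project's own tooling): validate a .env file
# against the self-hosting variable tables before starting the stack.

# Variables the table marks as required (read by API, Worker, Watcher, CVE).
REQUIRED_VARS="DATABASE_URL REDIS_URL ANTHROPIC_API_KEY"

# Print the value of KEY from a .env file without sourcing it.
# $1 = path to the .env file, $2 = variable name. Last definition wins;
# surrounding double quotes are stripped.
env_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 \
        | sed -e "s/^[[:space:]]*$2=//" -e 's/^"\(.*\)"$/\1/'
}

# Return 0 when every required variable has a non-empty value, 1 otherwise.
check_required() {
    file="$1"; missing=0
    for v in $REQUIRED_VARS; do
        val=$(env_value "$file" "$v")
        if [ -z "$val" ]; then
            echo "missing required variable: $v" >&2
            missing=1
        fi
    done
    return $missing
}

# Return 0 when the optional tunables (if present) have valid values:
# RUST_LOG is a documented level, numeric settings are positive integers.
check_optional() {
    file="$1"; bad=0
    lvl=$(env_value "$file" RUST_LOG)
    case "${lvl:-info}" in
        debug|info|warn|error) ;;
        *) echo "RUST_LOG must be debug, info, warn or error (got '$lvl')" >&2; bad=1 ;;
    esac
    for v in PORT POLL_INTERVAL_SECS CHANGES_LIMIT CVE_POLL_INTERVAL_MINS; do
        n=$(env_value "$file" "$v")
        if [ -n "$n" ] && ! echo "$n" | grep -Eq '^[1-9][0-9]*$'; then
            echo "$v must be a positive integer (got '$n')" >&2
            bad=1
        fi
    done
    return $bad
}

# Return 0 when group and others have no access bits (e.g. mode 600 or 400).
# The file carries API keys and database credentials, so nobody else on the
# host should be able to read it. GNU stat first, BSD/macOS stat as fallback.
check_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *) echo "$1 is accessible to other users (mode $mode); run: chmod 600 $1" >&2
           return 1 ;;
    esac
}

# Run all checks; return 0 only if every check passed.
preflight() {
    rc=0
    check_required "$1" || rc=1
    check_optional "$1" || rc=1
    check_perms "$1" || rc=1
    return $rc
}

# Typical use from the repository root:
#   preflight .env && docker-compose up -d
```

Run it as `preflight .env && docker-compose up -d` so the stack only starts when the configuration is complete and the secrets file is locked down.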
Configure CLI
Point the sus CLI to your self-hosted API:
```bash
export SUS_API_URL=https://your-api.example.com
```

Or per-command:

```bash
sus add express --api-url https://your-api.example.com
```

Add export SUS_API_URL=... to your shell profile for persistence.
Building from Source
Build individual Docker images:
```bash
docker build -f Dockerfile.api -t sus-api .
docker build -f Dockerfile.worker -t sus-worker .
docker build -f Dockerfile.watcher -t sus-watcher .
docker build -f Dockerfile.cve -t sus-cve .
```

Or run directly with Cargo:

```bash
# Start PostgreSQL and Redis first
docker-compose up -d db redis

# Run services
cargo run --package sus-api
cargo run --package sus-worker
cargo run --package sus-watcher
cargo run --package sus-cve
```

Scaling
The Docker Compose setup includes:
- 2 worker replicas by default (configurable)
- Single watcher (one instance monitors the registry)
- Single CVE enricher (one instance fetches CVE data)
- API server can be scaled behind a load balancer
For production, consider:
- Running PostgreSQL and Redis as managed services
- Using container orchestration (Kubernetes, ECS)
- Adding a reverse proxy with TLS termination
Next Steps
- Endpoints - Available API endpoints