This guide helps diagnose and resolve common issues with the CI/CD Security Platform.
- Quick Diagnostics
- Service Issues
- MCP Server Issues
- CI/CD Agent Issues
- Build Issues
- Network Issues
- Performance Issues
- Data Recovery
# Check container status
docker compose ps
# Expected output: all services should show "running" or "Up"
# View recent errors across all services
docker compose logs --tail=50 | Select-String -Pattern "error|ERROR|fatal|FATAL"
# Or use grep on Linux/macOS
docker compose logs --tail=50 2>&1 | grep -i "error\|fatal"
# Using CI/CD Agent
cicd-agent status
# Using curl
curl http://localhost:3000/api/healthz # Gitea
curl http://localhost:8085/healthz # Drone
curl http://localhost:9000/api/system/health # SonarQube
Symptoms: Container exits immediately or keeps restarting.
Check logs:
docker compose logs gitea
Common causes:
- Database connection failed
  Error: dial tcp postgres:5432: connection refused
  Solution: Ensure PostgreSQL is running first:
  docker compose up -d postgres
  sleep 10
  docker compose up -d gitea
- Permission issues on volumes
  Error: permission denied
  Solution:
  # Removing the volume deletes all Gitea data stored in it
  docker compose down
  docker volume rm ci-co_gitea-data
  docker compose up -d
- Port already in use
  Error: bind: address already in use
  Solution:
  # Find what's using port 3000
  netstat -ano | findstr :3000
  # Kill the process or change Gitea's port in docker-compose.yml
Symptoms: Login fails with correct credentials.
Solutions:
- Reset password via CLI:
  docker compose exec gitea gitea admin user change-password --username localadmin --password newpassword
- Check if user exists:
  docker compose exec gitea gitea admin user list
Symptoms: ssh: connect to host localhost port 2222: Connection refused
Check:
# Verify SSH port is exposed
docker compose ps gitea
# Should show 0.0.0.0:2222->22/tcp
Solution: Ensure SSH is enabled in Gitea config:
docker compose exec gitea cat /data/gitea/conf/app.ini | Select-String SSH
Symptoms: "Failed to authenticate" when clicking Continue.
Check OAuth settings:
- Go to Gitea → Settings → Applications
- Verify OAuth2 application exists for Drone
- Check redirect URL matches http://localhost:8085/login
Solution: Recreate OAuth app:
# Remove and recreate Drone
docker compose down drone-server drone-runner
docker volume rm ci-co_drone-data
docker compose up -d drone-server drone-runner
Symptoms: Pushed to Gitea but no build triggered.
Checklist:
- Repository activated in Drone?
  - Go to http://localhost:8085
  - Find repository and check if "Active"
- Webhook configured?
  - In Gitea repo → Settings → Webhooks
  - Should show http://drone-server:8080/hook
- .drone.yml exists?
  # Check if file exists in repo
  git ls-files | Select-String drone
- Check Drone logs:
  docker compose logs drone-server | Select-String -Pattern "hook|webhook"
Symptoms: Build shows "failure" within seconds.
Check runner logs:
docker compose logs drone-runner
Common causes:
- Docker socket not accessible
  Error: Cannot connect to the Docker daemon
  Solution: Verify Docker socket mount:
  docker compose exec drone-runner ls -la /var/run/docker.sock
- Image pull failed
  Error: pull access denied
  Solution: Check image name in .drone.yml or log in to the registry.
Symptoms: Container keeps restarting.
Most common cause: Insufficient vm.max_map_count
Solution (Windows with WSL2):
wsl -d docker-desktop
sysctl -w vm.max_map_count=262144
exit
docker compose restart sonarqube
Make permanent:
wsl -d docker-desktop
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
exit
Symptoms:
java.lang.OutOfMemoryError: Java heap space
Solution: Increase memory in docker-compose.yml:
sonarqube:
  environment:
    - SONAR_WEB_JAVAOPTS=-Xmx2g -Xms1g
    - SONAR_CE_JAVAOPTS=-Xmx2g -Xms1g
Symptoms:
Unable to connect to database
Solution:
# Check if SonarQube database is running
docker compose logs sonarqube-db
# Restart database
docker compose restart sonarqube-db
sleep 30
docker compose restart sonarqube
Symptoms: 502 Bad Gateway or connection refused.
Check:
docker compose logs dependency-track-api
Common cause: Not enough memory (needs 4GB+ for API server).
Solution:
dependency-track-api:
  environment:
    - JAVA_OPTIONS=-Xmx4g -Xms2g
Symptoms: Can access API but UI shows 404.
Check:
docker compose logs dependency-track-frontend
Solution: Ensure frontend is connected to API:
dependency-track-frontend:
  environment:
    - API_BASE_URL=http://dependency-track-api:8080
Symptoms: Scan hangs or times out.
Common cause: First scan downloads vulnerability database.
Solution: Pre-download database:
docker compose exec trivy trivy image --download-db-only
Check:
curl http://localhost:4954/healthz
docker compose logs trivy
Solution:
docker compose restart trivy
Symptoms:
Error: server gave HTTP response to HTTPS client
Solution: Add insecure registry to Docker Desktop:
- Docker Desktop → Settings → Docker Engine
- Add:
  { "insecure-registries": ["localhost:5000"] }
- Apply & Restart
Symptoms: Push fails with "no space left on device"
Solution: Clean up old images:
# List images
curl http://localhost:5000/v2/_catalog
# Delete old tags (requires registry garbage collection)
docker compose exec registry bin/registry garbage-collect /etc/docker/registry/config.yml
Symptoms: Tools not available in Claude Code.
Checklist:
- Check configuration file:
  # Windows
  cat $env:APPDATA\Claude\claude_desktop_config.json
  # Or
  cat "$env:USERPROFILE\.claude\settings.json"
- Verify path is correct:
  - Path should point to mcp-server/dist/index.js
  - Ensure forward slashes or escaped backslashes
- Check if built:
  ls mcp-server/dist/index.js
  # If not found:
  cd mcp-server && npm run build
- Restart Claude Code after configuration changes.
Symptoms: Tool calls fail with errors.
Check environment variables:
# Ensure these are set in Claude config
$env:GITEA_URL
$env:DRONE_TOKEN
$env:DTRACK_API_KEY
Test manually:
cd mcp-server
node dist/index.js
# Should output: CI/CD Security MCP Server running on stdio
Symptoms:
Error: Invalid API key
Solution:
# Set API key
$env:ANTHROPIC_API_KEY = "sk-ant-api03-..."
# Verify
echo $env:ANTHROPIC_API_KEY
Symptoms: All services show "unreachable"
Check:
- Are Docker containers running?
  docker compose ps
- Can you reach services directly?
  curl http://localhost:3000/api/healthz
- Check .env file has correct URLs.
Symptoms in Drone:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock
Solution: Ensure Docker socket is mounted in runner:
drone-runner:
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
Symptoms:
Error: pull access denied for private-image
Solutions:
- For private registries:
  steps:
    - name: build
      image: plugins/docker
      settings:
        registry: localhost:5000
        insecure: true # For local registry
- For Docker Hub rate limits: Create Docker Hub credentials in Drone secrets.
Check:
curl http://localhost:5000/v2/_catalog
Common causes:
- Wrong registry URL in .drone.yml
- Missing insecure: true for local registry
- Build step didn't push
Symptoms: "Connection refused" between services.
Check network:
docker network inspect ci-co_ci-cd-network
Verify containers are on same network:
docker compose exec gitea ping drone-server
Solution: Ensure all services use the same network:
services:
  myservice:
    networks:
      - ci-cd-network
Symptoms: "Connection refused" from host machine.
Check port bindings:
docker compose ps
# Verify ports show as "0.0.0.0:3000->3000/tcp"
Common cause: Port bound to wrong interface.
Solution: Use 0.0.0.0 in port mapping:
ports:
  - "0.0.0.0:3000:3000"
Diagnose:
docker stats
Solutions:
- Increase Docker resources:
  - Docker Desktop → Settings → Resources
  - Allocate more CPU/Memory
- Disable unused services:
  docker compose stop sonarqube dependency-track-api
- Use minimal profile:
  docker compose -f docker-compose.yml -f docker-compose.minimal.yml up -d
Trivy:
- Pre-download database: trivy image --download-db-only
- Use server mode: Already configured in compose
SonarQube:
- Increase compute engine memory
- Reduce analysis scope in sonar-project.properties
Symptoms: Service won't start, data errors.
Recovery steps:
- Stop services:
  docker compose down
- Identify corrupted volume:
  docker volume ls
- Restore from backup:
  .\scripts\restore.ps1 -BackupPath "C:\Backups\cicd-latest"
- If no backup, recreate volume:
  docker volume rm ci-co_gitea-data
  docker compose up -d
Gitea:
docker compose exec gitea gitea admin user change-password --username localadmin --password newpassword123
SonarQube:
# The $ characters in the bcrypt hash are escaped with backticks so PowerShell does not expand them as variables (in bash, use \$ instead)
docker compose exec sonarqube-db psql -U sonar -c "UPDATE users SET crypted_password='`$2a`$12`$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi', salt=null WHERE login='admin';"
# Sets password to "admin"; change it after logging in
docker compose restart sonarqube
Dependency-Track:
# Reset via API or recreate volume
docker volume rm ci-co_dtrack-data
docker compose up -d dependency-track-api
# Create diagnostic bundle
$DiagDir = "cicd-diag-$(Get-Date -Format 'yyyyMMddHHmmss')"
New-Item -ItemType Directory -Path $DiagDir
# Collect info
docker compose ps > "$DiagDir\containers.txt"
docker compose logs > "$DiagDir\logs.txt" 2>&1
docker stats --no-stream > "$DiagDir\stats.txt"
docker version > "$DiagDir\docker-version.txt"
- GitHub Issues: https://github.com/KennethEhmsen/ci-co/issues
- Check existing issues for similar problems
- Include diagnostic bundle when reporting issues
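The diagnostic bundle captures full `docker compose logs` output, which can contain tokens and API keys such as the `DRONE_TOKEN`, `DTRACK_API_KEY` and `ANTHROPIC_API_KEY` values used in this guide. The PowerShell below is an added example, not part of the project's scripts: it redacts credential-looking values in the bundle's `.txt` files before they are attached to an issue. The function names and regex patterns are assumptions for illustration; extend them for your environment.

```powershell
# Added example: redact credential-looking values from a diagnostic bundle.
# Function names and patterns are assumptions, not part of the project.
function Protect-DiagText {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        $rules = @(
            # NAME=value or NAME: value where NAME looks like a credential
            @{ Find = '\b(\w*(?:TOKEN|SECRET|PASSWORD|API_?KEY)\w*)(["\x27]?\s*[=:]\s*["\x27]?)[^\s"\x27,;]+'
               With = '$1$2[REDACTED]' }
            # Keys with the sk-ant- prefix shown on this page
            @{ Find = 'sk-ant-[\w\-]+'; With = '[REDACTED]' }
            # HTTP Authorization header values
            @{ Find = '(Authorization:\s*(?:Bearer|Basic|token)\s+)\S+'; With = '$1[REDACTED]' }
            # Passwords embedded in URLs: scheme://user:password@host
            @{ Find = '(\b[a-z][a-z0-9+.\-]*://[^/\s:@]+:)[^@\s/]+@'; With = '$1[REDACTED]@' }
        )
    }
    process {
        # -replace is case-insensitive, so token= and TOKEN= are both covered
        foreach ($r in $rules) { $Line = $Line -replace $r.Find, $r.With }
        $Line
    }
}

function Protect-DiagBundle {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.txt -File | ForEach-Object {
        # Read the whole file first, then overwrite it with the redacted lines
        $clean = Get-Content -LiteralPath $_.FullName | Protect-DiagText
        Set-Content -LiteralPath $_.FullName -Value $clean
    }
}

# Constructed sample lines (not real log output or real credentials)
$sample = @(
    'drone-server  | level=debug DRONE_TOKEN=abc123def456'
    'mcp-server    | env ANTHROPIC_API_KEY: sk-ant-api03-EXAMPLEONLY'
    'gitea         | GET /api/v1/user Authorization: token 0123456789abcdef'
    'sonarqube     | jdbc url postgresql://sonar:examplepw@sonarqube-db:5432/sonar'
    'trivy         | server listening on 0.0.0.0:4954'
)
$sample | Protect-DiagText

# Then, on a real bundle: Protect-DiagBundle -Path $DiagDir
```

Pattern-based redaction only catches what the rules describe, so skim `logs.txt` once more before uploading it.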
| Issue | Command |
|---|---|
| View all logs | docker compose logs |
| Restart everything | docker compose restart |
| Fresh start (keeps data) | docker compose down && docker compose up -d |
| Nuclear option | docker compose down -v && docker compose up -d |
| Check resources | docker stats |
| Network issues | docker network inspect ci-co_ci-cd-network |