{"id":34601484,"url":"https://github.com/fortify/fcli-docker","last_synced_at":"2026-03-14T02:39:14.541Z","repository":{"id":329149236,"uuid":"1118340707","full_name":"fortify/fcli-docker","owner":"fortify","description":"Generate fcli Docker images","archived":false,"fork":false,"pushed_at":"2025-12-18T14:39:20.000Z","size":44,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-21T04:36:20.736Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fortify.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-17T15:57:24.000Z","updated_at":"2025-12-18T14:39:25.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fortify/fcli-docker","commit_stats":null,"previous_names":["fortify/fcli-docker"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/fortify/fcli-docker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Ffcli-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Ffcli-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Ffcli-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Ffcli-docker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fortify","download_url":"https://codeload.github.com/fortify/fcli-docker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Ffcli-docker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30486273,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-14T01:54:10.014Z","status":"online","status_checked_at":"2026-03-14T02:00:06.612Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-24T12:50:04.123Z","updated_at":"2026-03-14T02:39:14.535Z","avatar_url":"https://github.com/fortify.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# fcli Docker Images\n\nThis directory contains Dockerfiles and build configurations for creating fcli Docker images.\n\n## Available Images\n\n### Published Images (Docker Hub: `fortifydocker/fcli`)\n\n#### 1. **fcli-scratch** (Primary/Recommended)\n- **Base:** `scratch` (minimal, no OS layer)\n- **Size:** ~15-20 MB\n- **Use case:** Single command execution, CI/CD pipelines\n- **Security:** Minimal attack surface, no CVEs from base OS\n- **Shell:** None (direct fcli entrypoint)\n\n```bash\n# Run single command\ndocker run --rm fortifydocker/fcli:latest --version\n\n# With volume mount for data persistence\ndocker run --rm -v $(pwd)/data:/data fortifydocker/fcli:latest tool sc-client install\n```\n\n#### 2. **fcli-ubi9** (Shell-based)\n- **Base:** Red Hat Universal Base Image 9 (standard, not minimal)\n- **Size:** ~200-250 MB\n- **Use case:** Interactive usage, shell scripts, base for custom images requiring additional packages\n- **Security:** Red Hat maintained base, regular security updates\n- **Package Manager:** yum/dnf available for installing additional tools\n- **Shell:** `/bin/bash`\n\n```bash\n# Interactive shell\ndocker run -it --rm fortifydocker/fcli:latest-ubi9 /bin/bash\n\n# Run multiple commands\ndocker run --rm fortifydocker/fcli:latest-ubi9 bash -c \"fcli --version \u0026\u0026 fcli tool list\"\n```\n\n### Test-Only Images (Not Published)\n\n#### 3. **fcli-alpine**\n- Built and tested in CI/CD but not published\n- **Base:** Alpine Linux\n- **Shell:** `/bin/sh`\n- Can be built locally if needed\n\n#### 4. **fcli-windows**\n- Built and tested on Windows runners\n- **Base:** Windows Server Core ltsc2022\n- **Shell:** PowerShell\n- Not published; prototype only\n- Provides full PowerShell and package management capability\n\n## Image Tags\n\n| Tag Pattern | Description | Example |\n|-------------|-------------|---------|\n| `latest` | Latest stable release (scratch) | `fortifydocker/fcli:latest` |\n| `{version}` | Specific version (scratch) | `fortifydocker/fcli:3.14.0` |\n| `{version}-ubi9` | Specific version (UBI9) | `fortifydocker/fcli:3.14.0-ubi9` |\n| `{version}-{date}` | Republished with updated base images | `fortifydocker/fcli:3.14.0-20251216` |\n| `{version}-ubi9-{date}` | UBI9 with updated base images | `fortifydocker/fcli:3.14.0-ubi9-20251216` |\n\n## Building Locally\n\n### Prerequisites\n- Docker 20.10+ or Docker Desktop\n- Docker Buildx (for multi-platform builds)\n\n### Linux Images\n\n```bash\ncd linux\n\n# Build scratch image (default)\ndocker build . \\\n  --build-arg FCLI_VERSION=v3.14.0 \\\n  --target fcli-scratch \\\n  -t fcli:scratch\n\n# Build UBI9 image\ndocker build . \\\n  --build-arg FCLI_VERSION=v3.14.0 \\\n  --target fcli-ubi9 \\\n  -t fcli:ubi9\n\n# Build Alpine image\ndocker build . \\\n  --build-arg FCLI_VERSION=v3.14.0 \\\n  --target fcli-alpine \\\n  -t fcli:alpine\n\n# Build with custom base images\ndocker build . \\\n  --build-arg FCLI_VERSION=v3.14.0 \\\n  --build-arg ALPINE_BASE=alpine:3.23.0 \\\n  --build-arg UBI_BASE=redhat/ubi9:9.7 \\\n  --target fcli-scratch \\\n  -t fcli:scratch\n```\n\n### Windows Images\n\n```powershell\ncd windows\n\ndocker build . `\n  --build-arg FCLI_VERSION=v3.14.0 `\n  --target fcli-ltsc2022 `\n  -t fcli:windows\n```\n\n## Usage Examples\n\n### Basic Command Execution\n\n```bash\n# Check version\ndocker run --rm fortifydocker/fcli:latest --version\n\n# List available tools\ndocker run --rm fortifydocker/fcli:latest tool list\n\n# Get help\ndocker run --rm fortifydocker/fcli:latest --help\n```\n\n### Data Persistence\n\n```bash\n# Create data directory\nmkdir -p ./fcli-data\n\n# Install tools with persistent storage\ndocker run --rm \\\n  -v $(pwd)/fcli-data:/data \\\n  fortifydocker/fcli:latest \\\n  tool sc-client install\n\n# Tools are now available in ./fcli-data/fortify/tools/\nls -la ./fcli-data/fortify/tools/\n```\n\n### CI/CD Integration\n\n#### GitHub Actions\n\n```yaml\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    container:\n      image: fortifydocker/fcli:latest\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n      \n      - name: Run fcli commands\n        run: |\n          fcli --version\n          fcli tool sc-client install\n```\n\n#### GitLab CI\n\n```yaml\nscan:\n  image: fortifydocker/fcli:latest-ubi9\n  script:\n    - fcli --version\n    - fcli tool sc-client install\n```\n\n#### Jenkins Pipeline\n\n```groovy\npipeline {\n    agent {\n        docker {\n            image 'fortifydocker/fcli:latest'\n            args '-v $HOME/.fortify:/data'\n        }\n    }\n    stages {\n        stage('Setup') {\n            steps {\n                sh 'fcli --version'\n                sh 'fcli tool sc-client install'\n            }\n        }\n    }\n}\n```\n\n### Running as Different User\n\n```bash\n# Run as specific UID/GID\ndocker run --rm \\\n  -u $(id -u):$(id -g) \\\n  -v $(pwd)/data:/data \\\n  fortifydocker/fcli:latest \\\n  tool list\n\n# The FCLI_USER_HOME environment variable handles user home directory resolution\n```\n\n### Interactive Shell (UBI9 only)\n\n```bash\n# Start interactive bash session\ndocker run -it --rm \\\n  -v $(pwd)/data:/data \\\n  fortifydocker/fcli:latest-ubi9 \\\n  /bin/bash\n\n# Inside container:\nfcli --version\nfcli tool sc-client install\nfcli tool list\n\n# UBI9 has package manager - install additional tools if needed\nyum install -y jq\nexit\n```\n\n## Architecture \u0026 Security\n\n### Signature Verification\n\nAll Docker builds (Linux and Windows):\n1. Download fcli binary from GitHub releases\n2. Download corresponding `.rsa_sha256` signature file\n3. Verify signature using Fortify's public RSA key\n4. Build fails if signature verification fails\n\n**Implementation details:**\n- **Linux**: Uses OpenSSL in Alpine-based downloader stage\n- **Windows**: Uses .NET 8 SDK image for downloader stage (has modern crypto APIs), then copies verified fcli to Server Core final image\n\nPublic key is embedded in Dockerfiles and matches the key used by `fortify-setup-js`.\n\n### Multi-Stage Build Process\n\n```\n┌─────────────────────────┐\n│  fcli-downloader        │  Alpine-based stage\n│  - Downloads fcli       │  - Installs curl, openssl\n│  - Verifies signature   │  - Validates signature\n│  - Extracts binary      │  - Outputs /tmp/fcli-bin/fcli\n└─────────┬───────────────┘\n          │\n          ├────────────────────────────────┐\n          │                                │\n┌─────────▼─────────┐   ┌────────────▼────────────┐\n│  fcli-scratch     │   │  fcli-ubi9              │\n│  Copies from      │   │  Standard UBI9 (not     │\n│  downloader       │   │  minimal) for package   │\n└───────────────────┘   │  installation support   │\n                        └─────────────────────────┘\n```\n\n### Security Features\n\n- ✅ **Non-root user:** All images run as UID 10001 (user `fcli`)\n- ✅ **Signature verification:** RSA SHA256 verification before build\n- ✅ **Minimal attack surface:** Scratch image has no OS layer\n- ✅ **Pinned base images:** Default base images are pinned to specific versions\n- ✅ **SBOM \u0026 Provenance:** GitHub Actions build includes SBOM and attestation\n- ✅ **No secrets:** No credentials or tokens embedded in images\n\n### OCI Labels\n\nAll images include standard OCI labels:\n- `org.opencontainers.image.source`\n- `org.opencontainers.image.version`\n- `org.opencontainers.image.vendor`\n- `org.opencontainers.image.licenses`\n- `org.opencontainers.image.documentation`\n- `com.fortify.fcli.version` - fcli version included\n- `com.fortify.base.image` - Base image used for build\n\n```bash\n# Inspect labels\ndocker inspect fortifydocker/fcli:latest | jq '.[0].Config.Labels'\n```\n\n## Build Arguments\n\n### Linux Dockerfile\n\n| Argument | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `FCLI_VERSION` | Yes | - | fcli release tag (e.g., `v3.14.0`) |\n| `ALPINE_BASE` | No | `alpine:3.23.0` | Alpine base image for downloader and alpine target |\n| `UBI_BASE` | No | `redhat/ubi9:9.7` | Red Hat UBI9 standard base image (not minimal) |\n\n### Windows Dockerfile\n\n| Argument | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `FCLI_VERSION` | Yes | - | fcli release tag (e.g., `v3.14.0`) |\n| `SERVERCORE_BASE` | No | `mcr.microsoft.com/windows/servercore:ltsc2022` | Windows Server Core for VC++ install |\n| `NANOSERVER_BASE` | No | `mcr.microsoft.com/windows/nanoserver:ltsc2022` | Windows Nano Server for final image |\n\n## CI/CD Workflow\n\nThe `.github/workflows/docker.yml` workflow provides:\n\n- **Automated builds:** Triggered via workflow_dispatch\n- **Multi-image support:** Builds scratch, UBI9, Alpine (test), and Windows (test)\n- **Signature verification:** Built into Dockerfile\n- **Automated testing:** Tests tool installation in each image\n- **SBOM generation:** Provenance and SBOM attestation\n- **Base image updates:** Support for republishing with updated base images\n- **Selective publishing:** Publishes only scratch and UBI9 to Docker Hub\n\n### Triggering Builds\n\n```bash\n# Via GitHub CLI\ngh workflow run docker.yml \\\n  -f releaseTag=v3.14.0 \\\n  -f doPublish=true \\\n  -f alpineBase=alpine:3.23.0 \\\n  -f ubiBase=redhat/ubi9:9.7\n\n# Update base images for existing release\ngh workflow run docker.yml \\\n  -f releaseTag=v3.14.0 \\\n  -f doPublish=true \\\n  -f updateBaseImages=true \\\n  -f ubiBase=redhat/ubi9:9.7\n```\n\n## Maintenance\n\n### Updating Base Images\n\nBase images should be updated periodically for security patches:\n\n1. **Check for updates:**\n   - Alpine: https://hub.docker.com/_/alpine\n   - Red Hat UBI9: https://catalog.redhat.com/software/containers/ubi9/ubi/615bcf606feffc5384e8452e\n\n2. **Test locally:**\n   ```bash\n   docker build . \\\n     --build-arg FCLI_VERSION=v3.14.0 \\\n     --build-arg ALPINE_BASE=alpine:3.23.0 \\\n     --build-arg UBI_BASE=redhat/ubi9:9.7 \\\n     --target fcli-scratch\n   ```\n\n3. **Update defaults in Dockerfile** or **trigger workflow with custom bases**\n\n4. **Republish existing fcli version** if needed:\n   ```bash\n   gh workflow run docker.yml \\\n     -f releaseTag=v3.14.0 \\\n     -f doPublish=true \\\n     -f updateBaseImages=true \\\n     -f ubiBase=redhat/ubi9:9.7\n   ```\n   This creates tags like `3.14.0-20251216` and `3.14.0-ubi9-20251216`\n\n### Testing Checklist\n\nBefore publishing:\n- [ ] Build completes successfully\n- [ ] Signature verification passes\n- [ ] `fcli --version` works in container\n- [ ] `fcli tool sc-client install` succeeds with volume mount\n- [ ] Installed tools are accessible in mounted volume\n- [ ] Container runs as non-root user\n- [ ] Image size is reasonable\n\n## Troubleshooting\n\n### Signature Verification Fails\n\n```\nERROR: Signature verification failed\n```\n\n**Cause:** Downloaded fcli binary doesn't match signature.\n\n**Solution:**\n- Verify `FCLI_VERSION` matches an existing GitHub release\n- Check network connectivity\n- Verify Fortify public key in Dockerfile is up-to-date\n\n### Permission Denied on Volume Mount\n\n```\nERROR: Permission denied writing to /data\n```\n\n**Cause:** Host directory permissions don't allow container user (UID 10001).\n\n**Solution:**\n```bash\n# Run as your user\ndocker run --rm -u $(id -u):$(id -g) -v $(pwd)/data:/data fortifydocker/fcli:latest tool list\n\n# Or fix host directory permissions\nchmod 777 data\n```\n\n### Windows Image: Missing DLLs\n\n```\nERROR: vcruntime140.dll not found\n```\n\n**Cause:** Required VC++ runtime DLLs not copied correctly.\n\n**Solution:**\n- Rebuild image (DLLs are copied from vcredist-installer stage)\n- Add missing DLLs to COPY list in Dockerfile if fcli requires additional ones\n- Check that VC++ redistributable installed successfully\n\n### fcli Tool Installation Fails\n\n```\nERROR: Cannot write to /data/fortify/tools\n```\n\n**Cause:** Volume mount permissions or path issues.\n\n**Solution:**\n```bash\n# Ensure volume mount is correct\ndocker run --rm -v $(pwd)/data:/data fortifydocker/fcli:latest tool sc-client install\n\n# Check that /data exists and is writable\ndocker run --rm -v $(pwd)/data:/data fortifydocker/fcli:latest-ubi9 ls -la /data\n```\n\n## Contributing\n\nWhen modifying Dockerfiles:\n1. Maintain security best practices (non-root user, signature verification)\n2. Keep images minimal\n3. Test all targets before committing\n4. Update this README with any new features or changes\n5. Pin base images to specific versions\n6. Add appropriate OCI labels\n\n## Resources\n\n- [fcli Documentation](https://github.com/fortify/fcli#readme)\n- [Docker Hub: fortifydocker/fcli](https://hub.docker.com/r/fortifydocker/fcli)\n- [Alpine Docker Images](https://hub.docker.com/_/alpine)\n- [Red Hat UBI Images](https://catalog.redhat.com/software/containers/search?q=ubi9)\n- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)\n- [OCI Image Spec](https://github.com/opencontainers/image-spec/blob/main/annotations.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffortify%2Ffcli-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffortify%2Ffcli-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffortify%2Ffcli-docker/lists"}