https://github.com/tooark/base-images
Imagens base de ferramentas para Deploy com aws-cli, gcloud, terraform e trivy
https://github.com/tooark/base-images
aws-cli deploy devops devsecops docker gcloud hadolint sonarqube terraform tooark trivy
Last synced: 9 days ago
JSON representation
Imagens base de ferramentas para Deploy com aws-cli, gcloud, terraform e trivy
- Host: GitHub
- URL: https://github.com/tooark/base-images
- Owner: Tooark
- License: mit
- Created: 2025-11-10T03:10:17.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2026-07-02T20:03:49.000Z (11 days ago)
- Last Synced: 2026-07-02T20:25:28.916Z (11 days ago)
- Topics: aws-cli, deploy, devops, devsecops, docker, gcloud, hadolint, sonarqube, terraform, tooark, trivy
- Language: Shell
- Homepage: https://tooark.com/
- Size: 321 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: security-scanner/.dockerignore
Awesome Lists containing this project
README
# base-images
Repository of base images for CI/CD and infrastructure automation.
Each subproject has its own Dockerfile, versioning, and documentation.
🌍 **Languages:**  **English (this file)** · [ Português](https://github.com/Tooark/base-images/blob/main/README.pt-BR.md)
---
## Table of contents
- [Overview](#overview)
- [Image documentation](#image-documentation)
- [Ready-made examples](#ready-made-examples)
- [Repository structure](#repository-structure)
- [Versioning and automation](#versioning-and-automation)
- [Recommended workflow](#recommended-workflow)
- [License](#license)
---
## Overview
This repository centralizes Docker images used in pipelines and infrastructure automation.
Each image keeps:
- a Dockerfile with a reproducible build
- a VERSION file for release control
- a DESCRIPTION with a functional summary
- a README with the image contents, quick start, pipeline examples, and local build
All images share the same base (`debian:13-slim`), run as the non-root user (`app`), and use the same `docker-entrypoint.sh`, which adjusts the `docker.sock` GID and drops privileges via `gosu` at runtime.
---
## Image documentation
| Subproject | What it contains | Documentation |
| ---------------------- | --------------------------------------------------------------------------- | ---------------------------------------------------------------- |
| `aws-cli` | AWS CLI v2 + kubectl + Docker CLI + Buildx | [aws-cli/README.md](aws-cli/README.md) |
| `dockerx` | Docker CLI + Buildx plugin for multi-architecture builds | [dockerx/README.md](dockerx/README.md) |
| `gcloud-cli` | Google Cloud SDK (`gcloud`, `gsutil`, `bq`) + kubectl + Docker CLI + Buildx | [gcloud-cli/README.md](gcloud-cli/README.md) |
| `tofu` | OpenTofu CLI | [tofu/README.md](tofu/README.md) |
| `tofu-aws` | OpenTofu + AWS CLI v2 + kubectl | [tofu-aws/README.md](tofu-aws/README.md) |
| `tofu-gcloud` | OpenTofu + Google Cloud SDK + kubectl | [tofu-gcloud/README.md](tofu-gcloud/README.md) |
| `tofu-aws-gcloud` | OpenTofu + AWS CLI v2 + Google Cloud SDK + kubectl | [tofu-aws-gcloud/README.md](tofu-aws-gcloud/README.md) |
| `security-scanner` | Trivy + Hadolint + BetterLeaks + `ark-tools` wrapper for scans and reports | [security-scanner/README.md](security-scanner/README.md) |
| `sonar-scanner` | Sonar Scanner CLI for analysis in CI/CD pipelines | [sonar-scanner/README.md](sonar-scanner/README.md) |
| `terraform` | Terraform CLI (deprecated) | [terraform/README.md](terraform/README.md) |
| `terraform-aws` | Terraform + AWS CLI v2 + kubectl (deprecated) | [terraform-aws/README.md](terraform-aws/README.md) |
| `terraform-gcloud` | Terraform + Google Cloud SDK + kubectl (deprecated) | [terraform-gcloud/README.md](terraform-gcloud/README.md) |
| `terraform-aws-gcloud` | Terraform + AWS CLI v2 + Google Cloud SDK + kubectl (deprecated) | [terraform-aws-gcloud/README.md](terraform-aws-gcloud/README.md) |
| `trivy-hadolint` | Trivy + Hadolint + `ark-tools` wrapper for scans and reports | [trivy-hadolint/README.md](trivy-hadolint/README.md) |
---
## Ready-made examples
Use these files as a starting point for local validation and pipelines:
- Guide with local examples and usage instructions: [samples/README.md](samples/README.md)
- Build/publish pipeline for GitHub Actions: [samples/github-actions-images.yml](samples/github-actions-images.yml)
- Build/publish pipeline for GitLab CI: [samples/gitlab-ci-images.yml](samples/gitlab-ci-images.yml)
Dedicated examples for security-scanner:
- Full local run: [samples/security-scanner-local.sh](samples/security-scanner-local.sh)
- Full GitHub Actions pipeline: [samples/security-scanner-github-actions.yml](samples/security-scanner-github-actions.yml)
- Full GitLab CI pipeline: [samples/security-scanner-gitlab-ci.yml](samples/security-scanner-gitlab-ci.yml)
---
## Repository structure
- Each subproject folder contains:
- `Dockerfile`: image definition
- `VERSION`: subproject version
- `DESCRIPTION`: short image summary
- `README.md`: usage, variables, and examples
- `.trivyignore`: accepted CVE exceptions for the image security scan
---
## Versioning and automation
The [versions.env](versions.env) file centralizes the versions of all tools and images.
The `script/` folder contains the automation scripts:
| Script | Purpose |
| --------------------------------- | ----------------------------------------------------------- |
| `fetch-latest-stable-versions.py` | Fetches the latest stable versions of each tool |
| `update-versions.py` | Updates `versions.env` and manages the `.trivyignore` files |
### Automatic .trivyignore management
When the `update-versions.py` script detects a new tool version, it:
1. **Clears and reinitializes** the `.trivyignore` of **all images impacted** by the changed version.
2. **Does not rebuild or automatically inherit** exceptions across images.
3. Recreates the file with a standard header and an automatic review date, so the maintainer can manually add only the CVEs accepted for that version.
> Example: if `GCLOUD_VERSION` changes, the script clears and recreates the `.trivyignore` of `gcloud-cli/`, `tofu-gcloud/`, `terraform-gcloud/`, and `terraform-aws-gcloud/`. None of these files receive CVEs automatically.
---
## Recommended workflow
1. Choose the image from the catalog in [Image documentation](#image-documentation).
2. Follow the quick start and the variables in the chosen image's README.
3. Use the examples in [samples/README.md](samples/README.md) and the dedicated security-scanner files for initial integration.
4. For releases and version updates, use the scripts in the [script/](script/fetch-latest-stable-versions.py) folder.
---
## License
MIT - see the [LICENSE](LICENSE) file at the repository root.