IMAGE_NAME Distroless
Minimal, secure IMAGE_NAME container images based on Google's distroless base.
Features
- Minimal footprint: Small image size, reduced attack surface
- Multi-architecture: linux/amd64 and linux/arm64
- Distroless base: No shell, no package manager
- Security-first: Runs as non-root (UID 65532), binaries owned by root
- Multiple versions: VERSION_1 and VERSION_2
Quick Start
```bash
# Basic usage
docker run -d \
  -p 8080:8080 \
  git.breis.ch/images/IMAGE_NAME:VERSION_2

# With persistent data
docker run -d \
  -v appdata:/app/data \
  -p 8080:8080 \
  git.breis.ch/images/IMAGE_NAME:VERSION_2
```
Available Tags
| Tag | Version | Notes |
|---|---|---|
| VERSION_2, latest | VERSION_2.x | Latest stable |
| VERSION_1 | VERSION_1.x | Previous stable |
Environment Variables
| Variable | Default | Description |
|---|---|---|
| APP_CONFIG | - | Configuration file path |
| APP_LOG_LEVEL | info | Log level (debug, info, warn, error) |
Security
File Ownership
| Path | Owner | Permissions |
|---|---|---|
| /app/bin/* | root | Execute only |
| /app/lib/* | root | Read only |
| /app/data/* | 65532 (nonroot) | Read/Write |
The application process cannot modify its own binaries.
Runtime Hardening (Recommended)
For maximum security, run with these Docker flags:
```bash
docker run -d \
  --read-only \
  --tmpfs /tmp \
  --cap-drop=ALL \
  --security-opt=no-new-privileges:true \
  -v appdata:/app/data \
  -p 8080:8080 \
  git.breis.ch/images/IMAGE_NAME:VERSION_2
```
| Flag | Purpose |
|---|---|
| --read-only | Immutable root filesystem |
| --tmpfs /tmp | Writable temp directory |
| --cap-drop=ALL | Drop all Linux capabilities |
| --security-opt=no-new-privileges | Prevent privilege escalation |
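To confirm that a running container actually received the flags above, the following added example (not part of this project's code) audits `docker inspect` JSON against the table and the documented UID 65532. The sample JSON is constructed, and the script name `audit.py` is hypothetical.

```python
import json
import sys

# Constructed sample (not from a real host): trimmed `docker inspect` output
# for a container started without --tmpfs /tmp and --cap-drop=ALL.
SAMPLE_INSPECT = json.loads("""
[{"Name": "/app-weak",
  "Config": {"User": "65532"},
  "HostConfig": {"ReadonlyRootfs": true, "CapDrop": null, "Tmpfs": null,
                 "SecurityOpt": ["no-new-privileges:true"]}}]
""")


def _is_no_new_privs(opt):
    # Docker accepts "no-new-privileges", "...:true" and "...=true".
    key, _, val = opt.replace("=", ":", 1).partition(":")
    return key == "no-new-privileges" and val in ("", "true")


def audit_container(entry):
    """Return the README's hardening settings that this container lacks."""
    host = entry.get("HostConfig") or {}
    cfg = entry.get("Config") or {}
    missing = []
    if not host.get("ReadonlyRootfs"):
        missing.append("--read-only")
    if "/tmp" not in (host.get("Tmpfs") or {}):
        missing.append("--tmpfs /tmp")
    if "ALL" not in {c.upper() for c in (host.get("CapDrop") or [])}:
        missing.append("--cap-drop=ALL")
    if not any(_is_no_new_privs(o) for o in (host.get("SecurityOpt") or [])):
        missing.append("--security-opt=no-new-privileges")
    # An empty User means the process runs as root. "nonroot" is the
    # distroless account name for UID 65532; a ":group" suffix is ignored.
    user = (cfg.get("User") or "").split(":")[0]
    if user not in ("65532", "nonroot"):
        missing.append("user 65532 (nonroot)")
    return missing


if __name__ == "__main__":
    # Usage: docker inspect <container> | python3 audit.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    for entry in data:
        print(entry.get("Name"), audit_container(entry) or "OK")
```

An empty result means every setting from the table is in effect; any entry names the flag to add to the `docker run` command.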
For Kubernetes, use the equivalent securityContext:
```yaml
securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  runAsNonRoot: true
  runAsUser: 65532
```
Volumes
| Path | Description |
|---|---|
| /app/data | Data directory (mount for persistence) |
Ports
| Port | Description |
|---|---|
| 8080 | Application port |
Healthcheck
The image includes a built-in healthcheck:
```bash
docker inspect --format='{{.State.Health.Status}}' container_name
```
License
MIT License