Add minimal container image published to ghcr.io on release (#605)

Copilot · frjcomp · web-flow · commit 58d204e1a01e · 2026-04-30T12:19:18.000Z
* Add container image build workflow, Dockerfile, and documentation Agent-Logs-Url: https://github.com/CompassSecurity/pipeleek/sessions/de1b8658-5a1f-427f-9539-9616e902f77a Co-authored-by: frjcomp <107982661+frjcomp@users.noreply.github.com> * Address review comments: update docs wording and add Dependabot Docker support Agent-Logs-Url: https://github.com/CompassSecurity/pipeleek/sessions/23d24dcb-4fe1-4643-8908-40961478b1c2 Co-authored-by: frjcomp <107982661+frjcomp@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: frjcomp <107982661+frjcomp@users.noreply.github.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -28,3 +28,11 @@ updates:
       interval: "weekly"
     cooldown:
       default-days: 7
+
+  # Docker base image dependencies
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml
@@ -0,0 +1,64 @@
+name: container
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest
+
+      - name: Download release binaries
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ github.event.release.tag_name }}
+        run: |
+          VERSION_NO_V="${VERSION#v}"
+          gh release download "${VERSION}" \
+            --pattern "pipeleek_${VERSION_NO_V}_linux_amd64" \
+            --pattern "pipeleek_${VERSION_NO_V}_linux_arm64" \
+            --repo "${{ github.repository }}"
+          mv "pipeleek_${VERSION_NO_V}_linux_amd64" pipeleek_amd64
+          mv "pipeleek_${VERSION_NO_V}_linux_arm64" pipeleek_arm64
+          chmod +x pipeleek_amd64 pipeleek_arm64
+
+      - name: Build and push container image
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine:3.21
+
+RUN apk --no-cache add ca-certificates
+
+ARG TARGETARCH
+
+COPY pipeleek_${TARGETARCH} /usr/local/bin/pipeleek
+
+RUN chmod +x /usr/local/bin/pipeleek
+
+ENTRYPOINT ["/usr/local/bin/pipeleek"]
diff --git a/docs/introduction/getting_started.md b/docs/introduction/getting_started.md
@@ -115,6 +115,45 @@ go install github.com/CompassSecurity/pipeleek/cmd/pipeleek@latest
    .\pipeleek.exe --version
    ```
 
+### Docker
+
+Pipeleek is available as a minimal container image on the GitHub Container Registry.
+
+Pull the latest image:
+
+```bash
+docker pull ghcr.io/compasssecurity/pipeleek:latest
+```
+
+Run Pipeleek directly from the container:
+
+```bash
+docker run --rm ghcr.io/compasssecurity/pipeleek:latest --version
+```
+
+```bash
+docker run --rm ghcr.io/compasssecurity/pipeleek:latest gl scan --token glpat-[redacted] --gitlab https://gitlab.example.com
+```
+
+You can also pass credentials via environment variables:
+
+```bash
+docker run --rm \
+  -e PIPELEEK_TOKEN=glpat-[redacted] \
+  -e PIPELEEK_GITLAB=https://gitlab.example.com \
+  ghcr.io/compasssecurity/pipeleek:latest gl scan
+```
+
+To use a local configuration file inside the container, mount it as a volume:
+
+```bash
+docker run --rm \
+  -v /path/to/pipeleek.yaml:/root/pipeleek.yaml:ro \
+  ghcr.io/compasssecurity/pipeleek:latest gl scan
+```
+
+The image supports both `linux/amd64` and `linux/arm64` architectures. Versioned tags are available for pinning to a specific release (e.g., `ghcr.io/compasssecurity/pipeleek:1.0.0`).
+
 ### Platform-Specific Binaries
 
 Pipeleek also provides platform-specific binaries that include only the commands for a specific platform. These are smaller and can be downloaded manually at [Pipeleek GitHub Releases](https://github.com/CompassSecurity/pipeleek/releases):
