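# syntax=docker/dockerfile:1
# Scanning Engine - Background Scanner Worker
# This Dockerfile expects a PRE-BUILT binary from GoReleaser (no compilation)
# GoReleaser injects the platform-specific binary automatically
#
# Supply-chain notes:
# - Every component that previously floated (alpine:latest, installer scripts
#   fetched from `main`, govulncheck@latest, unpinned pip-audit) is now pinnable
#   through a build ARG, e.g. `--build-arg TRIVY_VERSION=vX.Y.Z` from
#   GoReleaser's build_flag_templates. An empty ARG keeps the previous
#   "newest available" behaviour, so existing builds are unaffected.
# - The `--platform=$TARGETPLATFORM` that used to be on FROM is the default
#   for the final stage and is omitted (hadolint DL3029).
ARG ALPINE_VERSION=3.20
# NOTE(review): for reproducible production builds pin the base by digest
# (alpine:${ALPINE_VERSION}@sha256:...), not just by tag.
FROM alpine:${ALPINE_VERSION}
ARG TARGETARCH

# Scanner versions. Empty means "latest" (the previous, unpinned behaviour);
# set them from CI to get reproducible, reviewable images.
ARG TRIVY_VERSION=""
ARG GRYPE_VERSION=""
ARG GOVULNCHECK_VERSION="latest"
ARG PIP_AUDIT_VERSION=""

# Make `curl ... | sh` fail the build when the download fails instead of
# silently running an empty script (hadolint DL4006).
SHELL ["/bin/sh", "-o", "pipefail", "-c"]

# Runtime dependencies for the scanner binary and the scanners it drives
# (including CGO/SQLite dependencies). git/npm/python3/go are presumably invoked
# by the scanner at runtime -- govulncheck in particular needs the Go toolchain
# to analyse sources -- so they stay in the final image.
# NOTE(review): bash and wget are not used anywhere in this file; drop them if
# the scanner binary does not need them, to shrink the attack surface.
RUN apk add --no-cache \
        bash \
        ca-certificates \
        curl \
        git \
        go \
        musl \
        npm \
        py3-pip \
        python3 \
        sqlite-libs \
        tzdata \
        wget \
    && update-ca-certificates

# Install Trivy for container scanning.
# When TRIVY_VERSION is set, both the installer script (fetched from that tag
# instead of `main`) and the downloaded release are pinned; the upstream
# installer is expected to verify the release against checksums.txt -- confirm
# when bumping versions.
RUN curl -fsSL "https://raw.githubusercontent.com/aquasecurity/trivy/${TRIVY_VERSION:-main}/contrib/install.sh" \
    | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}

# Install Grype for vulnerability scanning (same pinning scheme as Trivy).
RUN curl -fsSL "https://raw.githubusercontent.com/anchore/grype/${GRYPE_VERSION:-main}/install.sh" \
    | sh -s -- -b /usr/local/bin ${GRYPE_VERSION}

# Install govulncheck for Go vulnerability scanning.
# GOBIN places the binary directly in /usr/local/bin (no mv from a hard-coded
# /root/go). The module and build caches produced by `go install` are removed
# in the same layer so they do not end up in the image.
RUN GOBIN=/usr/local/bin go install "golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION}" \
    && go clean -cache -modcache \
    && rm -rf /root/go /root/.cache

# Install pip-audit for Python package vulnerability scanning.
# --break-system-packages overrides PEP 668 deliberately: this is an
# image-private interpreter with no other consumers of its site-packages.
RUN pip3 install --no-cache-dir --break-system-packages \
        "pip-audit${PIP_AUDIT_VERSION:+==${PIP_AUDIT_VERSION}}"

# Unprivileged runtime user with a stable UID/GID (1000) so orchestrators can
# verify runAsNonRoot and mounted volumes can be pre-chowned.
RUN addgroup -g 1000 scanner \
    && adduser -D -u 1000 -G scanner scanner

# Writable state: scan cache, metadata, Trivy DB and scratch space. Owned by
# the scanner user and mode 750 so other UIDs on a shared node cannot read
# scan results; /tmp/gohoarder keeps its default mode as before.
# NOTE(review): /var/lib/trivy is only used if the app config or
# TRIVY_CACHE_DIR points Trivy at it -- nothing in this file does.
RUN mkdir -p /var/cache/gohoarder \
             /var/lib/gohoarder/metadata \
             /var/lib/trivy \
             /tmp/gohoarder \
    && chown -R scanner:scanner \
             /var/cache/gohoarder \
             /var/lib/gohoarder \
             /var/lib/trivy \
             /tmp/gohoarder \
    && chmod -R 750 \
             /var/cache/gohoarder \
             /var/lib/gohoarder \
             /var/lib/trivy

# Copy pre-built binary from GoReleaser
# GoReleaser will automatically inject the correct binary for the target platform
# In split/merge mode, binaries are in linux/${TARGETARCH}/ subdirectories.
# Root-owned and not writable by the scanner user, so a compromised scan job
# cannot replace the entrypoint; --chmod avoids a separate chmod layer.
COPY --chown=root:root --chmod=0755 linux/${TARGETARCH}/gohoarder /usr/local/bin/gohoarder

# Copy example config
COPY config.yaml.example /etc/gohoarder/config.yaml.example

WORKDIR /var/cache/gohoarder
USER scanner

# Expose metrics port (documentation only; >1024 so the non-root user can bind it)
EXPOSE 9091

# Health check.
# The original line mixed exec-form JSON with `|| exit 1`, which Docker treats
# as shell form: sh tried to run the literal `[` token, so the probe always
# failed and the container was reported unhealthy. `gohoarder version` only
# proves the binary executes, not that the worker loop is alive.
# NOTE(review): probe the metrics listener on 9091 instead once its path is
# confirmed (busybox wget is available for that).
HEALTHCHECK --interval=60s --timeout=30s --start-period=10s --retries=3 \
    CMD ["/usr/local/bin/gohoarder", "version"]

# Environment variables for scanner mode
ENV SCANNER_MODE=true \
    SCANNER_WORKERS=4 \
    SCANNER_INTERVAL=300

# Run the scanner in background mode
# The scanner runs the same serve command but uses SCANNER_MODE env var
# and configuration to determine its role
ENTRYPOINT ["/usr/local/bin/gohoarder"]
CMD ["serve"]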