gohoarder/Dockerfile.scanner
lukaszraczylo 311e4d13f6 fix: resolve CGO cross-compilation issues with multi-stage Docker builds
Problem:
- Enabling CGO_ENABLED=1 for SQLite support caused cross-compilation failures
- ARM64 assembly errors when building from amd64 host
- Cross-compilation with CGO requires architecture-specific toolchains

Solution:
- Converted all Dockerfiles to multi-stage builds
- Binaries now compile inside Docker using native platform builders
- Used --platform flag to build for target architecture natively
- Removed binary builds from .goreleaser.yaml (skip: true)
- Updated dockers_v2 to use buildx with multi-platform support

Changes:
- .goreleaser.yaml: Skip standalone builds, use Docker buildx
- Dockerfile.server: Multi-stage build with CGO
- Dockerfile.scanner: Multi-stage build with CGO
- Dockerfile.migrate: Multi-stage build with CGO

Benefits:
- No cross-compilation needed (each platform builds natively)
- Docker buildx handles multi-platform builds automatically
- SQLite support working with CGO enabled
- Cleaner separation between build and runtime environments
2026-01-03 21:55:01 +00:00


# Scanning Engine - background scanner worker image.
# Stage 1 of 2 ("builder"): compiles the gohoarder binary with CGO enabled. Only
# the resulting binary is copied into the runtime stage.

# Global build args consumed by the FROM line below (defaults: linux/amd64).
ARG TARGETOS=linux
ARG TARGETARCH=amd64

# The builder image is requested for the target platform itself, so the Go and C
# toolchains in this stage run as that platform instead of cross-compiling.
# NOTE(review): the base is referenced by tag only; a digest pin
# (golang:1.23-alpine@sha256:<DIGEST>, placeholder) would make rebuilds reproducible.
FROM --platform=$TARGETOS/$TARGETARCH golang:1.23-alpine AS builder

# C/C++ toolchain, musl and SQLite headers required by the CGO build, plus git.
RUN apk add --no-cache \
        g++ \
        gcc \
        git \
        musl-dev \
        sqlite-dev

WORKDIR /build

# Module manifests are copied on their own so the dependency download layer is
# reused until go.mod or go.sum changes.
COPY go.mod go.sum ./
RUN go mod download

# Remaining sources.
# NOTE(review): this copies the whole build context; whether local secrets or VCS
# data are kept out depends on a .dockerignore that is not visible here - confirm.
COPY . .

# Version metadata stamped into the binary through -X linker flags.
ARG VERSION=dev
ARG GIT_COMMIT=unknown
ARG BUILD_TIME=unknown

# Global args must be redeclared inside the stage before RUN can read them.
ARG TARGETOS
ARG TARGETARCH

# CGO build; -s -w drops the symbol table and DWARF debug information.
RUN CGO_ENABLED=1 GOOS=$TARGETOS GOARCH=$TARGETARCH \
    go build -ldflags="-s -w \
    -X github.com/lukaszraczylo/gohoarder/internal/version.Version=${VERSION} \
    -X github.com/lukaszraczylo/gohoarder/internal/version.GitCommit=${GIT_COMMIT} \
    -X github.com/lukaszraczylo/gohoarder/internal/version.BuildTime=${BUILD_TIME}" \
    -o gohoarder ./cmd/gohoarder
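# Runtime stage: Alpine image carrying the gohoarder binary plus the Trivy and
# Grype scanners, run as the unprivileged "scanner" user.
# NOTE(review): "latest" is a moving tag, so rebuilds are not reproducible and the
# runtime musl/sqlite-libs can drift from what the builder stage linked against.
# Pin a release tag and digest, e.g. alpine:<PINNED_TAG>@sha256:<DIGEST>
# (placeholders), matching the Alpine release used by the builder image.
FROM alpine:latest

# Runtime packages: CA bundle and tzdata, the shared libraries needed by the CGO
# build (musl, sqlite-libs), and curl for the installer downloads below.
# NOTE(review): bash, git and wget add attack surface to the runtime image; keep
# them only if the scanners need them at run time - confirm.
RUN apk add --no-cache \
        bash \
        ca-certificates \
        curl \
        git \
        musl \
        sqlite-libs \
        tzdata \
        wget \
    && update-ca-certificates

# Fail the build when the download half of a pipeline fails. Without pipefail a
# failed curl feeds an empty script to sh, which exits 0 and silently produces an
# image with no scanner installed.
SHELL ["/bin/ash", "-o", "pipefail", "-c"]

# Optional release tags for the scanners, passed through to the installers as
# their trailing [tag] argument. Empty (the default) keeps the previous behaviour
# of installing whatever release is current at build time.
ARG TRIVY_VERSION=""
ARG GRYPE_VERSION=""

# NOTE(review): both installer scripts are fetched from the mutable "main" branch
# and executed as root during the build, so the image content depends on upstream
# state at build time. For a reproducible, auditable image set the *_VERSION args
# and vendor the scripts at a reviewed commit, or download the release archives
# directly and verify them against a pinned checksum.

# Install Trivy for container scanning
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
    | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}

# Install Grype for vulnerability scanning
RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
    | sh -s -- -b /usr/local/bin ${GRYPE_VERSION}

# Create non-root user with a fixed UID/GID of 1000
RUN addgroup -g 1000 scanner && \
    adduser -D -u 1000 -G scanner scanner

# Create the cache, metadata, Trivy and temp directories and hand them to the
# scanner user; 750 keeps other users out of the cache and state directories.
RUN mkdir -p /var/cache/gohoarder \
        /var/lib/gohoarder/metadata \
        /var/lib/trivy \
        /tmp/gohoarder && \
    chown -R scanner:scanner /var/cache/gohoarder \
        /var/lib/gohoarder \
        /var/lib/trivy \
        /tmp/gohoarder && \
    chmod -R 750 /var/cache/gohoarder \
        /var/lib/gohoarder \
        /var/lib/trivy

# Copy binary from builder. The mode is set on the COPY itself (BuildKit) instead
# of a follow-up RUN chmod, which would store the binary in a second layer. The
# file stays root-owned, so the scanner user can execute but not replace it.
COPY --from=builder --chmod=0755 /build/gohoarder /usr/local/bin/gohoarder

# Copy example config
COPY config.yaml.example /etc/gohoarder/config.yaml.example

WORKDIR /var/cache/gohoarder

# Everything from here on, including the health check and the entrypoint, runs
# as the unprivileged user.
USER scanner

# Expose metrics port
EXPOSE 9091

# Health check in exec form. The previous `CMD [...] || exit 1` was not valid
# JSON, so Docker fell back to shell form, where `[` is the test command; the
# probe then errored on every run and the container could never become healthy.
# Exec form already reports unhealthy on a non-zero exit, so `|| exit 1` is not
# needed.
# NOTE(review): `gohoarder version` only shows that the binary starts, not that
# the worker is alive. If the listener on 9091 offers a health endpoint, probe
# that instead - confirm.
HEALTHCHECK --interval=60s --timeout=30s --start-period=10s --retries=3 \
    CMD ["/usr/local/bin/gohoarder", "version"]

# Environment variables for scanner mode
ENV SCANNER_MODE=true \
    SCANNER_WORKERS=4 \
    SCANNER_INTERVAL=300

# Run the scanner in background mode.
# The scanner runs the same serve command but uses the SCANNER_MODE env var
# and configuration to determine its role.
ENTRYPOINT ["/usr/local/bin/gohoarder"]
CMD ["serve"]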