Minimal, security-hardened base image for static Go binaries. Distroless, non-root, zero vulnerabilities.
FROM swantron/secure-base:latest
COPY myapp /app
ENTRYPOINT ["/app"]- Distroless base (no shell, no package manager)
- Non-root user (uid 65532)
- Automated Trivy security scanning
- Build fails on CRITICAL/HIGH vulnerabilities
- Comprehensive integration tests
-
Add GitHub Secrets:
DOCKERHUB_USERNAMEDOCKERHUB_TOKEN
-
Create a release:
git tag v1.0.0 git push origin v1.0.0
The workflow automatically builds, scans, and publishes to Docker Hub.
Run integration tests locally:
./test.shTests verify: non-root user, no shell access, no package manager, CA certificates, minimal size, and read-only filesystem support.
MIT