Added dockerfile and github action to build and publish it

2025-07-15 16:42:22 -07:00 · 2025-07-15 16:42:22 -07:00 · 507b8e2b5e
commit 507b8e2b5e
parent 610a27015c
4 changed files with 59 additions and 3 deletions
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@ -0,0 +1,30 @@
+# .github/workflows/release-docker.yml
+name: Publish Docker image
+on:
+  push:
+    tags: ["v*.*.*"]        # every semantic-version tag
+permissions:
+  contents: read
+  packages: write
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/mongodb/kingfisher:latest
+            ghcr.io/mongodb/kingfisher:${{ github.ref_name }}
--- a/7
+++ b/7
@ -366,6 +366,13 @@ all: linux darwin
 	@echo -e "\nCombined Checksums:"
 	@cat target/release/CHECKSUMS.txt

+dockerfile:
+# Build for the host architecture (default)
+	docker build -t kingfisher:latest .
+
+# Cross‑build for arm64 from an x64 machine
+	docker buildx build --platform linux/arm64 -t kingfisher:arm64 .
+
 list-archives:
 	@echo -e "\n=== Built archives ==="
 	@found=0; \
--- a/README.md
+++ b/README.md
@ -58,6 +58,26 @@ make darwin-all # builds both x64 and arm64
 make all # builds for every OS and architecture supported
 ```

+### Run Kingfisher in Docker
+
+
+Run the dockerized Kingfisher container:
+```bash
+# GitHub Container Registry 
+docker run --rm ghcr.io/mongodb/kingfisher:latest --version
+
+# Scan the current working directory
+# (mounts your code at /src and scans it)
+docker run --rm -v "$PWD":/src ghcr.io/mongodb/kingfisher:latest scan /src
+
+# Scan while providing a GitHub token
+docker run --rm -e KF_GITHUB_TOKEN=ghp_… -v "$PWD":/proj ghcr.io/mongodb/kingfisher:latest scan --git-url https://github.com/org/private_repo.git
+
+# Scan and output as json
+docker run --rm -v "$PWD":/proj ghcr.io/mongodb/kingfisher:latest scan /proj --format json --output findings.json
+```
+
+
 # Write Custom Rules!

 Kingfisher ships with hundreds of rules with HTTP and service‑specific validation checks (AWS, Azure, GCP, etc.) to confirm if a detected string is a live credential.
--- a/data/rules/datadog.yml
+++ b/data/rules/datadog.yml
@ -5,7 +5,7 @@ rules:
      (?xi) 
      \b
      (?:datadog|dd-|dd_)
-      (?:.|[\n\r]){0,32}?
+      (?:.|[\n\r]){0,16}?
      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
      (?:.|[\n\r]){0,32}?
      \b                     
@ -46,8 +46,7 @@ rules:
      \b                     
      (?:
        dd[_-]?\w{0,8}[_-]?(?:key|secret) |
-        datadog |
-        dog
+        datadog
      )
      (?:.|[\n\r]){0,64}?
      \b