diff --git a/.github/workflows/go-e2e.yaml b/.github/workflows/go-e2e.yaml
index 6c9f829fd64..0842636459e 100644
--- a/.github/workflows/go-e2e.yaml
+++ b/.github/workflows/go-e2e.yaml
@@ -12,7 +12,7 @@ jobs:
matrix:
go-version: [1.24.x]
os: [ubuntu-latest]
- kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8"]
+ kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8", "docker/Dockerfile.alpine"]
runs-on: ${{ matrix.os }}
steps:
- name: Cancel Previous Runs
diff --git a/.github/workflows/release-dkr-image.yml b/.github/workflows/release-dkr-image.yml
index 2ea67e17a05..892b0ed28fb 100644
--- a/.github/workflows/release-dkr-image.yml
+++ b/.github/workflows/release-dkr-image.yml
@@ -66,14 +66,29 @@ jobs:
org.opencontainers.image.licenses=Apache-2.0
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.created=${{ env.CREATED_AT }}
- - name: Push alpine to Docker Hub
+ - name: Push main to Docker Hub
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ id: build_main
+ with:
+ context: .
+ push: true
+ platforms: linux/amd64,linux/arm64
+ tags: checkmarx/kics:latest,checkmarx/kics:${{ steps.get-version.outputs.version }}
+ build-args: |
+ VERSION=${{ steps.get-version.outputs.version }}
+ COMMIT=${{ github.sha }}
+ SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+ DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }}
+ labels: ${{ steps.meta.outputs.labels }}
+ - name: Build and push alpine to Docker Hub
id: build_alpine
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
+ file: ./docker/Dockerfile.alpine
push: true
platforms: linux/amd64,linux/arm64
- tags: checkmarx/kics:latest,checkmarx/kics:${{ steps.get-version.outputs.version }},checkmarx/kics:alpine,checkmarx/kics:${{ steps.get-version.outputs.version }}-alpine
+ tags: checkmarx/kics:alpine,checkmarx/kics:${{ steps.get-version.outputs.version }}-alpine
build-args: |
VERSION=${{ steps.get-version.outputs.version }}
COMMIT=${{ github.sha }}
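Review bot: Moving the `latest`/`${{ steps.get-version.outputs.version }}` tags from `build_alpine` to the new `build_main` step (L25–L36) changes which step's outputs downstream code must read: any later step that consumes `steps.build_alpine.outputs.digest` (for signing, attestation or an SBOM of the default image) would now attest the alpine image while `latest` is published without it, so those steps should switch to `steps.build_main.outputs.digest` where the default image is meant. The job continues past L49 and the `build_alpine` step's `with:` block is cut by the hunk, so this cannot be confirmed here; the same review point applies to the nightly workflow, where `checkmarx/kics:nightly` moves to `build_main` in the same way. The main step also relies on build-push-action's default for `file:` resolving to `Dockerfile` in the context; stating `file: ./Dockerfile` explicitly, as the alpine step does at L42, makes it obvious which variant each step builds.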
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
index b5e0a9f84b3..6137c8902d7 100644
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -177,14 +177,28 @@ jobs:
org.opencontainers.image.licenses=Apache-2.0
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.created=${{ env.CREATED_AT }}
- - name: Push alpine to Docker Hub
+ - name: Push main to Docker Hub
+ id: build_main
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ context: .
+ push: true
+ platforms: linux/amd64,linux/arm64
+ tags: checkmarx/kics:nightly
+ build-args: |
+ VERSION=nightly-${{ needs.pre_release_job.outputs.sha8 }}
+ COMMIT=${{ github.sha }}
+ DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }}
+ labels: ${{ steps.meta.outputs.labels }}
+ - name: Build and push alpine to Docker Hub
id: build_alpine
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
+ file: ./docker/Dockerfile.alpine
push: true
platforms: linux/amd64,linux/arm64
- tags: checkmarx/kics:nightly,checkmarx/kics:nightly-alpine
+ tags: checkmarx/kics:nightly-alpine
build-args: |
VERSION=nightly-${{ needs.pre_release_job.outputs.sha8 }}
COMMIT=${{ github.sha }}
diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine
new file mode 100644
index 00000000000..459f5e0f6d6
--- /dev/null
+++ b/docker/Dockerfile.alpine
@@ -0,0 +1,59 @@
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.24.5-alpine AS build_env
+
+# Install build dependencies
+RUN apk add --no-cache git
+
+# Copy the source from the current directory to the Working Directory inside the container
+WORKDIR /app
+
+ENV GOPRIVATE=github.com/Checkmarx/*
+ARG VERSION="development"
+ARG COMMIT="NOCOMMIT"
+ARG SENTRY_DSN=""
+ARG DESCRIPTIONS_URL=""
+ARG TARGETOS
+ARG TARGETARCH
+
+# Copy go mod and sum files
+COPY go.mod go.sum ./
+
+# Get dependencies - will also be cached if we won't change mod/sum
+RUN go mod download -x
+
+# COPY the source code as the last step
+COPY . .
+
+# Build the Go app
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
+ -ldflags "-s -w -X github.com/Checkmarx/kics/v2/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/v2/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/v2/internal/constants.SentryDSN=${SENTRY_DSN} -X github.com/Checkmarx/kics/v2/internal/constants.BaseURL=${DESCRIPTIONS_URL}" \
+ -a -installsuffix cgo \
+ -o bin/kics cmd/console/main.go
+
+# Runtime image - Alpine base with apk support
+FROM alpine:latest
+
+# Install runtime dependencies including git for scanning repositories
+RUN apk add --no-cache git wget unzip
+
+RUN addgroup -g 1000 checkmarx && \
+ adduser -D -u 1000 -G checkmarx -h /app/bin -s /bin/sh checkmarx
+
+# Copy built binary to the runtime container with proper ownership
+COPY --from=build_env --chown=checkmarx:checkmarx /app/bin/kics /app/bin/kics
+COPY --from=build_env --chown=checkmarx:checkmarx /app/assets/queries /app/bin/assets/queries
+COPY --from=build_env --chown=checkmarx:checkmarx /app/assets/cwe_csv /app/bin/assets/cwe_csv
+COPY --from=build_env --chown=checkmarx:checkmarx /app/assets/libraries/* /app/bin/assets/libraries/
+
+WORKDIR /app/bin
+
+# Switch to non-root user for security
+USER checkmarx
+
+# Add kics to PATH
+ENV PATH $PATH:/app/bin
+
+# Healthcheck the container (consistent with Debian variant)
+HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
+
+# Command to run the executable
+ENTRYPOINT ["/app/bin/kics"]
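Review bot: The runtime stage starts from `FROM alpine:latest` while the build stage is pinned to `golang:1.24.5-alpine`, so every rebuild of the `alpine` tag can pick up a different Alpine release (and different `git`/`wget`/`unzip` versions from the `apk add` line) and the published image is not reproducible from a given commit. Pin the runtime base to an explicit release tag, `FROM alpine:<pinned version>`, preferably with a `@sha256:` digest kept current by the repo's dependency bot, matching how the workflows pin `docker/build-push-action` to a commit. `ENV PATH $PATH:/app/bin` uses the legacy whitespace-separated form that current BuildKit flags as `LegacyKeyValueFormat`; write it as `ENV PATH="${PATH}:/app/bin"`. The `HEALTHCHECK` depends on GNU wget's `--method=HEAD`, which BusyBox's wget applet does not accept and which only works because the `apk add ... wget` line installs the full package; a comment such as `# GNU wget required: BusyBox wget has no --method` on that line would keep a later cleanup from silently breaking the probe.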
diff --git a/docs/dockerhub.md b/docs/dockerhub.md
index b8fe69d373f..3f8838a3af0 100644
--- a/docs/dockerhub.md
+++ b/docs/dockerhub.md
@@ -8,16 +8,41 @@ Visit us
https://github.com/Checkmarx/kics
-## Command
+## Docker Image Variants
-To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the `-p` KICS parameter (see the full list of CLI options below)
+KICS provides several Docker image variants to fit different use cases:
-NOTE: from v1.3.0 KICS does not execute `scan` command by default anymore.
+### Available Tags
+
+| Tag | Base OS | Package Manager | Use Case |
+|-----|---------|----------------|----------|
+| `latest`, `v{VERSION}` | Wolfi Linux | None | Default, lightweight image |
+| `alpine`, `v{VERSION}-alpine` | Alpine Linux | `apk` | When you need `apk` package manager |
+| `debian`, `v{VERSION}-debian` | Debian | `apt-get` | When you need `apt-get` package manager |
+| `ubi8`, `v{VERSION}-ubi8` | Red Hat UBI8 | `yum` | Enterprise environments, Red Hat compatible |
+
+### Quick Start
```sh
+# Default image (recommended for most users)
docker pull checkmarx/kics:latest
+
+# Alpine image (with apk support)
+docker pull checkmarx/kics:alpine
+
+# Debian image (with apt-get support)
+docker pull checkmarx/kics:debian
+
+# UBI8 image (enterprise/Red Hat environments)
+docker pull checkmarx/kics:ubi8
```
+## Command
+
+To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the `-p` KICS parameter (see the full list of CLI options below)
+
+NOTE: from v1.3.0 KICS does not execute `scan` command by default anymore.
+
Scan a directory
```sh
diff --git a/docs/documentation.md b/docs/documentation.md
index 8d29fbc961b..01c94903799 100644
--- a/docs/documentation.md
+++ b/docs/documentation.md
@@ -4,17 +4,35 @@ There are multiple ways to get KICS up and running:
#### Docker
-KICS is available as a Docker image and can be used as follows:
+KICS is available as a Docker image with multiple variants to fit different use cases:
To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the `-p` KICS parameter (see Scan Command Options section below)
+**Quick Start:**
```shell
docker pull checkmarx/kics:latest
docker run -t -v "{path_to_host_folder_to_scan}":/path checkmarx/kics scan -p /path -o "/path/"
```
+**Available Image Variants:**
+
+| Tag | Base OS | Package Manager | Use Case |
+|-----|---------|----------------|----------|
+| `latest`, `v{VERSION}` | Wolfi Linux | None | Default, lightweight image |
+| `alpine`, `v{VERSION}-alpine` | Alpine Linux | `apk` | When you need `apk` package manager |
+| `debian`, `v{VERSION}-debian` | Debian | `apt-get` | When you need `apt-get` package manager |
+| `ubi8`, `v{VERSION}-ubi8` | Red Hat UBI8 | `yum` | Enterprise environments, Red Hat compatible |
+
You can see the list of available tags in [dockerhub](https://hub.docker.com/r/checkmarx/kics/tags?page=1&ordering=-name)
+**Choosing the Right Image:**
+
+- **For most users**: Use `latest` (default, smallest size)
+- **If you need to install additional packages**: Choose based on your preferred package manager:
+ - `alpine` for `apk add` commands
+ - `debian` for `apt-get install` commands
+ - `ubi8` for `yum install` commands in enterprise environments
+
ℹ️ **UBI Based Images**
When using [UBI8](https://catalog.redhat.com) based image, the KICS process will run under the `kics` user and `kics` group with default UID=1000 and GID=1000. When using bind mount to share host files with the container, the UID and GID can be overriden to match current user with the `-u` flag that overrides the username:group or UID:GID. e.g:
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 6dd895f814f..9808a61fe35 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -4,17 +4,35 @@ There are multiple ways to get KICS up and running:
#### Docker
-KICS is available as a Docker image and can be used as follows:
+KICS is available as a Docker image with multiple variants to fit different use cases:
To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the -p KICS parameter (see Scan Command Options section below)
+**Quick Start:**
```shell
docker pull checkmarx/kics:latest
docker run -t -v "{path_to_host_folder_to_scan}":/path checkmarx/kics scan -p /path -o "/path/"
```
+**Available Image Variants:**
+
+| Tag | Base OS | Package Manager | Use Case |
+|-----|---------|----------------|----------|
+| `latest`, `v{VERSION}` | Wolfi Linux | None | Default, lightweight image |
+| `alpine`, `v{VERSION}-alpine` | Alpine Linux | `apk` | When you need `apk` package manager |
+| `debian`, `v{VERSION}-debian` | Debian | `apt-get` | When you need `apt-get` package manager |
+| `ubi8`, `v{VERSION}-ubi8` | Red Hat UBI8 | `yum` | Enterprise environments, Red Hat compatible |
+
You can see the list of available tags in [dockerhub](https://hub.docker.com/r/checkmarx/kics/tags?page=1&ordering=-name)
+**Choosing the Right Image:**
+
+- **For most users**: Use `latest` (default, smallest size)
+- **If you need to install additional packages**: Choose based on your preferred package manager:
+ - `alpine` for `apk add` commands
+ - `debian` for `apt-get install` commands
+ - `ubi8` for `yum install` commands in enterprise environments
+
ℹ️ **UBI Based Images**
When using [UBI8](https://catalog.redhat.com) based image, the KICS process will run under the `kics` user and `kics` group with default UID=1000 and GID=1000, when using bind mount to share host files with the container, the UID and GID can be overriden to match current user with the `-u` flag that overrides the username:group or UID:GID. e.g: