Checkmarx · cx-artur-ribeiro · Jul 30, 2025 · Jul 23, 2025 · Jul 23, 2025 · Jul 27, 2025
diff --git a/.github/workflows/go-e2e.yaml b/.github/workflows/go-e2e.yaml
@@ -12,7 +12,7 @@ jobs:
       matrix:
         go-version: [1.24.x]
         os: [ubuntu-latest]
-        kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8"]
+        kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8", "docker/Dockerfile.alpine"]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Cancel Previous Runs

diff --git a/.github/workflows/release-dkr-image.yml b/.github/workflows/release-dkr-image.yml
@@ -66,14 +66,29 @@ jobs:
             org.opencontainers.image.licenses=Apache-2.0
             org.opencontainers.image.revision=${{ github.sha }}
             org.opencontainers.image.created=${{ env.CREATED_AT }}
-      - name: Push alpine to Docker Hub
+      - name: Push main to Docker Hub
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        id: build_main
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: checkmarx/kics:latest,checkmarx/kics:${{ steps.get-version.outputs.version }}
+          build-args: |
+            VERSION=${{ steps.get-version.outputs.version }}
+            COMMIT=${{ github.sha }}
+            SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+            DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Build and push alpine to Docker Hub
         id: build_alpine
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
+          file: ./docker/Dockerfile.alpine
           push: true
           platforms: linux/amd64,linux/arm64
-          tags: checkmarx/kics:latest,checkmarx/kics:${{ steps.get-version.outputs.version }},checkmarx/kics:alpine,checkmarx/kics:${{ steps.get-version.outputs.version }}-alpine
+          tags: checkmarx/kics:alpine,checkmarx/kics:${{ steps.get-version.outputs.version }}-alpine
           build-args: |
             VERSION=${{ steps.get-version.outputs.version }}
             COMMIT=${{ github.sha }}

diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
@@ -177,14 +177,28 @@ jobs:
             org.opencontainers.image.licenses=Apache-2.0
             org.opencontainers.image.revision=${{ github.sha }}
             org.opencontainers.image.created=${{ env.CREATED_AT }}
-      - name: Push alpine to Docker Hub
+      - name: Push main to Docker Hub
+        id: build_main
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: checkmarx/kics:nightly
+          build-args: |
+            VERSION=nightly-${{ needs.pre_release_job.outputs.sha8 }}
+            COMMIT=${{ github.sha }}
+            DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Build and push alpine to Docker Hub
         id: build_alpine
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
+          file: ./docker/Dockerfile.alpine
           push: true
           platforms: linux/amd64,linux/arm64
-          tags: checkmarx/kics:nightly,checkmarx/kics:nightly-alpine
+          tags: checkmarx/kics:nightly-alpine
           build-args: |
             VERSION=nightly-${{ needs.pre_release_job.outputs.sha8 }}
             COMMIT=${{ github.sha }}

diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine
@@ -0,0 +1,59 @@
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.24.5-alpine AS build_env
+
+# Install build dependencies
+RUN apk add --no-cache git
+
+# Copy the source from the current directory to the Working Directory inside the container
+WORKDIR /app
+
+ENV GOPRIVATE=github.com/Checkmarx/*
+ARG VERSION="development"
+ARG COMMIT="NOCOMMIT"
+ARG SENTRY_DSN=""
+ARG DESCRIPTIONS_URL=""
+ARG TARGETOS
+ARG TARGETARCH
+
+# Copy go mod and sum files
+COPY go.mod go.sum ./
+
+# Get dependencies - will also be cached if we won't change mod/sum
+RUN go mod download -x
+
+# COPY the source code as the last step
+COPY . .
+
+# Build the Go app
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
+    -ldflags "-s -w -X github.com/Checkmarx/kics/v2/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/v2/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/v2/internal/constants.SentryDSN=${SENTRY_DSN} -X github.com/Checkmarx/kics/v2/internal/constants.BaseURL=${DESCRIPTIONS_URL}" \
+    -a -installsuffix cgo \
+    -o bin/kics cmd/console/main.go
+
+# Runtime image - Alpine base with apk support
+FROM alpine:latest
+
+# Install runtime dependencies including git for scanning repositories
+RUN apk add --no-cache git wget unzip
+
+RUN addgroup -g 1000 checkmarx && \
+    adduser -D -u 1000 -G checkmarx -h /app/bin -s /bin/sh checkmarx
+
+# Copy built binary to the runtime container with proper ownership
+COPY --from=build_env --chown=checkmarx:checkmarx /app/bin/kics /app/bin/kics
+COPY --from=build_env --chown=checkmarx:checkmarx /app/assets/queries /app/bin/assets/queries
+COPY --from=build_env --chown=checkmarx:checkmarx /app/assets/cwe_csv /app/bin/assets/cwe_csv
+COPY --from=build_env --chown=checkmarx:checkmarx /app/assets/libraries/* /app/bin/assets/libraries/
+
+WORKDIR /app/bin
+
+# Switch to non-root user for security
+USER checkmarx
+
+# Add kics to PATH
+ENV PATH $PATH:/app/bin
+
+# Healthcheck the container (consistent with Debian variant)
+HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
+
+# Command to run the executable
+ENTRYPOINT ["/app/bin/kics"]
diff --git a/docs/dockerhub.md b/docs/dockerhub.md
@@ -8,16 +8,41 @@ Visit us
 
 https://github.com/Checkmarx/kics
 
-## Command
+## Docker Image Variants
 
-To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the `-p` KICS parameter (see the full list of CLI options below)
+KICS provides several Docker image variants to fit different use cases:
 
-NOTE: from v1.3.0 KICS does not execute `scan` command by default anymore.
+### Available Tags
+
+| Tag | Base OS | Package Manager | Use Case |
+|-----|---------|----------------|----------|
+| `latest`, `v{VERSION}` | Wolfi Linux | None | Default, lightweight image |
+| `alpine`, `v{VERSION}-alpine` | Alpine Linux | `apk` | When you need `apk` package manager |
+| `debian`, `v{VERSION}-debian` | Debian | `apt-get` | When you need `apt-get` package manager |
+| `ubi8`, `v{VERSION}-ubi8` | Red Hat UBI8 | `yum` | Enterprise environments, Red Hat compatible |
+
+### Quick Start
 
 ```sh
+# Default image (recommended for most users)
 docker pull checkmarx/kics:latest
+
+# Alpine image (with apk support)
+docker pull checkmarx/kics:alpine
+
+# Debian image (with apt-get support)  
+docker pull checkmarx/kics:debian
+
+# UBI8 image (enterprise/Red Hat environments)
+docker pull checkmarx/kics:ubi8
 ```
 
+## Command
+
+To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the `-p` KICS parameter (see the full list of CLI options below)
+
+NOTE: from v1.3.0 KICS does not execute `scan` command by default anymore.
+
 Scan a directory
 
 ```sh

diff --git a/docs/documentation.md b/docs/documentation.md
@@ -4,17 +4,35 @@ There are multiple ways to get KICS up and running:
 
 #### Docker
 
-KICS is available as a <a href="https://hub.docker.com/r/checkmarx/kics" target="_blank">Docker image</a> and can be used as follows:
+KICS is available as a <a href="https://hub.docker.com/r/checkmarx/kics" target="_blank">Docker image</a> with multiple variants to fit different use cases:
 
 To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the `-p` KICS parameter (see Scan Command Options section below)
 
+**Quick Start:**
 ```shell
 docker pull checkmarx/kics:latest
 docker run -t -v "{path_to_host_folder_to_scan}":/path checkmarx/kics scan -p /path -o "/path/"
 ```
 
+**Available Image Variants:**
+
+| Tag | Base OS | Package Manager | Use Case |
+|-----|---------|----------------|----------|
+| `latest`, `v{VERSION}` | Wolfi Linux | None | Default, lightweight image |
+| `alpine`, `v{VERSION}-alpine` | Alpine Linux | `apk` | When you need `apk` package manager |
+| `debian`, `v{VERSION}-debian` | Debian | `apt-get` | When you need `apt-get` package manager |
+| `ubi8`, `v{VERSION}-ubi8` | Red Hat UBI8 | `yum` | Enterprise environments, Red Hat compatible |
+
 You can see the list of available tags in [dockerhub](https://hub.docker.com/r/checkmarx/kics/tags?page=1&ordering=-name)
 
+**Choosing the Right Image:**
+
+- **For most users**: Use `latest` (default, smallest size)
+- **If you need to install additional packages**: Choose based on your preferred package manager:
+  - `alpine` for `apk add` commands
+  - `debian` for `apt-get install` commands  
+  - `ubi8` for `yum install` commands in enterprise environments
+
 ℹ️ **UBI Based Images**
 
 When using [UBI8](https://catalog.redhat.com) based image, the KICS process will run under the `kics` user and `kics` group with default UID=1000 and GID=1000. When using bind mount to share host files with the container, the UID and GID can be overriden to match current user with the `-u` flag that overrides the username:group or UID:GID. e.g:

diff --git a/docs/getting-started.md b/docs/getting-started.md
@@ -4,17 +4,35 @@ There are multiple ways to get KICS up and running:
 
 #### Docker
 
-KICS is available as a <a href="https://hub.docker.com/r/checkmarx/kics" target="_blank">Docker image</a> and can be used as follows:
+KICS is available as a <a href="https://hub.docker.com/r/checkmarx/kics" target="_blank">Docker image</a> with multiple variants to fit different use cases:
 
 To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the -p KICS parameter (see Scan Command Options section below)
 
+**Quick Start:**
 ```shell
 docker pull checkmarx/kics:latest
 docker run -t -v "{path_to_host_folder_to_scan}":/path checkmarx/kics scan -p /path -o "/path/"
 ```
 
+**Available Image Variants:**
+
+| Tag | Base OS | Package Manager | Use Case |
+|-----|---------|----------------|----------|
+| `latest`, `v{VERSION}` | Wolfi Linux | None | Default, lightweight image |
+| `alpine`, `v{VERSION}-alpine` | Alpine Linux | `apk` | When you need `apk` package manager |
+| `debian`, `v{VERSION}-debian` | Debian | `apt-get` | When you need `apt-get` package manager |
+| `ubi8`, `v{VERSION}-ubi8` | Red Hat UBI8 | `yum` | Enterprise environments, Red Hat compatible |
+
 You can see the list of available tags in [dockerhub](https://hub.docker.com/r/checkmarx/kics/tags?page=1&ordering=-name)
 
+**Choosing the Right Image:**
+
+- **For most users**: Use `latest` (default, smallest size)
+- **If you need to install additional packages**: Choose based on your preferred package manager:
+  - `alpine` for `apk add` commands
+  - `debian` for `apt-get install` commands  
+  - `ubi8` for `yum install` commands in enterprise environments
+
 ℹ️ **UBI Based Images**
 
 When using [UBI8](https://catalog.redhat.com) based image, the KICS process will run under the `kics` user and `kics` group with default UID=1000 and GID=1000, when using bind mount to share host files with the container, the UID and GID can be overriden to match current user with the `-u` flag that overrides the username:group or UID:GID. e.g: