A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.
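# ==========================================
# Stage 1: build the statically linked scanner binary
# ==========================================
# NOTE(review): the tag is mutable. Pinning by digest
# (docker.io/golang:1.25.7-trixie@sha256:<digest-placeholder>) would fix the
# exact toolchain that produces the shipped binary.
FROM docker.io/golang:1.25.7-trixie AS builder

# Build-time only: ARG is visible to the RUN steps of this stage without being
# persisted in the stage's environment the way ENV is.
ARG DEBIAN_FRONTEND=noninteractive

# SQLite library and headers; presumably consumed by the cgo build below.
# update + install + list cleanup stay in one layer so the apt index is never stale.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        libsqlite3-dev \
        sqlite3 && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /build

# Disable workspace mode — go.work references modules not in the Docker context
ENV GOWORK=off

# Copy module definitions first for layer caching. go.sum travels with go.mod so
# the downloaded modules are checked against the recorded hashes.
COPY go.mod go.sum ./
COPY scanner/go.mod scanner/go.sum ./scanner/

# WORKDIR replaces the per-RUN `cd scanner`; both go commands below run in the
# scanner module directory.
WORKDIR /build/scanner
RUN go mod download

# Copy full source into /build (same destination as before the WORKDIR change).
# NOTE(review): this copies the whole build context; it relies on a .dockerignore
# (not visible here) to keep .git, local env files and credentials out of the
# builder layers and build cache.
COPY . /build/

# Static, stripped binary so it can run in the scratch stage.
# NOTE(review): statically linking glibc under cgo can leave name-resolution and
# user-lookup paths that expect NSS libraries, which a scratch image does not
# have; confirm DNS lookups work at runtime or consider the netgo/osusergo
# build tags.
RUN CGO_ENABLED=1 go build \
    -ldflags="-s -w -linkmode external -extldflags '-static'" \
    -trimpath \
    -o /build/atcr-scanner ./cmd/scanner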
# ==========================================
# Stage 2: Minimal FROM scratch runtime
# ==========================================
# Only the files copied below exist in this image: no shell, no package
# manager, no libc.
FROM scratch

# OCI image annotations
LABEL org.opencontainers.image.title="ATCR Scanner" \
      org.opencontainers.image.description="ATCR Scanner - container image vulnerability scanner with Syft and Grype" \
      org.opencontainers.image.authors="ATCR Contributors" \
      org.opencontainers.image.source="https://tangled.org/evan.jarrett.net/at-container-registry" \
      org.opencontainers.image.documentation="https://tangled.org/evan.jarrett.net/at-container-registry" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.version="0.1.0"

# CA bundle for HTTPS (presigned URL downloads). The trust store is frozen at
# whatever the builder base image shipped; rebuilding is the only way it picks
# up CA additions or removals.
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# Timezone database for timestamp formatting
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
# The statically linked scanner binary built in stage 1
COPY --from=builder /build/atcr-scanner /atcr-scanner

# Health endpoint port (documentation only; does not publish the port)
EXPOSE 9090

# NOTE(review): no USER is set, so the scanner runs as UID 0. scratch has no
# /etc/passwd, so a numeric form such as `USER 65532:65532` would be needed.
# Confirm first which paths the scanner writes at runtime (not visible here):
# a non-root process cannot create directories under / in this image.
ENTRYPOINT ["/atcr-scanner"]
CMD ["serve"]
53CMD ["serve"]