# Docker image reference

Build args, bundled tools, worker mode, GHCR publish

The Docker image bundles the CLI (`scan`) and an optional worker (platform queue processing).

For scanning repos locally or in CI, start with the product guide: scan-product.md.
## Commands

| Command | Purpose |
|---|---|
| `scan /repo [flags]` | Scan a mounted directory (no platform required) |
| `worker` | Poll Postgres for queued scans (platform) |
| `worker --drain` | Process all queued jobs, then exit |
## Build

From the repository root:

```bash
pnpm docker:build
```

Or:

```bash
docker build -f infrastructure/docker/Dockerfile -t security-scanner:local .
```

Build args (defaults in Dockerfile):

| Arg | Default | Tool |
|---|---|---|
| `TRIVY_VERSION` | 0.71.2 | Dependency & CVE scanner |
| `SEMGREP_VERSION` | 1.95.0 | SAST (pip) |
| `SYFT_VERSION` | 1.18.1 | SBOM generator |
| `GITLEAKS_VERSION` | 8.21.2 | Secret scanner |
| `CHECKOV_VERSION` | 3.2.428 | IaC scanner (pip) |
Example with pinned versions:

```bash
docker build -f infrastructure/docker/Dockerfile \
  --build-arg TRIVY_VERSION=0.71.2 \
  --build-arg GITLEAKS_VERSION=8.21.2 \
  -t security-scanner:local .
```

## Scan (see scan-product.md for full guide)

```bash
docker run --rm -v "$(pwd):/repo:ro" security-scanner:local scan /repo
docker run --rm -v "$(pwd):/repo:ro" security-scanner:local \
  scan /repo --scanners all --format json --fail-on high
```

Syft writes `.scantis/sbom.cyclonedx.json` inside the scan target, so use a read-write mount if you need the file on the host:
```bash
docker run --rm -v "$(pwd):/repo" security-scanner:local scan /repo --scanners syft
```

## Worker (platform only)

Process scans queued by the hosted dashboard/API:

```bash
docker run --rm --env-file .env security-scanner:local worker --drain
```

Required in `.env`:

```
DATABASE_URL=postgresql://...@neon.tech/neondb?sslmode=require
DASHBOARD_URL=https://your-app.vercel.app
```

For GitHub PR scans, also set `GITHUB_APP_ID` and `GITHUB_APP_PRIVATE_KEY`.

See vercel-neon-local-worker.md.
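The helper below is an added example, not a script from the image or its repository. It ties the Scan and Worker sections together: `scan_cmd` composes the `docker run ... scan` line with the documented flags and picks a read-only mount unless the caller asks to keep Syft's SBOM, and `check_worker_env` verifies that a `.env` file carries the keys worker mode needs before it is passed to `--env-file`. Assumptions not taken from this page: the image tag defaults to the local build tag, the `sbom` and `pr` switches are the helper's own, and the sample `.env` values are constructed placeholders.

```bash
#!/bin/sh
# Added example (not part of the image or its repo): compose the scan command
# from the Scan section and sanity-check a worker .env before `--env-file`.
# Assumption: the image is the local build tag from the Build section.
IMAGE="security-scanner:local"

# Print (do not run) the docker run line for scanning host directory $1 with
# scanner list $2 (default "all"). Pass "sbom" as $3 to mount read-write:
# Syft writes .scantis/sbom.cyclonedx.json into the scan target, so a
# read-only mount keeps the SBOM off the host.
scan_cmd() {
  host_path="$1"
  scanners="${2:-all}"
  mode="ro"
  if [ "${3:-}" = "sbom" ]; then
    mode="rw"
  fi
  printf 'docker run --rm -v "%s:/repo:%s" %s scan /repo --scanners %s --format json --fail-on high\n' \
    "$host_path" "$mode" "$IMAGE" "$scanners"
}

# Return 0 when the .env file $1 defines every key worker mode needs, 1 otherwise.
# Pass "pr" as $2 to also require the GitHub App credentials used for PR scans.
# Warns (without failing) when DATABASE_URL does not request TLS with sslmode=require.
check_worker_env() {
  envfile="$1"
  required="DATABASE_URL DASHBOARD_URL"
  if [ "${2:-}" = "pr" ]; then
    required="$required GITHUB_APP_ID GITHUB_APP_PRIVATE_KEY"
  fi
  missing=""
  for key in $required; do
    # The key must appear at the start of a line with a non-empty value.
    grep -q "^${key}=." "$envfile" || missing="$missing $key"
  done
  if ! grep -q '^DATABASE_URL=.*sslmode=require' "$envfile"; then
    echo "warning: DATABASE_URL in $envfile does not set sslmode=require" >&2
  fi
  if [ -n "$missing" ]; then
    echo "missing in $envfile:$missing" >&2
    return 1
  fi
  return 0
}

# Demo against a constructed .env (placeholder values, not real credentials).
demo_env=$(mktemp)
cat > "$demo_env" <<'EOF'
DATABASE_URL=postgresql://user:pass@db.example.invalid/neondb?sslmode=require
DASHBOARD_URL=https://dashboard.example.invalid
EOF
scan_cmd "$(pwd)" "trivy,gitleaks"
scan_cmd "$(pwd)" syft sbom
if check_worker_env "$demo_env"; then echo "worker env: ok"; fi
if ! check_worker_env "$demo_env" pr; then echo "worker env: PR scans need GitHub App credentials"; fi
rm -f "$demo_env"
```

Running the check before `worker --drain` turns the "PR scan fails" and "Worker finds no jobs" troubleshooting entries into a pre-flight failure with the missing key named, instead of a container that starts and then idles or errors.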
## Publish to GHCR

Tag a release:

```bash
git tag v0.1.0
git push origin v0.1.0
```

Workflow: `.github/workflows/docker-publish.yml` → `ghcr.io/szaranger/security-scanner:latest`
## Image contents

| Tool | Installed as |
|---|---|
| Trivy | Binary (TRIVY_VERSION) |
| Semgrep | pip (SEMGREP_VERSION) |
| Syft | Binary (SYFT_VERSION) |
| Gitleaks | Binary (GITLEAKS_VERSION) |
| Checkov | pip (CHECKOV_VERSION) |
| git | PR clone in worker mode |

Scanners use binaries inside the container (not Docker-in-Docker).

## Troubleshooting

| Issue | Fix |
|---|---|
| Permission denied on volume | Path must exist; Docker must be able to read the mount |
| Worker finds no jobs | Same DATABASE_URL as Vercel; queue a scan via API or webhook first |
| PR scan fails | Set GitHub App credentials in --env-file |
| Slow first scan | Trivy/Semgrep download rule DBs on first run |
| No SBOM file on host | Syft writes under .scantis/ in the mount — use read-write volume |
| Checkov skipped | No IaC files detected under scan root (expected for pure app repos) |