This document summarizes the successful migration of Docker image build configuration from the main fortify/fcli repository to this standalone fortify/fcli-docker repository.
fcli-docker/
├── .github/
│ └── workflows/
│ └── docker.yml # GitHub Actions workflow for building/publishing images
├── linux/
│ ├── .gitignore # Ignore locally built fcli binary
│ ├── Dockerfile # Multi-stage build for Alpine, UBI9, and scratch images
│ ├── data.tgz # Pre-created /data directory structure
│ ├── minimal-passwd # Minimal passwd file for scratch image
│ └── tmp.tgz # Pre-created /tmp directory structure
├── windows/
│ ├── .gitignore # Ignore locally built fcli.exe
│ ├── Dockerfile # Windows Server Core based image
│ └── data.tgz # Pre-created C:\data directory structure
├── README.md # Comprehensive user and developer documentation
├── FCLI_REPO_CHANGES.md # Migration guide for fcli repository
└── IMPLEMENTATION_SUMMARY.md # This file
- DOCKER_SRC paths: Updated from
fcli-other/fcli-docker/linux→linux - DOCKER_SRC paths: Updated from
fcli-other/fcli-docker/windows→windows - Checkout behavior: Removed specific release tag checkout (not needed in standalone repo)
- Base image checking: Fixed UBI9 version regex to support patch releases
-
Linux: Changed from
/bin/fcli→/usr/bin/fcli- Reason:
/usr/binis the standard location for user-installed binaries - Applies to: fcli-alpine, fcli-ubi9, fcli-scratch targets
- Reason:
-
Windows: Changed from
C:\bin\fcli.exe→C:\Program Files\fcli\fcli.exe- Reason:
C:\Program Filesis the standard Windows application location - Includes proper directory creation and permission setting
- Reason:
- All security features maintained from original:
- ✅ RSA SHA256 signature verification
- ✅ Non-root user (UID 10001)
- ✅ Minimal attack surface (scratch image)
- ✅ SBOM and provenance generation
- ✅ No secrets in images
Comprehensive documentation including:
- Available image variants (scratch, ubi9, alpine, windows)
- Image tags and versioning
- Build instructions
- Usage examples for different scenarios
- CI/CD integration examples (GitHub Actions, GitLab CI, Jenkins)
- Architecture and security details
- Troubleshooting guide
- Maintenance procedures
Complete migration guide for fcli repository maintainers:
- Files and directories to remove
- Workflow updates needed
- Secret configuration instructions
- Testing procedures
- Rollback plan
- Migration checklist
- ✅ YAML workflow syntax validated
- ✅ Workflow structure verified
- ✅ All required fields present
- ✅ CodeQL analysis: 0 alerts found
- ✅ No security vulnerabilities detected
- ✅ No secrets or credentials exposed
- ✅ Automated code review completed
- ✅ Key issues addressed:
- Fixed UBI9 version regex pattern
- Enhanced PAT security documentation
- Verified executable path best practices
-
Pull and run published images:
docker run --rm fortifydocker/fcli:latest --version
-
Build locally for testing:
cd linux docker build --build-arg FCLI_VERSION=v3.14.0 --target fcli-scratch -t fcli:test .
-
Trigger builds via GitHub Actions:
- Go to Actions tab → "Build and publish Docker images"
- Click "Run workflow"
- Enter release tag and options
- Review build results
-
Automated triggering (after fcli repo migration):
- Builds trigger automatically when fcli releases are tagged
- See FCLI_REPO_CHANGES.md for setup instructions
The main fortify/fcli repository needs to be updated to complete the migration:
-
Remove moved files (see FCLI_REPO_CHANGES.md)
- Delete
fcli-other/fcli-docker/directory - Remove
.github/workflows/docker.yml
- Delete
-
Update CI workflow (see FCLI_REPO_CHANGES.md)
- Add job to trigger docker builds in this repo
- Configure required secrets
-
Update documentation
- Link to this repository for Docker-related information
- Remove Docker build instructions from fcli repo
-
Test integration
- Create test tag to verify automatic triggering
- Verify Docker images are published correctly
Important: See FCLI_REPO_CHANGES.md for detailed step-by-step instructions.
- Independent Testing: Docker images can be built/tested without waiting for fcli releases
- Faster Iteration: Dockerfile changes don't require modifying main fcli repo
- Cleaner Separation: Each repo has single, focused responsibility
- Better Organization: Docker-specific CI/CD separate from main fcli builds
- Easier Maintenance: Base image updates independent of fcli release cycle
- Published images maintain same Docker Hub location:
fortifydocker/fcli - Image tags follow same convention
- No breaking changes for existing users
- Executable paths updated to industry standards
- Easier to maintain and update in the future
- Better alignment with Docker best practices
- Manual Coordination Initially: Until fcli repository is updated, Docker builds must be triggered manually
- Separate Versioning: This repo doesn't have fcli source code, relies on GitHub releases
- No Automatic Testing: Cannot test fcli functionality changes before release
- Issues with Docker images: Open issue in this repository
- Issues with fcli itself: Open issue in fortify/fcli
- Migration questions: Refer to FCLI_REPO_CHANGES.md or ask maintainers
- ✅ Repository setup: COMPLETE
- ✅ Documentation: COMPLETE
- ✅ Testing: COMPLETE
- ✅ Security scan: COMPLETE
- ⏳ fcli repository migration: PENDING (see FCLI_REPO_CHANGES.md)
- ⏳ First production build: PENDING (after fcli repo updates)
- Main fcli repository: https://github.com/fortify/fcli
- Docker Hub images: https://hub.docker.com/r/fortifydocker/fcli
- GitHub Actions workflow:
.github/workflows/docker.yml - Migration guide:
FCLI_REPO_CHANGES.md - User documentation:
README.md