Skip to content

getarcaneapp/tools

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
.depot/workflows
.depot/workflows
 
 
.github
.github
 
 
checksums
checksums
 
 
scripts
scripts
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
Justfile
Justfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.yaml
build.yaml
 
 

Repository files navigation

Arcane Toolbox Image

Minimal runtime toolbox image for Arcane volume browsing, security scans and other tools.

What this image contains

The final image is built FROM scratch and contains only:

  • trivy (installed at /usr/local/bin/trivy)
  • A statically linked BusyBox binary at /bin/busybox
  • A curated set of BusyBox applets exposed as standalone commands in /bin:
    • sh
    • sleep
    • find
    • gzip
    • stat
    • readlink
    • head
    • rm
    • mkdir
    • mv
    • rmdir
    • mktemp
    • tar
    • test
  • CA certificates bundle at /etc/ssl/certs/ca-certificates.crt
  • Writable runtime directories:
    • /tmp (mode 1777)
    • /root/.cache

Versions and provenance

Pinned versions, source URLs, and checksum verification details are tracked in checksums/manifest.md (generated from build.yaml by just prepare) alongside the per-binary checksum files in checksums/.

Trivy database mirror

This repo also mirrors the three Trivy OCI databases needed for Trivy self-hosting to ghcr.io/getarcaneapp on a 6-hour cron:

Database Mirror reference
Vulnerability DB ghcr.io/getarcaneapp/trivy-db:2
Java DB ghcr.io/getarcaneapp/trivy-java-db:1
Checks (misconfig) ghcr.io/getarcaneapp/trivy-checks:1

The mirror runs via .github/workflows/mirror-trivy-db.yaml and copies upstream OCI artifacts verbatim — the mirrored digest matches upstream exactly. Mirror entries are declared in build.yaml under mirrors:. Mirrored artifacts are signed with the same cosign key as ghcr.io/getarcaneapp/tools and have GitHub provenance attestations attached.

To point Trivy at the mirror:

trivy image \
  --db-repository            ghcr.io/getarcaneapp/trivy-db:2 \
  --java-db-repository       ghcr.io/getarcaneapp/trivy-java-db:1 \
  --checks-bundle-repository ghcr.io/getarcaneapp/trivy-checks:1 \
  <image>

Building

The build is driven by build.yaml (versions, target platforms, BusyBox config flags, applet symlinks) and orchestrated by a Justfile.

Prereqs:

  • just
  • yq v4+
  • docker with buildx

Common recipes:

just              # list recipes
just versions     # print resolved values from build.yaml
just prepare      # render dist/busybox.config and dist/applets.txt from YAML
just build        # build image for the local platform, load as arcane-toolbox:dev
just validate     # run runtime-contract checks against arcane-toolbox:ci
just clean        # remove dist/

To bump a pinned version, edit build.yaml and update the matching file in checksums/ (checksums/trivy.txt or checksums/busybox.sha256).

About

Docker Image for tools used by arcane

Resources

Readme

License

BSD-3-Clause license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Packages

 
 
 

Contributors

Languages