herodevs · rlmestre · Aug 18, 2025 · Aug 15, 2025
@@ -1,6 +1,9 @@
 name: Manual Release
 run-name: Production Release ${{ github.ref_name }} (pushed by ${{ github.actor }})
 
+env:
+  IMAGE_NAME: ghcr.io/herodevs/eol-scan
+
 on:
   push:
     tags:
@@ -156,3 +159,54 @@ jobs:
         run: npm publish --tag ${{ needs.check-version.outputs.oclif_channel }} --provenance --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.HD_CLI_NPM_TOKEN }}
+
+  publish-images:
+    name: Publish Images
+    needs: [check-version, test]
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          dotnet: false
+          haskell: false
+          large-packages: false
+          docker-images: false
+          swap-storage: false
+
+      - name: Parse tag
+        run: echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: |
+            name=${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,format=long
+            type=raw,value=latest
+            type=raw,value=${{ env.VERSION }}
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/build-push-action@v6
+        with:
+          context: . 
+          file: ./ci/image.Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            VERSION=${{ needs.check-version.outputs.version }}
@@ -88,3 +88,5 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
@@ -30,7 +30,6 @@ The CLI is designed to be non-invasive:
 * It analyzes the project in its current state
 * If you need dependencies installed for accurate scanning, please install them manually before running the scan
 
-
 ## Usage
 <!-- usage -->
 ```sh-session
@@ -245,3 +244,12 @@ eol-scan:
     - echo # Prepare environment, install tooling, perform setup, etc.
     - npx @herodevs/cli@beta
 ```
+
+## Local Docker image scans
+
+The same pre-configured image can be pulled locally to scan in an optimized environment. Mount your code
+to `/app` or a specified working directory to perform the scan:
+
+```shell
+docker run -v "$PWD":/app ghcr.io/herodevs/eol-scan
+```
@@ -0,0 +1,15 @@
+#!/usr/bin/env sh
+set -eu
+
+SCAN_DIR="${GITHUB_WORKSPACE:-$PWD}"
+SCAN_DIR="$(cd "$SCAN_DIR" 2>/dev/null && pwd || echo "$SCAN_DIR")"
+
+# Verify the working dir (or GHA workspace) is a mount
+if ! grep -q " $SCAN_DIR " /proc/self/mountinfo 2>/dev/null; then
+  echo "No volume mounted to scan. To run with your project mounted:" >&2
+  echo "  docker run --rm -v \"\$PWD\":/app ghcr.io/herodevs/eol-scan [--flags]" >&2
+  exit 1
+fi
+
+cd "$SCAN_DIR"
+exec hd scan eol "$@"
@@ -1,6 +1,11 @@
 FROM ghcr.io/cyclonedx/cdxgen:v11.4.3
+ENV NODE_NO_WARNINGS=1 \
+    NPM_CONFIG_UPDATE_NOTIFIER=false \
+    NPM_CONFIG_LOGLEVEL=error
 WORKDIR /app
-COPY . .
-RUN npm config set update-notifier false && npm config set loglevel error
-ENV NODE_NO_WARNINGS=1
-ENTRYPOINT ["npm", "exec", "-y", "@herodevs/cli@beta", "--", "scan:eol"]
+ARG VERSION=beta
+USER root
+RUN npm install -g @herodevs/cli@${VERSION}
+COPY --chmod=755 ci/docker-entrypoint.sh /usr/local/bin/hd-entrypoint
+USER cyclonedx
+ENTRYPOINT ["hd-entrypoint"]