Goal
Publish an official OCI image so users can run darnit in CI without managing a Python toolchain on the runner.
Scope
- Multi-arch image (`linux/amd64`, `linux/arm64`) published to GHCR (`ghcr.io/kusari-oss/darnit`).
- Includes runtime deps users routinely need: `git`, `gh` CLI, tree-sitter grammars already bundled via pip.
- Tagged variants:
  - `:latest` — last stable release
  - `:vX.Y.Z` — pinned releases
  - `:edge` — main branch
- Signed with cosign (keyless / OIDC).
- SBOM attached as attestation.
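One way the Scope items above fit together in a single GitHub Actions workflow: a multi-arch buildx build pushed to GHCR, the three tag variants derived from the git ref, a keyless cosign signature on the image digest, and a syft-generated SPDX SBOM attached as a cosign attestation. This is an added example, not the project's own workflow; it assumes a `Dockerfile` at the repository root whose entrypoint is `darnit`, that releases are cut by pushing `vX.Y.Z` tags, and that `main` is the default branch. The action versions are the current major versions at the time of writing and should be pinned to commit SHAs before use.

```yaml
# Added example (not from the darnit repository): build, push, sign and attest the image.
name: publish-image

on:
  push:
    branches: [main]        # -> :edge
    tags: ['v*.*.*']        # -> :vX.Y.Z and :latest

permissions:
  contents: read
  packages: write           # push to GHCR
  id-token: write           # OIDC token for keyless cosign signing

env:
  IMAGE: ghcr.io/kusari-oss/darnit

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # QEMU + buildx are what make the linux/arm64 half of the manifest possible on an amd64 runner.
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tag policy from the issue: :vX.Y.Z and :latest on release tags, :edge on main.
      # latest=false stops metadata-action from adding :latest on its own.
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE }}
          flavor: latest=false
          tags: |
            type=semver,pattern=v{{version}}
            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
            type=edge,branch=main

      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - uses: sigstore/cosign-installer@v3
      - uses: anchore/sbom-action/download-syft@v0

      # Sign and attest by digest, not by tag: the digest is immutable and every tag
      # pushed above resolves to the same manifest list, so one signature covers all of them.
      - name: Sign image (keyless, OIDC)
        run: cosign sign --yes "${IMAGE}@${{ steps.build.outputs.digest }}"

      - name: Generate SBOM and attach it as an attestation
        run: |
          syft "${IMAGE}@${{ steps.build.outputs.digest }}" -o spdx-json=sbom.spdx.json
          cosign attest --yes \
            --type spdxjson \
            --predicate sbom.spdx.json \
            "${IMAGE}@${{ steps.build.outputs.digest }}"
```

Consumers then verify with `cosign verify` / `cosign verify-attestation --type spdxjson`, constraining `--certificate-identity-regexp` to this workflow's path in the `kusari-oss/darnit` repository and `--certificate-oidc-issuer` to `https://token.actions.githubusercontent.com`, so a signature minted by some other GitHub workflow does not pass.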
Decisions to make
- Base image: `python:3.12-slim` vs. distroless vs. `cgr.dev/chainguard/python`. Chainguard gives the best SBOM/vuln posture but is harder to extend; slim is simplest.
- Should the image bundle the `gh` CLI? Useful for most controls but adds size.
- Entry point: the `darnit-mcp` stdio MCP server, or the `darnit audit` CLI? Probably both, with `darnit` as the entry point and subcommands.
Acceptance
- `docker run --rm -v $PWD:/repo ghcr.io/kusari-oss/darnit:latest audit` works on a sample repo.
- `cosign download attestation`.