FullStackS-GmbH
diff --git a/‎.github/workflows/docker-build.yml‎
Lines changed: 22 additions & 4 deletions b/‎.github/workflows/docker-build.yml‎
Lines changed: 22 additions & 4 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 16 additions & 18 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 16 additions & 18 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 5 additions & 5 deletions b/‎CONTRIBUTING.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎Dockerfile‎
Lines changed: 0 additions & 52 deletions b/‎Dockerfile‎
Lines changed: 0 additions & 52 deletions
diff --git a/‎docker/Dockerfile‎
Lines changed: 37 additions & 0 deletions b/‎docker/Dockerfile‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎docker/cnspec.Dockerfile‎
Lines changed: 9 additions & 0 deletions b/‎docker/cnspec.Dockerfile‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎docker/snyk.Dockerfile‎
Lines changed: 10 additions & 0 deletions b/‎docker/snyk.Dockerfile‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎flake.lock‎
Lines changed: 3 additions & 3 deletions b/‎flake.lock‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎flake.nix‎
Lines changed: 11 additions & 4 deletions b/‎flake.nix‎
Lines changed: 11 additions & 4 deletions
@@ -30,10 +30,28 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build Docker image
+      - name: Build & Push Vanilla Docker image
         run: |
-          docker build -t ghcr.io/${{ steps.repo.outputs.repo }}:${GITHUB_REF_NAME} .
+          docker build \
+            -f docker/Dockerfile \
+            -t ghcr.io/${{ steps.repo.outputs.repo }}:${GITHUB_REF_NAME} \
+            -t ghcr.io/${{ steps.repo.outputs.repo }}:latest \
+            .
 
-      - name: Push Docker image
+          docker push ghcr.io/${{ steps.repo.outputs.repo }} --all-tags
+
+      - name: Build & Push Scanner specific Docker image
         run: |
-          docker push ghcr.io/${{ steps.repo.outputs.repo }}:${GITHUB_REF_NAME}
+          docker build \
+            -f docker/cnspec.Dockerfile \
+            -t ghcr.io/${{ steps.repo.outputs.repo }}:${GITHUB_REF_NAME}-cnspec \
+            -t ghcr.io/${{ steps.repo.outputs.repo }}:latest-cnspec \
+            .
+
+          docker build \
+            -f docker/snyk.Dockerfile \
+            -t ghcr.io/${{ steps.repo.outputs.repo }}:${GITHUB_REF_NAME}-snyk \
+            -t ghcr.io/${{ steps.repo.outputs.repo }}:latest-snyk \
+            .
+
+          docker push ghcr.io/${{ steps.repo.outputs.repo }} --all-tags
@@ -2,15 +2,15 @@
 repos:
   # overall file checks
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v6.0.0
     hooks:
       - id: check-yaml
         args:
           - --allow-multiple-documents
       - id: end-of-file-fixer
       - id: trailing-whitespace
       - id: check-added-large-files
-      - id: check-byte-order-marker
+      - id: fix-byte-order-marker
       - id: check-executables-have-shebangs
       - id: check-json
       - id: check-merge-conflict
@@ -26,10 +26,12 @@ repos:
         exclude: |
           (?x)(
               ^creds/|
+              ^docs/|
               ^README.md
           )
       - id: name-tests-test
-        args: [--pytest-test-first]
+        args: [ --pytest-test-first ]
+
   # commit-message & author
   # https://jorisroovers.com/gitlint/
   - repo: https://github.com/jorisroovers/gitlint
@@ -44,32 +46,28 @@ repos:
           - -cgeneral.staged=true
           - -ctitle-max-length.line-length=80
           - '-ctitle-match-regex.regex=^(feat|fix|try|maintain)!?(\(.*\))?:.+|^Merge branch.*'
-          - "-cauthor-valid-email.regex=[^@]+@fullstacks.eu"
           - --msg-filename
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.12.4
+    rev: v0.14.4
     hooks:
       - id: ruff
-        args: [--fix]
+        args: [ --fix ]
       - id: ruff-format
 
-  - repo: local
+  # uv: Ensure lockfile consistency
+  - repo: https://github.com/astral-sh/uv-pre-commit
+    # uv version.
+    rev: 0.9.8
     hooks:
-      - id: pytest
-        name: pytest
-        entry: .venv/bin/pytest
-        language: script
-        types: [ python ]
-        pass_filenames: false
-        always_run: true
+      - id: uv-lock
 
   - repo: local
     hooks:
-      - id: pylint
-        name: pylint
-        entry: .venv/bin/pylint src/
-        language: script
+      - id: pytest
+        name: Run Pytest - 'uv run pytest'
+        entry: uv run pytest
+        language: system
         types: [ python ]
         pass_filenames: false
         always_run: true
@@ -29,24 +29,24 @@ We aim to foster an inclusive and welcoming community.
 
 ### Prerequisites
 
-- Python 3.10 or higher
+- Python 3.12 or higher
 - Docker (for testing container functionality)
 - Git
+- [uv](https://github.com/astral-sh/uv) - A fast Python package installer and resolver
+
 
 ### Setting Up Your Environment
 
 1. Create a virtual environment:
 
 ``` bash
-   python -m venv .venv
-   source .venv/bin/activate
+   uv venv
 ```
 
 1. Install development dependencies:
 
 ``` bash
-   pip install -r requirements.txt
-   pip install -r requirements-dev.txt
+   uv sync --frozen
 ```
 
 ## Coding Standards
 
@@ -0,0 +1,37 @@
+ARG BASE_IMAGE_REGISTRY="library"
+ARG BASE_IMAGE_REPOSITORY="python"
+ARG BASE_IMAGE_TAG="3.12-alpine3.22"
+FROM ${BASE_IMAGE_REGISTRY}/${BASE_IMAGE_REPOSITORY}:${BASE_IMAGE_TAG}
+
+ARG APP_COMMIT_SHA=""
+ARG APP_VERSION=""
+ENV APP_COMMIT_SHA=$APP_COMMIT_SHA
+ENV APP_VERSION=$APP_VERSION
+
+# install uv
+COPY --from=docker.io/astral/uv@sha256:e4644cb5bd56fdc2c5ea3ee0525d9d21eed1603bccd6a21f887a938be7e85be1 /uv /uvx /bin/
+
+# Install packages and CNSpec
+RUN apk update && \
+    apk add --no-cache \
+    git
+
+# Create a non-root user and group
+RUN addgroup -S airgapper && adduser -S airgapper -G airgapper
+
+USER airgapper
+
+# Set working directory
+WORKDIR /home/airgapper
+
+# Copy requirements first to leverage Docker cache
+COPY pyproject.toml uv.lock ./
+
+# Install dependencies
+RUN uv sync --frozen # --no-dev
+
+# Copy all local packages and files
+COPY src/ .
+
+# Specify the command to run the app
+ENTRYPOINT ["uv", "run", "python", "main.py"]
@@ -0,0 +1,9 @@
+ARG CNSPEC_VERSION="12.0.0"
+ARG BASE_IMAGE_REGISTRY="ghcr.io"
+ARG BASE_IMAGE_REPOSITORY="fullstacks-gmbh/universal-airgapper"
+ARG BASE_IMAGE_TAG="latest"
+FROM mondoo/cnspec:${CNSPEC_VERSION}-rootless AS cnspec
+
+FROM ${BASE_IMAGE_REGISTRY}/${BASE_IMAGE_REPOSITORY}:${BASE_IMAGE_TAG}
+
+COPY --from=cnspec /usr/local/bin/cnspec /usr/local/bin/cnspec
@@ -0,0 +1,10 @@
+# snyk/snyk:alpine as of 9/15/2025
+ARG SNYK_VERSION="sha256:169b3545c8305d311d9756e3b60ce16de7ce35c92d90273def868c79f7a62fad"
+ARG BASE_IMAGE_REGISTRY="ghcr.io"
+ARG BASE_IMAGE_REPOSITORY="fullstacks-gmbh/universal-airgapper"
+ARG BASE_IMAGE_TAG="latest"
+FROM snyk/snyk@${SNYK_VERSION} AS snyk
+
+FROM ${BASE_IMAGE_REGISTRY}/${BASE_IMAGE_REPOSITORY}:${BASE_IMAGE_TAG}
+
+COPY --from=snyk /usr/local/bin/snyk /usr/local/bin/snyk
@@ -1,16 +1,23 @@
 {
-  description = "Airgapper dev environment";
+  description = "FULLSTACKS Universal Airgapper Dev Env";
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = { self, nixpkgs, flake-utils, ... }:
-    flake-utils.lib.eachDefaultSystem (system:
+  outputs =
+    {
+      nixpkgs,
+      flake-utils,
+      ...
+    }:
+    flake-utils.lib.eachDefaultSystem (
+      system:
       let
         pkgs = import nixpkgs { inherit system; };
-      in {
+      in
+      {
         devShell = pkgs.mkShell {
           buildInputs = [
             pkgs.python312