# 🧰 TSYSDevStack QA Docker Toolbox

A minimal Docker image designed for auditing, verifying, and testing Docker images and container configurations.

---

## 🚀 Quick Start

1. **Build the toolbox**
   ```bash
   ./build.sh
   ```

2. **Start the toolbox**
   ```bash
   ./run.sh up
   ```

3. **Access the toolbox**
   ```bash
   docker exec -it tsysdevstack-toolboxstack-qadocker bash
   ```

4. **Stop the toolbox**
   ```bash
   ./run.sh down
   ```

---

## 🧱 Architecture

- **Base Image**: Ubuntu 24.04 (minimal base without extending from toolbox-base)
- **User**: Runs as non-root `toolbox` user (UID/GID mapped to host)
- **Workspace**: Mounts current directory to `/workspace` (read/write)
- **Tools**: Contains essential Docker auditing and security tools

---

## 🛠️ Included Tools

### Docker Auditing & Security

- **Docker CLI**: For Docker operations and container management
- **Hadolint**: Dockerfile linter for best practices and common errors
- **Dive**: Tool to explore Docker image layers and discover inefficiencies
- **Trivy**: Comprehensive security scanner for vulnerabilities
- **Grype**: Vulnerability scanner for container images
- **Docker Bench Security**: Tool for running CIS Docker benchmark tests

### Version Control & General Tools

- **Git**: For version control operations
- **Lazygit**: Terminal UI for Git
- **Curl/Wget**: For downloading resources
- **Yq**: Command-line YAML processor
- **Xh**: Friendly and fast tool for HTTP requests

---

## 📂 Project Layout

| Path | Purpose |
|------|---------|
| `Dockerfile` | Defines the minimal QA Docker image with auditing tools |
| `docker-compose.yml` | Service configuration for the QA toolbox |
| `build.sh` | Wrapper around `docker build` with host UID/GID mapping |
| `run.sh` | Helper to bring the service up/down |
| `aqua.yaml` | Configuration for aqua-managed CLI tools |
| `SEED` | Defines the toolbox's purpose and goals |
| `PROMPT` | LLM onboarding prompt for future contributors |

---

## 🤝 Collaboration Notes

- This is the ONLY image that does NOT extend from `toolbox-base` (used for bootstrap purposes)
- Designed for use by AI CLI agents when creating and verifying container images
- Contains tools for auditing Docker images (hadolint, dive, etc.)
- Meant to be rebuilt quickly and be easy to extend
- Follows best security practices for minimal attack surface
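
One way to chain the scanners listed under Included Tools into a single pass/fail gate from inside the toolbox. This is an added example, not one of the project's scripts; the function names, the `QA_REPORT_DIR` variable and the severity thresholds are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the project): gate a Dockerfile and its built image
# on the scanners shipped in the toolbox. Function names, QA_REPORT_DIR and the
# severity thresholds are assumptions chosen for illustration.

QA_REPORT_DIR="${QA_REPORT_DIR:-./qa-reports}"

# run_check NAME CMD...: run one scanner, keep its full output as a report,
# and print a one-line verdict. Returns 0 on pass, 1 on fail.
run_check() {
  check_name="$1"; shift
  if "$@" >"$QA_REPORT_DIR/$check_name.log" 2>&1; then
    echo "PASS  $check_name"
    return 0
  fi
  echo "FAIL  $check_name (see $QA_REPORT_DIR/$check_name.log)"
  return 1
}

# qa_audit DOCKERFILE IMAGE: run every check even if an earlier one fails,
# so one run reports all findings. Exit status = number of failed checks.
qa_audit() {
  dockerfile="$1"; image="$2"; failed=0
  mkdir -p "$QA_REPORT_DIR"
  # Dockerfile lint: hadolint exits non-zero when it reports findings.
  run_check hadolint hadolint "$dockerfile" || failed=$((failed + 1))
  # Vulnerability scans: fail only on HIGH severity or worse.
  run_check trivy trivy image --exit-code 1 --severity HIGH,CRITICAL "$image" || failed=$((failed + 1))
  run_check grype grype "$image" --fail-on high || failed=$((failed + 1))
  # Layer efficiency: dive's CI mode exits non-zero when its thresholds are missed.
  run_check dive dive "$image" --ci || failed=$((failed + 1))
  return "$failed"
}
```

Source the file and call `qa_audit Dockerfile <image:tag>` from `/workspace`; a non-zero exit status is the count of failed checks.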