# 🛡️ Docker QA Toolbox

A specialized development environment for Docker image auditing, security scanning, and quality assurance.

## 🚀 Quick Start

```bash
cd output/toolbox-QADocker
./build.sh    # build the image with UID/GID matching your host
./run.sh up   # launch the toolbox-qadocker service in the background
docker exec -it tsysdevstack-toolboxstack-toolbox-qadocker zsh
```

Use `./run.sh down` to stop the container when you are finished.

## 🧰 Included Tools

### Security Scanning

- **Trivy** - Comprehensive vulnerability scanner for containers and code
- **ClamAV** - Antivirus scanner for file system analysis
- **Hadolint** - Dockerfile linter for best practices

### Docker Analysis

- **Dockerfilelint** - Node.js-based Dockerfile linter
- **Docker** - Docker CLI with access to host Docker daemon via socket
- **Docker Buildx** - Docker CLI plugin for extended build capabilities

### Development Tools

- **Git** - Version control system
- **Zsh** - Interactive shell with Oh My Zsh framework
- **Mise** - Runtime manager for language versions
- **Aqua** - CLI tool manager
- **YQ** - YAML/JSON processor
- **JQ** - JSON processor

## 📋 QA Workflows

### Security Scanning

```bash
# Scan a Docker image with Trivy (<image> is a placeholder for the image reference)
trivy image <image>

# Scan a Dockerfile with Hadolint
hadolint Dockerfile

# Scan a Dockerfile with dockerfilelint
dockerfilelint Dockerfile
```

### Image Analysis

```bash
# Analyze image layers and size (<image> is a placeholder for the image reference)
docker history <image>

# Extract image contents for analysis
docker save -o image.tar <image>
tar -xf image.tar
```

### Best Practices Validation

The toolbox includes tools to validate Docker best practices:

- Hadolint for Dockerfile best practices
- Trivy for security vulnerabilities
- Docker's own best practices recommendations

## ⚙️ Configuration

The toolbox is configured to:

- Run as a non-root user with host UID/GID mapping
- Access the host Docker daemon via socket mounting
- Include both Docker build and runtime analysis tools
- Follow security best practices (no sudo, minimal attack surface)

## 🔐 Security Features

- Non-root user execution with UID/GID mapping
- Sudo is removed from the final image
- Multi-stage build minimizing attack surface
- Regular security scanning capabilities

## 🤖 AI Agent

This toolbox is maintained by **ToolboxBot**, an AI agent focused on Docker QA tooling.

## 📄 License

See [LICENSE](../LICENSE) for full terms.
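
The Trivy and Hadolint scans listed under QA Workflows can also emit JSON (`trivy image --format json`, `hadolint --format json`), which lets a pipeline fail a build on blocking findings instead of relying on someone reading the report. The following is an added example, not part of the toolbox's own code: the function names, the severity thresholds and the embedded sample reports (including the `CVE-EXAMPLE-*` identifiers) are constructed for illustration.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
HADOLINT_RANK = {"style": 0, "info": 1, "warning": 2, "error": 3}

# Constructed sample shaped like `trivy image --format json <image>` output.
TRIVY_SAMPLE = json.dumps({"Results": [
    {"Target": "example:latest (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother",
         "InstalledVersion": "2.3", "Severity": "HIGH"},  # no fix released
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libminor",
         "InstalledVersion": "0.9", "FixedVersion": "0.10", "Severity": "LOW"}]},
    {"Target": "app/package-lock.json"},  # clean target: no Vulnerabilities key
]})

# Constructed sample shaped like `hadolint --format json Dockerfile` output,
# trimmed to the fields used below.
HADOLINT_SAMPLE = json.dumps([
    {"file": "Dockerfile", "line": 1, "level": "warning", "code": "DL3006"},
    {"file": "Dockerfile", "line": 9, "level": "info", "code": "DL3059"},
])

def trivy_blockers(report_json, min_severity="HIGH", fixable_only=False):
    """Return (target, id, package, severity) for findings at or above min_severity."""
    floor, hits = SEVERITY_RANK[min_severity], []
    for result in json.loads(report_json).get("Results") or []:
        for v in result.get("Vulnerabilities") or []:  # key is absent or null when clean
            if SEVERITY_RANK.get(v.get("Severity"), 4) < floor:  # unrecognised: fail closed
                continue
            if fixable_only and not v.get("FixedVersion"):
                continue
            hits.append((result.get("Target"), v.get("VulnerabilityID"),
                         v.get("PkgName"), v.get("Severity")))
    return hits

def hadolint_blockers(report_json, min_level="warning"):
    """Return (file, line, code) for lint findings at or above min_level."""
    floor = HADOLINT_RANK[min_level]
    return [(f.get("file"), f.get("line"), f.get("code")) for f in json.loads(report_json)
            if HADOLINT_RANK.get(f.get("level"), 3) >= floor]

def gate(trivy_json, hadolint_json, **trivy_opts):
    """CI exit code: 0 when nothing blocks, 1 otherwise."""
    return int(bool(trivy_blockers(trivy_json, **trivy_opts) or hadolint_blockers(hadolint_json)))

if __name__ == "__main__":
    raise SystemExit(gate(TRIVY_SAMPLE, HADOLINT_SAMPLE))
```

Passing `fixable_only=True` limits the gate to findings that already have a fixed package version, which is useful when the build cannot act on unpatched issues.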