mitre · alilleybrinker · Sep 19, 2024 · Sep 19, 2024
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -15,5 +15,5 @@ jobs:
       - uses: docker/setup-buildx-action@v3
       - uses: docker/build-push-action@v5
         with:
-          file: Containerfile
+          file: dist/Containerfile
           push: false
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
@@ -42,7 +42,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: Containerfile
+          file: dist/Containerfile
           push: true
           platforms: "linux/amd64,linux/arm64"
           tags: mitre/hipcheck:latest,mitre/hipcheck:${{ steps.format-tag.outputs.replaced }}

diff --git a/Containerfile b/Containerfile
diff --git a/dist/Containerfile b/dist/Containerfile
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: Apache-2.0
+
+FROM node:bookworm-slim
+
+ARG HC_VERSION="3.6.3"
+
+WORKDIR /app
+
+RUN set -eux \
+    && apt-get update \
+    && apt-get install -y git curl \
+    && rm -rf /var/lib/apt/lists/* \
+    && adduser --disabled-password hc_user \
+    && chown -R hc_user /app \
+    && curl --proto '=https' --tlsv1.2 -LsSf https://github.com/mitre/hipcheck/releases/download/hipcheck-v${HC_VERSION}/hipcheck-installer.sh | sh
+
+USER hc_user
+COPY config/ config/
+ENV HC_CONFIG=./config
+ENTRYPOINT ["./hc"]
+CMD ["help"]
diff --git a/site/content/install/_index.md b/site/content/install/_index.md
@@ -179,7 +179,7 @@ download the repository contents from GitHub without the Git history.
 ```sh
 $ git clone https://github.com/mitre/hipcheck
 $ cd hipcheck
-$ docker build -f Containerfile .
+$ docker build -f dist/Containerfile .
 ```
 
 This will build the image, which you can then use normally.