# Batteries-included Obligo image: ships every external scanner tool
# the codebase/docker scanners can use, so `docker run` works against any
# project without installing pip-licenses/license-checker/syft on the host.
#
#   docker build -t obligo .
#   docker run --rm -v "$PWD:/scan" obligo scan codebase /scan -c /scan/context.yaml
#
# Docker-image scanning from inside the container needs the host daemon:
#   docker run --rm -v /var/run/docker.sock:/var/run/docker.sock obligo scan docker <image>
FROM python:3.12-slim

# nodejs+npm for license-checker (npm scans); curl/ca-certs for syft install.
RUN apt-get update \
    && apt-get install -y --no-install-recommends nodejs npm curl ca-certificates \
    && rm -rf /var/lib/apt/lists/* \
    && npm install -g license-checker \
    && curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

RUN pip install --no-cache-dir pip-licenses

COPY . /src
RUN pip install --no-cache-dir /src && rm -rf /src

ENTRYPOINT ["obligo"]
CMD ["--help"]
