Docker & Chainguard

A comprehensive guide to containerization and secure image practices for ShieldCraft AI. This document is standardized for Docusaurus display and clarity, and aligns with MLOps and cloud-native best practices.


Overview

ShieldCraft AI uses a modern, multi-stage Docker build process for all core services (main, api, ingestion), leveraging Chainguard Python images for a minimal attack surface and zero known CVEs. This ensures secure, reproducible, and environment-specific containers for development, staging, and production. All images are built and published using GitHub Actions CI/CD pipelines, with automated vulnerability scanning via Trivy and Dependabot.


Build Stages & Process

  • Base Image: Start from Chainguard Python for security and compliance.
  • Dependency Install: Use Poetry for Python dependency management, ensuring reproducible builds.
  • Source Copy: Copy only required source files and assets to minimize image size and attack surface.
  • Build/Compile: Compile assets, run tests (pytest), and validate environment.
  • Final Image: Use multi-stage builds to produce a minimal, production-ready image.
  • Tagging & Publishing: Tag images by environment (dev, staging, prod) and publish to Amazon ECR or Docker Hub.
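
The stages above, sketched as one multi-stage Dockerfile. This is an added example, not ShieldCraft AI's own build file: the `src/` and `tests/` layout, the stage names, the `/app/.poetry` location and the `shieldcraft_api` module name are assumptions, and pytest is assumed to be a Poetry dev dependency.

```dockerfile
# Added example: paths, stage names and module name are assumptions.
# Pin both base images by digest in real builds so rebuilds are reproducible.

# ---- builder: has pip and a shell, never shipped ----
FROM cgr.dev/chainguard/python:latest-dev AS builder
WORKDIR /app
ENV POETRY_VIRTUALENVS_IN_PROJECT=true \
    POETRY_NO_INTERACTION=1
# Keep Poetry in its own venv so the tool itself is not copied into the runtime image.
RUN python -m venv /app/.poetry \
 && /app/.poetry/bin/pip install --no-cache-dir poetry
# Copy only the dependency manifests first so this layer caches across source edits.
COPY pyproject.toml poetry.lock ./
# Runtime dependencies only, resolved from the lock file into /app/.venv.
RUN /app/.poetry/bin/poetry install --only main --no-root

# ---- test: adds dev dependencies; the build fails if pytest fails ----
FROM builder AS test
ENV PYTHONPATH=/app/src
RUN /app/.poetry/bin/poetry install --no-root
COPY src/ ./src/
COPY tests/ ./tests/
RUN /app/.venv/bin/python -m pytest tests

# ---- final: no shell, no package manager, runs as the image's nonroot user ----
FROM cgr.dev/chainguard/python:latest AS final
WORKDIR /app
# Only the resolved runtime venv and the source tree reach the shipped image.
COPY --from=builder /app/.venv /app/.venv
COPY src/ ./src/
ENV PATH="/app/.venv/bin:$PATH" \
    PYTHONPATH=/app/src
# Hypothetical entry module; replace with the service's real one.
ENTRYPOINT ["python", "-m", "shieldcraft_api"]
```

Build the `test` stage explicitly in CI (`docker build --target test .`) before building the default final stage, because BuildKit skips stages that the requested target does not depend on.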

Orchestration & CI

  • Local Development: Use Docker Compose for multi-service orchestration and local testing.
  • Cloud Deployment: Deploy containers to Amazon ECS or EKS for scalable, managed orchestration.
  • CI/CD: Automate builds, tests, and deployments with GitHub Actions. Integrate security scans and image signing for supply chain integrity.

Security & Best Practices

  • Use minimal base images (Chainguard) to reduce vulnerabilities.
  • Scan images for CVEs with Trivy and Dependabot.
  • Store secrets securely using AWS Secrets Manager and avoid hardcoding credentials.
  • Enable image signing and provenance tracking for compliance.
  • Regularly update dependencies and base images to patch vulnerabilities.
  • Use IAM roles for least-privilege access in cloud deployments.

Quick Reference


Further Reading