# Docker
ARGUS ships as a hardened multi-arch image based on Chainguard static —
distroless, minimal CVE surface, runs as non-root, signed + attested.
## Pull
Or pin to a specific version:
## Run a scan

### Service principal

```bash
docker run --rm \
  -e AZURE_CLIENT_ID=$AZURE_CLIENT_ID \
  -e AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET \
  -e AZURE_TENANT_ID=$AZURE_TENANT_ID \
  -v "$(pwd)/argus-output":/out \
  ghcr.io/vatsayanvivek/argus:latest \
  scan --out /out
```
### IaC-only scan (no Azure credentials required)

```bash
docker run --rm \
  -v "$(pwd)":/iac:ro \
  -v "$(pwd)/argus-output":/out \
  ghcr.io/vatsayanvivek/argus:latest \
  scan --iac-only --iac-path /iac --out /out
```
## Verify the image
Every image is signed with cosign via GitHub OIDC, attested with SLSA build provenance, and shipped with a Syft-generated SPDX SBOM.
```bash
# Verify the signature
cosign verify ghcr.io/vatsayanvivek/argus:latest \
  --certificate-identity-regexp "https://github.com/vatsayanvivek/argus/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

# Download the SBOM
cosign download sbom ghcr.io/vatsayanvivek/argus:latest > argus-sbom.spdx.json

# Download attestations
cosign download attestation ghcr.io/vatsayanvivek/argus:latest
```
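Once the SBOM and attestations are on disk, a consumer normally wants to look inside them rather than just file them away: confirm the provenance statement actually refers to the image digest that was pulled and names the expected builder, and list what the SBOM says is in the image. The following is an added example, not code from the ARGUS project. It parses the DSSE envelope format that `cosign download attestation` emits (an in-toto Statement, base64-encoded in the `payload` field) and an SPDX 2.x JSON SBOM of the kind Syft produces. The sample envelope, digest, builder id and package list are constructed placeholders; the expected builder prefix is an assumption derived from the certificate-identity regexp shown above, and it may need adjusting to whatever builder id the real attestation carries. Cryptographic verification of the envelope signatures is left to `cosign verify-attestation`; this code only performs the structural checks.

```python
"""Offline structural checks on cosign-downloaded attestation and SBOM files.

Added example, not part of ARGUS. Assumes the SLSA v0.2 / v1 predicate
layouts and SPDX 2.x JSON; all sample data below is constructed.
"""
import base64
import json

# Assumption: builder ids for this image start with the repo URL used in the
# cosign --certificate-identity-regexp on the page.
EXPECTED_BUILDER_PREFIX = "https://github.com/vatsayanvivek/argus/"
SLSA_PROVENANCE_TYPES = {
    "https://slsa.dev/provenance/v0.2",
    "https://slsa.dev/provenance/v1",
}


def _builder_id(statement):
    """Builder id lives at a different path in SLSA v0.2 and v1 predicates."""
    pred = statement.get("predicate", {})
    if "runDetails" in pred:  # SLSA v1
        return pred["runDetails"].get("builder", {}).get("id", "")
    return pred.get("builder", {}).get("id", "")  # SLSA v0.2


def check_provenance(envelope_json, expected_digest, builder_prefix=EXPECTED_BUILDER_PREFIX):
    """Return (ok, reason) for one DSSE envelope line from `cosign download attestation`.

    ok is True only if the envelope carries a SLSA provenance statement whose
    subject includes the sha256 digest we pulled and whose builder id starts
    with builder_prefix. Signatures are not verified here (use cosign for that).
    """
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        return False, "payloadType is not application/vnd.in-toto+json"
    if not env.get("signatures"):
        return False, "envelope carries no signatures"
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") not in SLSA_PROVENANCE_TYPES:
        return False, f"unexpected predicateType {stmt.get('predicateType')!r}"
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if expected_digest not in digests:
        return False, "subject digest does not match the pulled image digest"
    builder = _builder_id(stmt)
    if not builder.startswith(builder_prefix):
        return False, f"unexpected builder id {builder!r}"
    return True, "ok"


def sbom_packages(spdx_json):
    """Map package name -> version from an SPDX 2.x JSON document."""
    doc = json.loads(spdx_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2"):
        raise ValueError("not an SPDX 2.x document")
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


# --- constructed sample inputs (placeholders, not real ARGUS artefacts) ---
SAMPLE_DIGEST = "0" * 64  # placeholder sha256; use `docker inspect` output for real checks
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "ghcr.io/vatsayanvivek/argus", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {"builder": {"id": EXPECTED_BUILDER_PREFIX + ".github/workflows/PLACEHOLDER.yml@refs/heads/main"}},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],
})
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "ghcr.io/vatsayanvivek/argus",
    "packages": [
        {"name": "argus", "versionInfo": "0.0.0-placeholder"},
        {"name": "ca-certificates", "versionInfo": "placeholder"},
    ],
})

if __name__ == "__main__":
    print(check_provenance(SAMPLE_ENVELOPE, SAMPLE_DIGEST))
    print(check_provenance(SAMPLE_ENVELOPE, "f" * 64))  # wrong digest -> rejected
    print(sbom_packages(SAMPLE_SBOM))
```

In practice, feed `check_provenance` each line of the file written by `cosign download attestation` (it emits one DSSE envelope per line) together with the digest from `docker inspect --format '{{index .RepoDigests 0}}'`, and diff the `sbom_packages` output across releases to spot unexpected additions to the image.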
## Multi-arch
Images are published for linux/amd64 and linux/arm64 via native runners
(no QEMU emulation). Docker picks the right one automatically.
## What's NOT in the image

By design. Chainguard static is the base, which contains:

- ARGUS binary
- CA certificates
- `/etc/passwd` entry for `nonroot` (uid 65532)
And nothing else. No shell. No package manager. No writable filesystem outside /tmp.
If you need to debug, use `docker run --entrypoint /argus ... --help` or inspect
locally — you cannot `docker exec` into a shell because there isn't one.
This is deliberate. Attackers who compromise the container have no tools to pivot with.
## Image size
Roughly 20–25 MB (platform-dependent). That's the entire ARGUS binary + the minimal Chainguard base. For comparison, most Python-based scanners ship at 300 MB+.