Add GitHub Actions workflow and security improvements

- Add Docker publish workflow (triggers on version tags)
- Switch to Distroless base image for minimal attack surface
- Add --healthcheck flag for container health checks
- Inject version from git tag via ldflags

Author: RI-Kai

.github/workflows/docker-publish.yml

@@ -0,0 +1,61 @@
+name: Build and Publish Docker Image
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          # Remove 'v' prefix from tag (v1.0.11 -> 1.0.11)
+          VERSION=${GITHUB_REF_NAME#v}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Version: $VERSION"
+
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest
+            type=raw,value=${{ steps.version.outputs.version }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ steps.version.outputs.version }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Dockerfile

@@ -1,10 +1,13 @@
 # Build stage
-FROM golang:1.25-alpine AS builder
+FROM golang:1.23-alpine AS builder
 
 WORKDIR /build
 
+# Version is passed as build argument
+ARG VERSION=dev
+
 # Install build dependencies
-RUN apk add --no-cache git ca-certificates
+RUN apk add --no-cache git ca-certificates tzdata
 
 # Copy go mod files first for better caching
 COPY go.mod go.sum ./
@@ -13,52 +16,36 @@ RUN go mod download
 # Copy source code
 COPY . .
 
-# Build the binary
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o netflowmap ./cmd/netflowmap
+# Build the binary (static, stripped, with version injected)
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X main.version=${VERSION}" -o netflowmap ./cmd/netflowmap
 
-# Runtime stage
-FROM alpine:3.19
+# Runtime stage - Distroless for minimal attack surface
+FROM gcr.io/distroless/static-debian12:nonroot
 
 WORKDIR /app
 
-# Install runtime dependencies
-RUN apk add --no-cache ca-certificates tzdata
-
-# Create non-root user
-RUN adduser -D -u 1000 netflowmap
-
 # Copy binary from builder
 COPY --from=builder /build/netflowmap /app/netflowmap
 
 # Copy web assets
 COPY --from=builder /build/web /app/web
 
-# Copy example configs
-COPY --from=builder /build/configs /app/configs
-
-# Create data directory for GeoIP database
-RUN mkdir -p /app/data && chown -R netflowmap:netflowmap /app
-
-# Switch to non-root user
-USER netflowmap
+# Copy timezone data for proper time handling
+COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 
 # Expose ports
 # 8080 - HTTP Web UI
 # 2055 - NetFlow UDP
 EXPOSE 8080
 EXPOSE 2055/udp
 
-# Health check
+# Health check using built-in healthcheck command
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-    CMD wget -q --spider http://localhost:8080/api/health || exit 1
+    CMD ["/app/netflowmap", "--healthcheck"]
+
+# Run as non-root (distroless:nonroot runs as uid 65532)
+USER nonroot:nonroot
 
 # Run
 ENTRYPOINT ["/app/netflowmap"]
 CMD ["--config", "/app/config.yml"]
-
-
-
-
-
-
-

cmd/netflowmap/main.go

@@ -26,7 +26,8 @@ import (
 )
 
 var (
-	version    = "1.0.11"
+	// version is set via ldflags at build time: -ldflags="-X main.version=1.0.12"
+	version    = "dev"
 	configPath string
 )
 
@@ -35,13 +36,20 @@ func main() {
 	flag.StringVar(&configPath, "config", "config.yml", "Path to configuration file")
 	showVersion := flag.Bool("version", false, "Show version and exit")
 	hashPassword := flag.Bool("hash-password", false, "Generate a password hash for users.yml")
+	healthCheck := flag.Bool("healthcheck", false, "Run health check and exit")
 	flag.Parse()
 
 	if *showVersion {
 		fmt.Printf("NetFlowMap v%s\n", version)
 		os.Exit(0)
 	}
 
+	// Handle healthcheck command (for Docker HEALTHCHECK)
+	if *healthCheck {
+		runHealthCheck()
+		return
+	}
+
 	// Handle hash-password command
 	if *hashPassword {
 		runHashPassword()
@@ -363,6 +371,23 @@ func logStats(store *flowstore.Store, fgManager *fortigate.Manager, collector *n
 	)
 }
 
+// runHealthCheck performs a health check against the local server.
+func runHealthCheck() {
+	resp, err := http.Get("http://localhost:8080/api/health")
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Health check failed: %v\n", err)
+		os.Exit(1)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		fmt.Fprintf(os.Stderr, "Health check failed: status %d\n", resp.StatusCode)
+		os.Exit(1)
+	}
+
+	os.Exit(0)
+}
+
 // runHashPassword interactively generates a password hash.
 func runHashPassword() {
 	fmt.Println("Password Hash Generator")