save progress

devops/docker/ghidra/Dockerfile.headless

@@ -0,0 +1,84 @@
+# Copyright (c) StellaOps. All rights reserved.
+# Licensed under AGPL-3.0-or-later.
+
+# Ghidra Headless Analysis Server for BinaryIndex
+#
+# This image provides Ghidra headless analysis capabilities including:
+# - Ghidra Headless Analyzer (analyzeHeadless)
+# - ghidriff for automated binary diffing
+# - Version Tracking and BSim support
+#
+# Build:
+#   docker build -f Dockerfile.headless -t stellaops/ghidra-headless:11.2 .
+#
+# Run:
+#   docker run --rm -v /path/to/binaries:/binaries stellaops/ghidra-headless:11.2 \
+#     /projects GhidraProject -import /binaries/target.exe -analyze
+
+FROM eclipse-temurin:17-jdk-jammy
+
+ARG GHIDRA_VERSION=11.2
+ARG GHIDRA_BUILD_DATE=20241105
+ARG GHIDRA_SHA256
+
+LABEL org.opencontainers.image.title="StellaOps Ghidra Headless"
+LABEL org.opencontainers.image.description="Ghidra headless analysis server with ghidriff for BinaryIndex"
+LABEL org.opencontainers.image.version="${GHIDRA_VERSION}"
+LABEL org.opencontainers.image.licenses="AGPL-3.0-or-later"
+LABEL org.opencontainers.image.source="https://github.com/stellaops/stellaops"
+LABEL org.opencontainers.image.vendor="StellaOps"
+
+# Install dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3 \
+    python3-pip \
+    python3-venv \
+    curl \
+    unzip \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download and verify Ghidra
+# Note: Set GHIDRA_SHA256 build arg for production builds
+RUN curl -fsSL "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_${GHIDRA_VERSION}_build/ghidra_${GHIDRA_VERSION}_PUBLIC_${GHIDRA_BUILD_DATE}.zip" \
+    -o /tmp/ghidra.zip \
+    && if [ -n "${GHIDRA_SHA256}" ]; then \
+        echo "${GHIDRA_SHA256}  /tmp/ghidra.zip" | sha256sum -c -; \
+    fi \
+    && unzip -q /tmp/ghidra.zip -d /opt \
+    && rm /tmp/ghidra.zip \
+    && ln -s /opt/ghidra_${GHIDRA_VERSION}_PUBLIC /opt/ghidra \
+    && chmod +x /opt/ghidra/support/analyzeHeadless
+
+# Install ghidriff in isolated virtual environment
+RUN python3 -m venv /opt/venv \
+    && /opt/venv/bin/pip install --no-cache-dir --upgrade pip \
+    && /opt/venv/bin/pip install --no-cache-dir ghidriff
+
+# Set environment variables
+ENV GHIDRA_HOME=/opt/ghidra
+ENV GHIDRA_INSTALL_DIR=/opt/ghidra
+ENV JAVA_HOME=/opt/java/openjdk
+ENV PATH="${GHIDRA_HOME}/support:/opt/venv/bin:${PATH}"
+ENV MAXMEM=4G
+
+# Create working directories with proper permissions
+RUN mkdir -p /projects /scripts /output \
+    && chmod 755 /projects /scripts /output
+
+# Create non-root user for security
+RUN groupadd -r ghidra && useradd -r -g ghidra ghidra \
+    && chown -R ghidra:ghidra /projects /scripts /output
+
+WORKDIR /projects
+
+# Healthcheck - verify Ghidra is functional
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD analyzeHeadless /tmp HealthCheck -help > /dev/null 2>&1 || exit 1
+
+# Switch to non-root user
+USER ghidra
+
+# Default entrypoint is analyzeHeadless
+ENTRYPOINT ["analyzeHeadless"]
+CMD ["--help"]