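# Copyright (c) StellaOps. All rights reserved.
# Licensed under BUSL-1.1.

# Ghidra Headless Analysis Server for BinaryIndex
#
# This image provides Ghidra headless analysis capabilities including:
# - Ghidra Headless Analyzer (analyzeHeadless)
# - ghidriff for automated binary diffing
# - Version Tracking and BSim support
#
# Build:
#   docker build -f Dockerfile.headless -t stellaops/ghidra-headless:11.2 .
#
# Build with archive verification (expected for production images):
#   docker build -f Dockerfile.headless \
#     --build-arg GHIDRA_SHA256=<sha256-of-the-release-zip> \
#     -t stellaops/ghidra-headless:11.2 .
#
# Run:
#   docker run --rm -v /path/to/binaries:/binaries stellaops/ghidra-headless:11.2 \
#     /projects GhidraProject -import /binaries/target.exe -analyze

# NOTE(review): the base image is referenced by tag only, so the content behind
# it can change between builds. For reproducible production builds, append the
# digest you have verified (eclipse-temurin:17-jdk-jammy@sha256:<digest>).
FROM eclipse-temurin:17-jdk-jammy

# Ghidra release coordinates. All three values together select one upstream
# archive; GHIDRA_SHA256 is the expected SHA-256 of that archive and has no
# default because it is specific to the version/build date chosen.
ARG GHIDRA_VERSION=11.2
ARG GHIDRA_BUILD_DATE=20241105
ARG GHIDRA_SHA256

LABEL org.opencontainers.image.title="StellaOps Ghidra Headless" \
      org.opencontainers.image.description="Ghidra headless analysis server with ghidriff for BinaryIndex" \
      org.opencontainers.image.version="${GHIDRA_VERSION}" \
      org.opencontainers.image.licenses="BUSL-1.1" \
      org.opencontainers.image.source="https://github.com/stellaops/stellaops" \
      org.opencontainers.image.vendor="StellaOps"

# Install dependencies (package list kept sorted; apt metadata is removed in
# the same layer so it never reaches the image).
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl \
        python3 \
        python3-pip \
        python3-venv \
        unzip \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Download and verify Ghidra.
# The archive is fetched over HTTPS, but transport security alone does not
# prove the file is the one that was reviewed. When GHIDRA_SHA256 is set, the
# build stops on a mismatch. When it is not set, the build still succeeds (so
# existing development builds keep working) but prints a warning to the build
# log; release pipelines should always pass the value and can grep for the
# warning to reject unverified images. Take the expected hash from the
# official release notes rather than computing it from the same download.
RUN curl -fsSL "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_${GHIDRA_VERSION}_build/ghidra_${GHIDRA_VERSION}_PUBLIC_${GHIDRA_BUILD_DATE}.zip" \
        -o /tmp/ghidra.zip \
    && if [ -n "${GHIDRA_SHA256}" ]; then \
        echo "${GHIDRA_SHA256}  /tmp/ghidra.zip" | sha256sum -c -; \
    else \
        echo "WARNING: GHIDRA_SHA256 is not set; the Ghidra archive was NOT integrity-checked" >&2; \
    fi \
    && unzip -q /tmp/ghidra.zip -d /opt \
    && rm /tmp/ghidra.zip \
    && ln -s "/opt/ghidra_${GHIDRA_VERSION}_PUBLIC" /opt/ghidra \
    && chmod +x /opt/ghidra/support/analyzeHeadless

# Install ghidriff in an isolated virtual environment.
# GHIDRIFF_VERSION is optional: when set, exactly that release is installed;
# when empty, pip resolves the newest release at build time (the previous
# behaviour). Pinning is recommended for production so that a rebuild cannot
# silently pick up a different package. Transitive dependencies are still
# resolved by pip; full pinning would need a hash-locked requirements file.
ARG GHIDRIFF_VERSION
RUN python3 -m venv /opt/venv \
    && /opt/venv/bin/pip install --no-cache-dir --upgrade pip \
    && /opt/venv/bin/pip install --no-cache-dir "ghidriff${GHIDRIFF_VERSION:+==${GHIDRIFF_VERSION}}"

# Set environment variables.
ENV GHIDRA_HOME=/opt/ghidra \
    GHIDRA_INSTALL_DIR=/opt/ghidra \
    JAVA_HOME=/opt/java/openjdk \
    MAXMEM=4G
# PATH is set in its own instruction: within a single ENV, ${GHIDRA_HOME}
# would be expanded from the value it had before that instruction.
ENV PATH="${GHIDRA_HOME}/support:/opt/venv/bin:${PATH}"

# Create the working directories and the unprivileged account that owns them.
# Only /projects, /scripts and /output are writable by the ghidra user; the
# Ghidra installation under /opt stays root-owned.
# NOTE(review): useradd -r does not create a home directory and lets the
# system pick the UID. Confirm that Ghidra/ghidriff do not need a writable
# $HOME, and consider a fixed numeric UID if the runtime enforces
# runAsNonRoot by number.
RUN mkdir -p /projects /scripts /output \
    && chmod 755 /projects /scripts /output \
    && groupadd -r ghidra \
    && useradd -r -g ghidra ghidra \
    && chown -R ghidra:ghidra /projects /scripts /output

WORKDIR /projects

# Healthcheck - runs the analyzeHeadless launcher with -help and reports
# unhealthy on a non-zero exit. Output is discarded.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD analyzeHeadless /tmp HealthCheck -help > /dev/null 2>&1 || exit 1

# Drop privileges: everything from here on, including the entrypoint, runs as
# the ghidra user.
USER ghidra

# Default entrypoint is analyzeHeadless; exec form so the process receives
# signals directly.
ENTRYPOINT ["analyzeHeadless"]
CMD ["--help"]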