Self-built Docker images from source. Trust but verify.

Instead of blindly trusting Docker Hub images, this repo builds images directly from upstream source code. Every build is:
- Auditable - You can inspect the Dockerfile and see exactly what's included
- Reproducible - Pinned versions and build args tracked in git
- Signed - Cryptographically signed with build provenance attestations
- Secure - Follows security best practices (see below)
- Current - Renovate auto-merges upstream updates

| Image | Description | Upstream |
|---|---|---|
| actual-mcp | MCP server for Actual Budget | s-stefanov/actual-mcp |
| autoshift | Automatic SHiFT code redemption for Borderlands | Fabbi/autoshift |
| envsubst | Environment variable substitution with defaults | a8m/envsubst |
| flareproxy | HTTP proxy adapter for FlareSolverr | mimnix/FlareProxy |
| hass-mcp | Home Assistant MCP server for Claude/LLMs (stdio) | voska/hass-mcp |
| hass-mcp-sse | Home Assistant MCP server with SSE transport (k8s) | voska/hass-mcp |
| lgogdownloader | Unofficial GOG.com downloader | Sude-/lgogdownloader |
| mcp-proxy | Bridge stdio MCP servers to SSE/HTTP transport | sparfenyuk/mcp-proxy |
| pod-reaper | Rule-based Kubernetes pod cleanup controller | target/pod-reaper |
| redlib | Private Reddit frontend | redlib-org/redlib (PR #509) |
| tailscale-hosts-sync | Sync Tailscale devices to hosts file for DNS | Original |

All images follow these security standards:

All container images are signed using GitHub's attest-build-provenance action. This provides cryptographic proof that images were built by this repository's CI pipeline.
Verify with GitHub CLI:

```shell
gh attestation verify --repo sharkusmanch/containers \
  oci://ghcr.io/sharkusmanch/containers/redlib:latest
```

Verify with cosign:

```shell
cosign verify-attestation \
  --type https://slsa.dev/provenance/v1 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp "^https://github.com/sharkusmanch/containers/.github/workflows/build.yml@refs/heads/main$" \
  ghcr.io/sharkusmanch/containers/redlib:latest
```

- Multi-stage builds - Build dependencies don't ship to runtime
- Pinned base images - Versions tracked, updated via Renovate
- Minimal final images - Alpine or distroless where possible
- No secrets in layers - Build args for config, not credentials
- Non-root user - Explicit UID/GID (10000:10000)
- No shell where possible - Reduces attack surface
- Health checks - Built-in liveness probes
- OCI labels - Source repo, commit SHA, build date (see below)

Recommended security context:

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 10000
  runAsGroup: 10000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
```

All images include OCI standard labels for traceability. These are recognized by container registries (GHCR, Docker Hub, Quay), security scanners, and tooling.

| Label | Purpose |
|---|---|
| org.opencontainers.image.created | Build timestamp |
| org.opencontainers.image.revision | Git commit SHA of this repo |
| org.opencontainers.image.version | Upstream version or commit |
| org.opencontainers.image.source | URL to this repo |
| org.opencontainers.image.upstream | URL to upstream source |
| org.opencontainers.image.title | Image name |
| org.opencontainers.image.description | Short description |
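The labels above are only useful for traceability if something actually checks them. The script below is an added example, not code from this repo: it takes the JSON that `docker inspect <image> --format '{{json .Config.Labels}}'` prints and reports labels that are missing, a `source` that does not point at this repo, a `revision` that is not a full git SHA, or a `created` value that is not a timestamp. The two sample label sets are constructed inline, with placeholder SHA and timestamp values, so it runs offline.

```python
"""Sanity-check the OCI labels of a pulled image against the label set
documented in this README.

Added example, not part of the sharkusmanch/containers repo. Input is the
JSON printed by `docker inspect <image> --format '{{json .Config.Labels}}'`;
the samples below are constructed with placeholder values.
"""
import json
import re
from datetime import datetime

# Every label in the README's table is treated as required.
REQUIRED_LABELS = (
    "org.opencontainers.image.created",
    "org.opencontainers.image.revision",
    "org.opencontainers.image.version",
    "org.opencontainers.image.source",
    "org.opencontainers.image.upstream",
    "org.opencontainers.image.title",
    "org.opencontainers.image.description",
)
EXPECTED_SOURCE = "https://github.com/sharkusmanch/containers"
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def check_labels(labels: dict) -> list:
    """Return a list of findings; an empty list means the labels look sane."""
    findings = []
    for key in REQUIRED_LABELS:
        if not labels.get(key):
            findings.append(f"missing label {key}")

    source = labels.get("org.opencontainers.image.source", "")
    if source and not source.startswith(EXPECTED_SOURCE):
        findings.append(f"source label points outside this repo: {source}")

    revision = labels.get("org.opencontainers.image.revision", "")
    if revision and not FULL_SHA.match(revision):
        findings.append(f"revision is not a full 40-hex git SHA: {revision}")

    created = labels.get("org.opencontainers.image.created", "")
    if created:
        try:
            # Accept the trailing 'Z' form as well as an explicit offset.
            datetime.fromisoformat(created.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"created is not an ISO 8601 timestamp: {created}")
    return findings


def check_inspect_output(raw: str) -> list:
    """Parse docker's label JSON (docker prints 'null' for unlabelled images)."""
    labels = json.loads(raw)
    if not labels:
        return ["image carries no labels at all"]
    return check_labels(labels)


# Constructed sample output: SHA and timestamp are placeholders, not a real build.
SAMPLE_GOOD = json.dumps({
    "org.opencontainers.image.created": "2024-01-01T00:00:00Z",
    "org.opencontainers.image.revision": "0123456789abcdef0123456789abcdef01234567",
    "org.opencontainers.image.version": "v1.2.3",
    "org.opencontainers.image.source": EXPECTED_SOURCE,
    "org.opencontainers.image.upstream": "https://github.com/redlib-org/redlib",
    "org.opencontainers.image.title": "redlib",
    "org.opencontainers.image.description": "Private Reddit frontend",
})

# Constructed bad output: no upstream label, foreign source, short SHA, bad date.
SAMPLE_BAD = json.dumps({
    "org.opencontainers.image.created": "yesterday",
    "org.opencontainers.image.revision": "abc123",
    "org.opencontainers.image.version": "v1.2.3",
    "org.opencontainers.image.source": "https://github.com/example/other-repo",
    "org.opencontainers.image.title": "redlib",
    "org.opencontainers.image.description": "Private Reddit frontend",
})

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_inspect_output(sample) or "OK")
```

In practice you would pipe the real `docker inspect` output into `check_inspect_output`; a non-empty result is a reason to stop and verify the attestation before running the image.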
Inspect labels with:

```shell
docker inspect ghcr.io/sharkusmanch/containers/redlib:latest \
  --format '{{json .Config.Labels}}' | jq
```

This repo:
- Renovate auto-merges base image updates and upstream version bumps
- Images pushed to `ghcr.io/sharkusmanch/containers/<name>:<tag>`
- Tags mirror upstream versions where possible, or use commit SHA for unmerged PRs

Your deployment:
- Pin to specific tags in your k8s manifests
- Use a separate Renovate config to control rollout
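The deployment guidance above (pin to a specific tag, apply the recommended security context) is easy to drift from across many manifests. The linter below is an added example, not code from this repo: given the dict that `yaml.safe_load()` would return for a Deployment, it flags containers whose image is untagged or tagged `latest` and any deviation from the recommended `securityContext`, taking into account that `runAsNonRoot`, `runAsUser` and `runAsGroup` may be inherited from the pod-level context. The two manifests are constructed inline (the `v1.2.3` tag is a placeholder) so the script runs offline.

```python
"""Lint a Deployment against this README's deployment guidance: pinned image
tags and the recommended container securityContext.

Added example, not part of the sharkusmanch/containers repo. Takes the dict
that yaml.safe_load() returns for a manifest; the manifests below are
constructed inline with a placeholder image tag.
"""
from typing import Optional, Tuple

# Recommended values from the README's securityContext snippet.
RECOMMENDED = {
    "runAsNonRoot": True,
    "runAsUser": 10000,
    "runAsGroup": 10000,
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
}
# Keys Kubernetes also accepts at pod level; containers inherit them unless overridden.
POD_LEVEL_KEYS = ("runAsNonRoot", "runAsUser", "runAsGroup")


def parse_image_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (name, tag, digest).

    A ':' after the last '/' introduces a tag; one before it is a registry
    port (localhost:5000/foo), which must not be mistaken for a tag.
    """
    name, _, digest = ref.partition("@")
    tag = None
    head, sep, tail = name.rpartition(":")
    if sep and "/" not in tail:
        name, tag = head, tail
    return name, tag, digest or None


def lint_container(container: dict, pod_sc: dict) -> list:
    """Findings for one container, given the pod-level securityContext."""
    findings = []
    cname = container.get("name", "<unnamed>")

    _, tag, digest = parse_image_ref(container["image"])
    if digest is None and (tag is None or tag == "latest"):
        findings.append(
            f"{cname}: image {container['image']!r} is not pinned; use a specific tag"
        )

    # Container-level values override inherited pod-level ones.
    effective = {k: v for k, v in pod_sc.items() if k in POD_LEVEL_KEYS}
    effective.update(container.get("securityContext") or {})
    for key, want in RECOMMENDED.items():
        got = effective.get(key)
        # Compare type too, so a bool is not accepted where an int is expected.
        if type(got) is not type(want) or got != want:
            findings.append(f"{cname}: securityContext.{key} should be {want!r}, got {got!r}")
    dropped = (effective.get("capabilities") or {}).get("drop") or []
    if "ALL" not in dropped:
        findings.append(f"{cname}: securityContext.capabilities.drop should include ALL")
    return findings


def lint_deployment(manifest: dict) -> list:
    """Lint every init container and container in a Deployment's pod template."""
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        findings.extend(lint_container(c, pod_sc))
    return findings


# Constructed manifest that follows the guidance (v1.2.3 is a placeholder tag).
GOOD = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10000, "runAsGroup": 10000},
        "containers": [{
            "name": "redlib",
            "image": "ghcr.io/sharkusmanch/containers/redlib:v1.2.3",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}

# Constructed manifest that does neither: floating tag, no securityContext at all.
BAD = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
        "name": "redlib",
        "image": "ghcr.io/sharkusmanch/containers/redlib:latest",
    }]}}},
}

if __name__ == "__main__":
    for label, manifest in (("good", GOOD), ("bad", BAD)):
        print(label, lint_deployment(manifest) or "OK")
```

Run it over each manifest before it is applied, or wire it into the same CI job that renders your Kustomize or Helm output; the pod-level merge matters because a manifest that sets `runAsUser` only at pod level is compliant even though the container block alone would look incomplete.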

To add a new image:

- Create `images/<name>/Dockerfile`
- Create `images/<name>/README.md` documenting upstream source and any modifications
- Add Renovate comments for version tracking
- Submit PR - workflow will build and push on merge

Build locally:

```shell
# Build a specific image
docker build -t myimage images/actual-mcp/

# Build with specific version
docker build --build-arg VERSION=v1.2.3 -t myimage images/actual-mcp/
```