Merge branch 'master' into main

Author: kalvinparker

.github/PULL_REQUEST_TEMPLATE/scan-checklist.md

@@ -0,0 +1,6 @@
+- [ ] CI build and Trivy scan passed
+- [ ] No CRITICAL or HIGH vulnerabilities reported in Trivy artifact (check `trivy-report.json`)
+- [ ] If vulnerabilities exist, describe mitigation plan in PR body (package bump, patch, or suppression rationale)
+- [ ] Tag security owner for review if findings are non-trivial
+
+Note: The workflow uploads `trivy-report.json` as an artifact on each run. Use that JSON for automated parsing or manual triage.

.github/workflows/docker-build-scan-publish.yml

@@ -41,10 +41,18 @@ jobs:
         uses: aquasecurity/trivy-action@v2
         with:
           image-ref: secure-gemini-cli:latest
-          format: table
+          format: json
+          output: trivy-report.json
           severity: CRITICAL,HIGH
           exit-code: '1'
 
+      - name: Upload Trivy JSON report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-report.json
+
   release-publish:
     name: Release: build, scan and publish
     runs-on: ubuntu-latest
@@ -73,10 +81,18 @@ jobs:
         uses: aquasecurity/trivy-action@v2
         with:
           image-ref: secure-gemini-cli:latest
-          format: table
+          format: json
+          output: trivy-report.json
           severity: CRITICAL,HIGH
           exit-code: '1'
 
+      - name: Upload Trivy JSON report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-report.json
+
       - name: Login to GHCR
         uses: docker/login-action@v2
         with:

.github/workflows/docker-build-scan.yml

@@ -31,6 +31,14 @@ jobs:
         uses: aquasecurity/trivy-action@v2
         with:
           image-ref: secure-gemini-cli:latest
-          format: table
+          format: json
+          output: trivy-report.json
           severity: CRITICAL,HIGH
           exit-code: '1'
+
+      - name: Upload Trivy JSON report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-report.json

.github/workflows/release.yml

@@ -0,0 +1,66 @@
+# .github/workflows/release.yml
+
+name: Secure Release Publisher
+
+# This workflow is triggered ONLY when a new release is created in the GitHub UI.
+# This provides a manual gate for production releases.
+on:
+  release:
+    types: [created]
+
+# CRITICAL: Define the permissions for the job.
+# This enforces the Principle of Least Privilege. The GITHUB_TOKEN will have ONLY these permissions.
+permissions:
+  contents: read      # Required to check out the repository's code.
+  packages: write    # Required to publish packages (Docker images) to GHCR.
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    steps:
+      # 1. Check out the repository code
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # 2. Log in to the Container Registry
+      # --- CHOOSE ONE OF THE FOLLOWING TWO OPTIONS ---
+
+      # OPTION A: Log in to GitHub Container Registry (GHCR)
+      # This is the most secure and integrated method if using GHCR.
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }} # Use the auto-generated, scoped token
+
+      # OPTION B: Log in to Docker Hub
+      # Uncomment this step if you are using Docker Hub.
+      # - name: Log in to Docker Hub
+      #   uses: docker/login-action@v3
+      #   with:
+      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
+      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # 3. Generate metadata for the Docker image (tags, labels)
+      # This action creates tags based on the Git release version (e.g., v1.0.0)
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            # For GHCR, format is ghcr.io/OWNER/REPO_NAME
+            ghcr.io/${{ github.repository }}
+            # For Docker Hub, format is USERNAME/REPO_NAME
+            # kalvinparker/secure-gemini
+
+      # 4. Build and Push the Docker Image
+      # This step re-uses our approved, secure Dockerfile. It will run 'npm audit' as a security gate.
+      # If the audit fails, this step will fail, and the insecure image will not be published.
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -21,3 +21,4 @@ RUN npm audit
 
 # Set the final entrypoint for the CLI
 ENTRYPOINT ["npx", "gemini"]
+

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 kalvinparker
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -14,9 +14,6 @@ This repository contains a minimal, security-conscious Docker image for running
 ```markdown
 # secure-gemini
 
-![CI](https://img.shields.io/badge/CI-GitHub%20Actions-blue)
-![Trivy](https://img.shields.io/badge/Trivy-Scan%20Saved-brightgreen)
-
 This repository contains a minimal, security-conscious Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:22-alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate.
 
 ## What is included
@@ -60,7 +57,7 @@ If `npm audit` fails during the Docker build (it may, depending on transient vul
 RUN npm audit --audit-level=moderate || true
 ```
 
-We recommend addressing audit findings before publishing the image.
+I recommend addressing audit findings before publishing the image.
 
 ## Run