tabledevil 8fe7a4312d Initial commit: chainsaw EVTX hunter
WithSecure Labs' chainsaw — fast Sigma-based EVTX hunter, complementary
to hayabusa/zircolite (different rule engine + format).

- ubuntu:24.04 base, multi-stage (fetcher + runtime).
- Pulls latest chainsaw release tarball from GitHub at build time
  (greps the API JSON because release notes contain control chars
  that break jq).
- Clones SigmaHQ rules at build (chainsaw v2 dropped bundled rules).
- start.sh: chainsaw hunt /data --csv --output (CSV is mutually
  exclusive with --json/--jsonl in v2.x; pick CSV for grep-ability).
- Output: /output/chainsaw_<ts>/{csv/, hunt.txt}.
- test_smoke.sh: fetch Yamato sample-evtx, scan, count detections.
- fetch-test-data.sh + .gitignore.

Validated end-to-end on amd64 Linux: 6/6 PASS, 3970 detections on
DeepBlueCLI subset.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 19:20:32 +02:00

Dockerfile (Docker, 49 lines, 1.7 KiB)

FROM ubuntu:24.04 AS fetcher
LABEL maintainer="tabledevil"
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        curl ca-certificates git \
    && rm -rf /var/lib/apt/lists/*

# Pull the latest chainsaw release (Linux amd64) and the SigmaHQ rules
# repo at build time. No version pin on the engine — image stays current.
# (Plain grep instead of jq because release notes contain control chars
# that break jq's JSON parser.)
RUN set -eux; \
    cd /tmp; \
    url=$(curl -sL https://api.github.com/repos/WithSecureLabs/chainsaw/releases/latest \
        | grep -oE 'https://[^"]*chainsaw_x86_64-unknown-linux-gnu\.tar\.gz' \
        | head -1); \
    echo "downloading $url"; \
    curl -sL "$url" -o chainsaw.tar.gz; \
    mkdir -p /opt/chainsaw; \
    tar -xzf chainsaw.tar.gz -C /opt/chainsaw --strip-components=1; \
    rm chainsaw.tar.gz; \
    ls /opt/chainsaw

# WithSecure dropped the bundled sigma rules in v2 — clone fresh from
# SigmaHQ each build so we have current detections.
RUN git clone --depth=1 https://github.com/SigmaHQ/sigma /opt/sigma

# Chainsaw also ships its own mapping/rule files in chainsaw/{mappings,rules}
# inside the tarball — those are already at /opt/chainsaw.

FROM ubuntu:24.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
    && apt-get install -y --no-install-recommends bash ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY --from=fetcher /opt/chainsaw /opt/chainsaw
COPY --from=fetcher /opt/sigma /opt/sigma
ENV PATH=/opt/chainsaw:$PATH
RUN mkdir -p /output && touch /output/notmounted && chmod +x /opt/chainsaw/chainsaw
ADD start.sh /root/start.sh
RUN chmod +x /root/start.sh
WORKDIR /data
CMD ["/bin/bash","/root/start.sh"]
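A start.sh matching what the Dockerfile and commit message describe (hunt /data with CSV output under /output/chainsaw_<ts>/{csv/,hunt.txt}), written here as an added example rather than the repository's own script. It assumes chainsaw's hunt subcommand accepts --sigma, --mapping and --rule, and that the tarball's mappings/ directory contains sigma-event-logs-all.yml; the /output/notmounted sentinel check reuses the file the Dockerfile creates at build time.

```shell
#!/usr/bin/env bash
# start.sh: hunt every EVTX under /data with chainsaw, keep CSV + console log.
set -euo pipefail
DATA_DIR="${DATA_DIR:-/data}"
OUTPUT_ROOT="${OUTPUT_ROOT:-/output}"
CHAINSAW_HOME="${CHAINSAW_HOME:-/opt/chainsaw}"
SIGMA_DIR="${SIGMA_DIR:-/opt/sigma}"
# Assumed mapping file name (chainsaw ships a mappings/ dir in its tarball).
MAPPING="${MAPPING:-$CHAINSAW_HOME/mappings/sigma-event-logs-all.yml}"
# The image touches /output/notmounted at build time: if that sentinel is still
# visible at run time, no volume was mounted and results die with the container.
check_output_mounted() {
    if [ -e "$1/notmounted" ]; then
        echo "ERROR: $1 is not a mounted volume (sentinel present)" >&2
        return 1
    fi
}

# One timestamped run directory per hunt: <root>/chainsaw_<ts>/{csv/,hunt.txt}
make_run_dir() {
    local dir="$1/chainsaw_$(date +%Y%m%d_%H%M%S)"
    mkdir -p "$dir/csv"
    printf '%s\n' "$dir"
}

# Sum detection rows over every CSV chainsaw wrote (one header line each).
count_detections() {
    local total=0 f
    for f in "$1"/csv/*.csv; do
        [ -s "$f" ] || continue
        total=$(( total + $(wc -l < "$f") - 1 ))
    done
    printf '%s\n' "$total"
}

run_hunt() {
    local run_dir
    check_output_mounted "$OUTPUT_ROOT"
    run_dir=$(make_run_dir "$OUTPUT_ROOT")
    # --csv is mutually exclusive with --json/--jsonl in chainsaw v2.x; the
    # --sigma/--mapping/--rule flags are assumed from chainsaw's hunt CLI.
    chainsaw hunt "$DATA_DIR" --sigma "$SIGMA_DIR" --mapping "$MAPPING" \
        --rule "$CHAINSAW_HOME/rules" --csv --output "$run_dir/csv" \
        2>&1 | tee "$run_dir/hunt.txt"
    echo "detections: $(count_detections "$run_dir")" | tee -a "$run_dir/hunt.txt"
    printf '%s\n' "$run_dir"
}
# Only auto-run when invoked as start.sh (the image's CMD); sourcing is inert.
if [ "${0##*/}" = "start.sh" ]; then run_hunt; fi
```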