Pin Alpine 3.23, single base for builder + runtime, add smoke test

- Both stages on alpine:3.23 (was python:3-alpine + alpine:latest).
  Major.minor pin gives security patches without breaking on rebase.
- fangfrisch installed in /opt/fangfrisch venv (PEP 668 blocks
  system pip on modern Alpine).
- Drop deprecated MAINTAINER instruction in favour of LABEL.
- test_smoke.sh: image present + version + sig count + EICAR.
  Validated end-to-end on amd64 Linux: ClamAV 1.4.4, 3.85M sigs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -1,20 +1,22 @@
-FROM python:3-alpine as builder
-RUN apk add -u --no-cache clamav clamav-dev freshclam bash clamav-libunrar 
-RUN pip install fangfrisch
-RUN mkdir -m 0770 -p /var/lib/fangfrisch
-RUN chgrp clamav /var/lib/fangfrisch
+FROM alpine:3.23 AS builder
+LABEL maintainer="tabledevil"
+RUN apk add --no-cache clamav clamav-libunrar freshclam python3 py3-pip bash
+# fangfrisch needs Python; PEP 668 on modern Alpine blocks system-pip, use venv.
+RUN python3 -m venv /opt/fangfrisch && /opt/fangfrisch/bin/pip install fangfrisch
+RUN mkdir -m 0770 -p /var/lib/fangfrisch && chgrp clamav /var/lib/fangfrisch
 ADD fangfrisch.conf /etc/fangfrisch.conf
 USER clamav
-RUN fangfrisch --conf /etc/fangfrisch.conf initdb
-RUN fangfrisch --conf /etc/fangfrisch.conf refresh
+RUN /opt/fangfrisch/bin/fangfrisch --conf /etc/fangfrisch.conf initdb
+RUN /opt/fangfrisch/bin/fangfrisch --conf /etc/fangfrisch.conf refresh
 RUN freshclam
 
 
-FROM alpine
+FROM alpine:3.23
 ARG PUID=1001
 ARG PGID=1001
-MAINTAINER tabledevil
-RUN apk add -u --no-cache clamav clamav-daemon clamav-clamdscan bash clamav-libunrar
+LABEL maintainer="tabledevil"
+LABEL docker.cmd="docker run -it --rm -v /folder/to/scan:/data:ro --network=none tabledevil/clamav scan"
+RUN apk add --no-cache clamav clamav-daemon clamav-clamdscan bash clamav-libunrar
 COPY --from=builder /var/lib/clamav /var/lib/clamav
 ADD clamd.conf /etc/clamav/clamd.conf
 ADD start.sh /start.sh

test_smoke.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# Smoke test for the clamav scanner image: image present, version reports
+# engine + sig DB, EICAR is detected via clamdscan --multiscan.
+#
+# Usage: TAG=ls-clamav:test ./test_smoke.sh
+#        (defaults to tabledevil/clamav)
+
+set -u
+TAG="${TAG:-tabledevil/clamav}"
+TMP="$(mktemp -d)"
+trap 'rm -rf "$TMP"' EXIT
+
+pass=0; fail=0
+ok()  { echo "PASS  $1"; pass=$((pass+1)); }
+bad() { echo "FAIL  $1"; fail=$((fail+1)); }
+
+if docker image inspect "$TAG" >/dev/null 2>&1; then
+  ok "image $TAG present"
+else
+  bad "image $TAG not present"; exit 1
+fi
+
+out="$(docker run --rm "$TAG" version 2>&1 || true)"
+if echo "$out" | grep -qE "ClamAV [0-9]+\.[0-9]+"; then
+  ok "version reports ClamAV engine"
+else
+  bad "version did not report ClamAV engine"
+  echo "$out" | tail -10
+fi
+if echo "$out" | grep -qE "[0-9]+ Signatures loaded"; then
+  ok "sig DB loaded ($(echo "$out" | grep -oE '[0-9]+ Signatures loaded' | head -1))"
+else
+  bad "sig count not reported"
+fi
+
+mkdir -p "$TMP/data"
+printf '%s%s' \
+  'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' \
+  'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$TMP/data/eicar.com"
+
+out="$(docker run --rm -v "$TMP/data:/data:ro" "$TAG" scan 2>&1 || true)"
+if echo "$out" | grep -qiE "EICAR.*FOUND|Infected files: [1-9]"; then
+  ok "scan detects EICAR"
+else
+  bad "scan did not detect EICAR"
+  echo "$out" | tail -20
+fi
+
+echo
+echo "Summary: $pass pass, $fail fail"
+[ "$fail" -eq 0 ]