Docker (sdkr)
The sdkr subcommand group wraps Docker operations for building, scanning, tagging, and pushing container images to multiple registries.
Synopsis
Commands
| Command | Description |
|---|---|
build |
Build a Docker image |
scan |
Scan an image for security vulnerabilities |
tag |
Tag a local image |
remove |
Remove a local image |
push |
Push to a registry (see subcommands) |
push aws |
Push to AWS ECR |
push az |
Push to Azure ACR |
push gcp |
Push to Google Container Registry / Artifact Registry |
push hub |
Push to Docker Hub |
provision-acr |
Build and push to Azure ACR |
provision-ecr |
Build and push to AWS ECR |
provision-gcp |
Build and push to GCP GCR / Artifact Registry |
provision-hub |
Build and push to Docker Hub |
provision-ghcr |
Build and push to GitHub Container Registry |
init |
Generate Docker-focused smurf.yaml |
Each provision-* command builds then pushes (it does not scan). When run on a TTY it prompts Proceed with push? [y/N] before pushing; pass --yes to skip the prompt, for example in CI.
build
Build a Docker image from a Dockerfile.
Flags:
| Flag | Description |
|---|---|
--context |
Build context directory |
-f, --file |
Path to Dockerfile, relative to the context directory |
--no-cache |
Disable build cache |
--target |
Multi-stage build target |
--platform |
Target platform (e.g. linux/amd64) |
--build-arg |
Build-time variables (KEY=VALUE) |
--buildkit |
Enable BuildKit for advanced Dockerfile features |
--timeout |
Build timeout in seconds (default 1500) |
Examples:
smurf sdkr build my-app:v1.1.9
smurf sdkr build --dockerfile=./docker/Dockerfile --no-cache my-app:latest
smurf sdkr build # reads imageName from smurf.yaml
scan
Analyze a Docker image for known vulnerabilities before deployment.
tag
Tag a local Docker image.
remove
Delete a local Docker image.
push
Push images to cloud registries. Each registry has its own subcommand:
smurf sdkr push aws <ECR_URL>
smurf sdkr push az <ACR_URL>
smurf sdkr push gcp <GCR_URL>
smurf sdkr push hub <IMAGE>
Provision commands
Provision commands combine build with push in a single step (no scan step). Each one prompts Proceed with push? [y/N] before pushing when run on a TTY; pass --yes to skip the prompt.
provision-ecr
Requires AWS credentials via environment variables or smurf.yaml.
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_DEFAULT_REGION=us-east-1
smurf sdkr provision-ecr 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.1.9
provision-acr
Requires Azure credentials (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) or config fields.
provision-gcp
Supports gcr.io/ and *-docker.pkg.dev/ registries.
provision-hub
Build and push to Docker Hub.
provision-ghcr
Build and push to GitHub Container Registry.
Supported registries
| Registry | Push command | Provision command |
|---|---|---|
| AWS ECR | push aws |
provision-ecr |
| Azure ACR | push az |
provision-acr |
| Google GCR / Artifact Registry | push gcp |
provision-gcp |
| Docker Hub | push hub |
provision-hub |
| GitHub Container Registry | — | provision-ghcr |
Using smurf.yaml
Generate a Docker config:
Then run provision without arguments:
GitHub Actions example
jobs:
build-and-push:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Setup Smurf
uses: clouddrove/[email protected]
with:
version: v1.1.9
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Build and push to ECR
run: smurf sdkr provision-ecr
See Configuration for the full smurf.yaml reference.