kool-dev
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/docker-description.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docker-description.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/docker.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docker.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/golangci-lint.yml‎
Lines changed: 5 additions & 6 deletions b/‎.github/workflows/golangci-lint.yml‎
Lines changed: 5 additions & 6 deletions
diff --git a/‎.github/workflows/release-drafter.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release-drafter.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/scan.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/scan.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/test.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.grype.yaml‎
Lines changed: 18 additions & 0 deletions b/‎.grype.yaml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 2 additions & 2 deletions b/‎Dockerfile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 6 additions & 0 deletions b/‎README.md‎
Lines changed: 6 additions & 0 deletions
@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v3
@@ -16,7 +16,7 @@ jobs:
 
       - name: Sync Docker Hub Description
         if: github.ref == 'refs/heads/main' && github.repository == 'kool-dev/kool'
-        uses: peter-evans/dockerhub-description@v2
+        uses: peter-evans/dockerhub-description@v4
         env:
           DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
           DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
 
@@ -11,7 +11,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@master
+      uses: actions/checkout@v4
 
     - uses: olegtarasov/get-tag@v2.1
       id: tagName
 
@@ -11,14 +11,13 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      # ref: https://github.com/golangci/golangci-lint-action/issues/442#issuecomment-1203786890
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
           cache: true
           cache-dependency-path: go.sum
-      - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.1
       - name: Run golangci-lint
-        run: golangci-lint run --version --verbose --out-format=github-actions
+        uses: golangci/golangci-lint-action@v7
+        with:
+          version: v2.11.4
@@ -20,6 +20,6 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@v6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -12,13 +12,13 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@master
+      uses: actions/checkout@v4
 
     - name: Build image
       run: docker build --pull -t kooldev/kool:4scan .
 
     - name: Scan image
-      uses: anchore/scan-action@v2
+      uses: anchore/scan-action@v6
       with:
         image: "kooldev/kool:4scan"
         fail-build: true
 
@@ -8,12 +8,12 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.21.x]
+        go-version: [1.25.x]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
     - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go-version }}
     - name: Checkout code
 
@@ -0,0 +1,18 @@
+# Grype config for the kooldev/kool Docker image scan (.github/workflows/scan.yml).
+#
+# The ignore list below is reserved for CVEs we inherit from upstream images
+# and cannot fix ourselves — each entry must link to the upstream tracker and
+# be revisited (and ideally removed) when upstream rebuilds.
+#
+# See docs/01-Getting-Started/5-CI-Integration.md#known-security-caveat for the
+# user-facing context.
+
+ignore:
+  # Inherited from docker:29-cli (Docker 29.4.1). The bundled
+  # /usr/local/libexec/docker/cli-plugins/{docker-compose,docker-buildx}
+  # are Go binaries built with go1.25.8; CVE-2026-27143 is fixed in go1.25.9.
+  # Will clear automatically when docker-library/docker rebuilds the 29-cli
+  # image with a newer Go toolchain. Tracked upstream:
+  #   https://github.com/docker-library/docker
+  # Remove this entry once `grype kooldev/kool:<tag>` no longer reports it.
+  - vulnerability: CVE-2026-27143
@@ -1,4 +1,4 @@
-FROM golang:1.21 AS build
+FROM golang:1.25 AS build
 
 ARG BUILD_VERSION=0.0.0-auto
 
@@ -11,7 +11,7 @@ RUN go build -a \
 	-ldflags '-X kool-dev/kool/commands.version='$BUILD_VERSION' -extldflags "-static"' \
 	-o kool
 
-FROM docker:27-cli
+FROM docker:29-cli
 
 ENV DOCKER_HOST=tcp://docker:2375
 
 
@@ -39,6 +39,10 @@ curl -fsSL https://kool.dev/install | bash
 
 You must run `kool` on Windows via [WSL - Windows Subsystem for Linux](https://learn.microsoft.com/en-us/windows/wsl/install) - once you have a WSL environment properly set up, make sure you have [Docker available on it](https://docs.docker.com/desktop/wsl/), then you can install the CLI as you would in any Linux or MacOS (see above).
 
+### In CI pipelines
+
+For CI/CD use cases — most commonly **GitLab CI** with a `docker:dind` service — we publish a pre-built image at [**kooldev/kool**](https://hub.docker.com/r/kooldev/kool) that bundles `kool` together with `docker`, `docker compose`, `git`, and `bash`. See the [CI Integration guide](docs/01-Getting-Started/5-CI-Integration.md) for the DinD sidecar pattern and example `.gitlab-ci.yml` / GitHub Actions configs, plus a [known security caveat](docs/01-Getting-Started/5-CI-Integration.md#known-security-caveat) about CVEs inherited from the upstream `docker:X-cli` base image.
+
 ## Getting Started
 
 It's really easy to get started with `kool`. Check out our [Getting Started documentation for a generic PHP web app](https://kool.dev/docs/getting-started/starting-new-project).
@@ -84,6 +88,8 @@ Our work is organized according to a loosely defined but clear roadmap. Check ou
 
 If you find a security issue, please let us know right away, before making it public, by creating a GitHub issue. We'll take action as soon as possible. You can email questions and concerns to `contact@kool.dev`.
 
+For known CVEs inherited by the `kooldev/kool` Docker image from its upstream `docker:X-cli` base, see the [known security caveat](docs/01-Getting-Started/5-CI-Integration.md#known-security-caveat) in the CI Integration guide. These affect only users running the published Docker image in CI pipelines — the native **kool** binary installed via `curl | bash` is unaffected.
+
 ## License
 
 The MIT License (MIT). Please see [License File](LICENSE.md) for more information.