CI Integration
April 22, 2026 · View on GitHub
Beyond local development, kool can also run inside CI/CD pipelines. A pre-built Docker image is published to Docker Hub as kooldev/kool for exactly this purpose — it bundles the kool CLI together with docker, docker compose, git, and bash, pre-configured to talk to a Docker-in-Docker sidecar.
This image is intended for CI pipelines that need
koolalongside a Docker daemon. For local development, install the native binary as described in the Installation guide.
When to use the image
The kooldev/kool image is primarily used with GitLab CI, where the services: + docker:dind pattern pairs naturally with kool's requirement for a working docker and docker compose. It also works with GitHub Actions, Drone, Bitbucket Pipelines, and any other CI runner that supports linking a Docker daemon service container.
If your CI runner already has Docker available on the host (e.g. GitHub Actions' default ubuntu-latest runner), installing kool via curl | bash at the top of the job is often simpler than running it through the image.
What's in the image
koolCLI — built with Go 1.25, statically linkeddockerCLIdocker composeplugin (Compose V2)gitandbashENV DOCKER_HOST=tcp://docker:2375— defaults the Docker CLI to a sidecar service reachable at the hostnamedocker
Published tags track kool releases, e.g. kooldev/kool:3.2.0 pins to a specific release and kooldev/kool:3 tracks the current major line. Pin a specific version in CI for reproducibility.
GitLab CI example
test:
image: kooldev/kool:3
services:
- name: docker:dind
alias: docker
variables:
DOCKER_TLS_CERTDIR: ""
DOCKER_HOST: tcp://docker:2375
script:
- kool run test
The alias: docker is important — the kooldev/kool image defaults DOCKER_HOST to tcp://docker:2375, so the DinD sidecar must be reachable at the hostname docker.
GitHub Actions example
GitHub Actions runners already have Docker available, so you can usually skip the image and install kool natively:
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install kool
run: curl -fsSL https://kool.dev/install | bash
- run: kool run test
If you prefer a consistent, pinned kool version via container:, the pattern below mirrors the GitLab setup:
jobs:
test:
runs-on: ubuntu-latest
container:
image: kooldev/kool:3
services:
docker:
image: docker:dind
options: --privileged
env:
DOCKER_TLS_CERTDIR: ""
env:
DOCKER_HOST: tcp://docker:2375
steps:
- uses: actions/checkout@v4
- run: kool run test
Known security caveat
The kooldev/kool image is built FROM docker:29-cli, which bundles docker-compose and docker-buildx CLI plugins as pre-built Go binaries that we inherit as-is. At any given time those plugins may have been compiled with a Go toolchain that has since received CVE advisories — for example a go1.25.8 build of the bundled compose plugin triggers CVE-2026-27143 until the upstream docker-library/docker image is rebuilt with a newer Go toolchain.
The advisory is in the Go standard library of Docker's own plugin binaries, not in kool. For security-sensitive pipelines, consider either:
- Installing kool as a native binary on the runner (
curl -fsSL https://kool.dev/install | bash) instead of using the image, which avoids the upstream plugin surface entirely, - Pinning a specific
kooldev/kool:VERSIONtag and re-scanning when you adopt a new version.
If you find a security issue in kool itself, please follow the Security instructions in the main README.