hexr push takes the .hexr/ artifacts generated by hexr build and turns them into a production-ready container image. It detects what build infrastructure you have available — Docker Build Cloud, local buildx, or Google Cloud Build for Hexr Cloud users — prompts you to choose a strategy, builds for multiple platforms, runs a vulnerability scan, and pushes the signed image to your registry. You run this command from the same directory where you ran hexr build.
Usage
Run hexr push from a directory that contains a .hexr/ folder generated by hexr build.
Interactive flow
hexr push detects available build strategies and prompts you to select one:
$ hexr push
Detected build strategies:
1. Docker Build Cloud (cloud-sugiv-hexr) [RECOMMENDED]
2. Local buildx (linux/amd64, linux/arm64)
3. Basic Docker (linux/arm64 only)
4. CI/CD (GitHub Actions / GitLab CI)
Select strategy [1]: 1
Building for: linux/amd64, linux/arm64
Image: us-central1-docker.pkg.dev/hexr-cloud-prod/hexr-images/acme-research-analyst:v1.0.0
Step 1/6: Building container...
Step 2/6: Multi-platform manifest...
Step 3/6: Vulnerability scan...
┌─────────────────────────────────────┐
│ Vulnerability Scan Results │
├──────────┬──────────────────────────┤
│ Critical │ 0 │
│ High │ 0 │
│ Medium │ 2 (known, no fix yet) │
│ Low │ 5 │
└──────────┴──────────────────────────┘
Step 4/6: Pushing to registry...
Step 5/6: Verifying digest...
Step 6/6: Updating manifest...
✓ Image pushed successfully
Digest: sha256:abc123...
Platforms: linux/amd64, linux/arm64
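An added example (not part of hexr or its documentation) of what the Digest and Platforms lines let a consumer check independently: in the OCI distribution model the digest is the SHA-256 of the exact manifest bytes, and a multi-platform image is an index listing one manifest per platform. The sample index and the function names are constructed for illustration; how hexr push performs its own verification is not described on this page.

```python
import hashlib
import json

def manifest_digest(raw: bytes) -> str:
    """Registry digest = SHA-256 over the exact manifest bytes as served."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def index_platforms(raw: bytes) -> set:
    """Return the os/architecture pairs listed in an image index."""
    doc = json.loads(raw)
    if not isinstance(doc.get("manifests"), list):
        raise ValueError("not an image index: single-platform manifest?")
    found = set()
    for entry in doc["manifests"]:
        plat = entry.get("platform") or {}
        # buildx attestation entries are tagged unknown/unknown; skip them
        if plat.get("os", "unknown") == "unknown":
            continue
        found.add(f"{plat['os']}/{plat.get('architecture', 'unknown')}")
    return found

def verify_push(raw: bytes, expected_digest: str, required: set) -> list:
    """Return a list of problems; an empty list means the index checks out."""
    actual = manifest_digest(raw)
    if actual != expected_digest:
        # Do not parse or trust bytes that fail the digest check
        return [f"digest mismatch: got {actual}"]
    missing = sorted(required - index_platforms(raw))
    return [f"missing platform: {p}" for p in missing]

def _entry(arch: str, fill: str) -> dict:
    # Constructed sample entry; the child digests are placeholders
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + fill * 64, "size": 1024,
            "platform": {"os": "linux", "architecture": arch}}

# Constructed sample index, standing in for bytes fetched from a registry
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [_entry("amd64", "a"), _entry("arm64", "b")],
}).encode()

if __name__ == "__main__":
    pinned = manifest_digest(SAMPLE_INDEX)  # stands in for the Digest: line
    print(verify_push(SAMPLE_INDEX, pinned, {"linux/amd64", "linux/arm64"}))
    print(verify_push(SAMPLE_INDEX + b" ", pinned, {"linux/amd64"}))
```

Pinning deployments to the digest rather than the v1.0.0 tag means a later re-push of the same tag cannot change what runs.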
Build strategies
| Strategy | Description | Platforms |
|---|---|---|
| Docker Build Cloud | Remote build in Docker’s cloud | amd64 + arm64 |
| Local buildx | Multi-platform build on your machine | amd64 + arm64 |
| Basic Docker | Standard docker build | Local arch only |
| CI/CD | Generates GitHub Actions / GitLab CI config | amd64 + arm64 |
Vulnerability scanning
hexr push runs a vulnerability scan on the image before pushing. Four scan levels are available:
| Level | Behavior |
|---|---|
| none | Skip scanning entirely |
| basic | Scan for critical and high vulnerabilities only |
| standard | Scan all severities, fail on critical |
| strict | Scan all severities, fail on high or above |
Cloud build
For Hexr Cloud users, --cloud offloads the entire build to Google Cloud Build — no local Docker installation required:
$ hexr push --cloud
Submitting to Google Cloud Build...
Project: hexr-cloud-prod
Registry: us-central1-docker.pkg.dev/hexr-cloud-prod/hexr-images
Building... (this takes 1-2 minutes)
✓ Build completed
✓ Image: acme-research-analyst:v1.0.0
hexr push --cloud requires an active Hexr Cloud session. Run hexr login --key <api_key> first if you haven’t already.