Quenchworks is an independent catalog of hardened container images and clean-room Helm charts for the infrastructure you actually run: databases, caches, search, message queues, and coordination.
28 datastores ship end to end today, every image paired with a matching chart, across relational, document, wide-column, key-value, search, time-series, analytical, graph, messaging, and coordination. Browse them at quenchworks.mkabumattar.com/charts.
Every image is built from source on Wolfi with melange and apko. No Dockerfiles, and nothing inherited from another distro. Each one:
- passes a hard 0 fixable CVE gate (Trivy, fail-on-fixable) before it can publish,
- runs as nonroot on a read-only root filesystem,
- is multi-arch (linux/amd64 + linux/arm64),
- ships an SBOM and is signed with cosign (keyless),
- and is rebuilt daily, so "0 CVEs" stays true tomorrow and not just on release day.
Every chart pins its image strictly by sha256 digest (a tag-only reference is refused on purpose),
shares one hardened security baseline through the quench-common library chart, is cosign-signed,
and is listed on ArtifactHub as a verified publisher with a Values schema.
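The digest-only rule above can also be enforced from the consumer side, on rendered manifests. This is an added example, not code from quench-common or any Quenchworks repo; the function names, the sample manifest and the placeholder digest are constructed for illustration.

```python
from __future__ import annotations

import re

# Accepted digest form: sha256 followed by exactly 64 lowercase hex characters.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
# Matches `image: <ref>` and `- image: <ref>` lines, with or without quotes.
IMAGE_LINE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\"'\s#]+)")


def check_image_ref(ref: str) -> tuple[bool, str]:
    """Return (ok, reason) for one container image reference."""
    name, sep, digest = ref.partition("@")
    if not sep:
        return False, "no digest: a tag-only or bare reference is mutable"
    if not name:
        return False, "missing repository name"
    if not DIGEST_RE.fullmatch(digest):
        return False, "digest is not sha256:<64 hex>"
    # A tag may still be present in `name`; the digest is what gets resolved.
    return True, "pinned by digest"


def find_unpinned(manifest_text: str) -> list[str]:
    """Collect every image value in rendered YAML that is not digest-pinned."""
    bad = []
    for line in manifest_text.splitlines():
        m = IMAGE_LINE_RE.match(line)
        if m and not check_image_ref(m.group(1))[0]:
            bad.append(m.group(1))
    return bad


# Constructed sample: a rendered pod spec fragment. The digest is a placeholder,
# not the digest of any real image.
FAKE_DIGEST = "sha256:" + "ab" * 32
SAMPLE = f"""\
containers:
  - name: db
    image: ghcr.io/quenchworks/images/postgresql@{FAKE_DIGEST}
  - name: sidecar
    image: ghcr.io/example/exporter:1.2.3
initContainers:
  - name: init
    image: "ghcr.io/example/init@sha256:deadbeef"
"""

if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE):
        print("unpinned:", ref, "-", check_image_ref(ref)[1])
```

Run it over the output of `helm template` in CI and fail the job when `find_unpinned` returns anything.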
Quench is the metallurgy step that hardens hot metal by cooling it fast. That is the idea.
The free, hardened images many teams relied on moved behind a paywall and into a legacy registry. Quenchworks rebuilds that in the open, from source, and for free: a drop-in hardened path off the Bitnami catalog, kept honest with a daily rebuild and public provenance you can check yourself.
| Repo | What it is |
|---|---|
| images | The image factory: melange + apko builds, the 0-CVE gate, cosign signing, GHCR publish. |
| charts | Clean-room Helm charts, each pinned to a signed image digest and published as an OCI artifact. |
| common | quench-common, the shared library chart: hardened security contexts and the digest-only image resolver. |
```bash
cosign verify ghcr.io/quenchworks/images/postgresql \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```

We lead with the truly-open option in every category. A few source-available datastores (MongoDB and Elasticsearch under SSPL, CockroachDB and Dragonfly under BSL) are carried with a loud license note, because they are not OSI-approved open source. Where a clean fork already covers the slot we say so plainly: Valkey for Redis, OpenSearch for Elasticsearch, FerretDB and DocumentDB for MongoDB.
MIT. Built independently, and not affiliated with any upstream distribution or vendor.
quenchworks.mkabumattar.com · made by @mkabumattar