Quenchworks images

The image factory. Builds hardened container images from source on Wolfi with melange and apko, gates them on zero fixable CVEs (Trivy), signs them with cosign, and publishes to GHCR.

Part of Quenchworks. Browse the catalog at quenchworks.mkabumattar.com/images.

What ships here

29 images across databases, caches, search, message queues, coordination, and metrics. Every one:

  • is built from source (no Dockerfile, nothing inherited from another distro); where an upstream is infeasible to compile in CI (ClickHouse, ScyllaDB, CockroachDB, Dragonfly, MongoDB), we ship the project's own official binary and harden the base around it,
  • passes a hard gate of zero fixable CVEs (Trivy with --ignore-unfixed and --exit-code 1) before anything is published,
  • runs as nonroot (uid 1001) and is built to run on a read-only root filesystem (the read-only mount itself is a runtime setting, Kubernetes readOnlyRootFilesystem or docker run --read-only, not something an image can enforce on its own),
  • is multi-arch: a linux/amd64 + linux/arm64 index, signed and pinned by digest,
  • ships an SBOM and is cosign-signed (keyless OIDC).

Layout

catalog.yaml                 source of truth: app, version, source, license, tier, status
apps/<app>/melange.yaml      build the package from source
apps/<app>/apko.yaml         assemble the minimal nonroot image
apps/<app>/test.sh           smoke test the built image
.github/workflows/           per-app build, scan, sign, dispatch

How a build runs

  1. melange compiles the app from source into a signed APK.
  2. apko assembles a minimal, nonroot, multi-arch image and writes it to a local tar.
  3. Trivy scans that tar with --exit-code 1 --ignore-unfixed. Any fixable CVE (one with a patched version available) fails the build, and nothing is published; CVEs that have no fixed version yet are filtered out by --ignore-unfixed and do not block.
  4. Only after the gate passes, apko publishes to ghcr.io/quenchworks/images/<app> as a multi-arch index.
  5. cosign signs the digest (keyless).
  6. A dispatch tells the charts repo to repin the matching chart to the new digest.

The build runs on every change and once a day, so a clean scan stays current: a CVE published against an already-built image fails the next scheduled run instead of aging silently.
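The sequence above as a single driver, written here as an added example (not the repository's own code; the real pipeline is the GitHub Actions workflows under .github/workflows/). It mirrors the ordering that matters for supply-chain safety: the image is written to a local tar, Trivy runs against that tar, and apko publish and cosign sign are only reached when the scan exited 0. Step 6 (the dispatch to the charts repo) is left out. Assumptions beyond the README: a melange signing key at melange.rsa, packages written to ./packages, crane (go-containerregistry) available to resolve the pushed index digest so that cosign signs a digest rather than a tag, and an injectable `runner` so the ordering can be exercised with none of the tools installed. The sample Trivy report is constructed with placeholder IDs, not real advisories.

```python
"""Build -> scan -> gate -> publish -> sign driver (added example, not the
repo's workflow code).  Assumes melange.rsa, ./packages, and crane on PATH;
`runner` is injectable for testing.  Placeholder CVE IDs below are constructed."""
import json
import subprocess
from pathlib import Path

REGISTRY = "ghcr.io/quenchworks/images"   # publish target from the README
ARCHES = "x86_64,aarch64"                  # melange/apko spellings of amd64 + arm64


class GateFailed(Exception):
    """Trivy reported a fixable CVE (or failed outright); nothing gets published."""


def fixable_findings(report: dict) -> list[dict]:
    """Findings with a FixedVersion, i.e. what Trivy keeps under --ignore-unfixed.
    Trivy omits the Vulnerabilities key for clean targets, hence the `or []`."""
    found = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("FixedVersion"):
                found.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                              "installed": v["InstalledVersion"],
                              "fixed": v["FixedVersion"],
                              "severity": v.get("Severity", "UNKNOWN")})
    return found


def build_and_publish(app: str, runner=subprocess.run,
                      workdir: Path = Path(".")) -> list[str]:
    """Run the steps for one app; return the commands executed, in order."""
    ref = f"{REGISTRY}/{app}"
    tar, report = workdir / f"{app}.tar", workdir / f"{app}-trivy.json"
    executed: list[str] = []

    def sh(cmd: list[str], **kw):
        executed.append(" ".join(cmd[:2]))
        return runner(cmd, **kw)

    # 1. melange: compile from source into signed APKs for both arches.
    sh(["melange", "build", f"apps/{app}/melange.yaml", "--arch", ARCHES,
        "--signing-key", "melange.rsa", "--out-dir", "packages"], check=True)
    # 2. apko: assemble the image into a local tar; nothing is pushed yet.
    sh(["apko", "build", f"apps/{app}/apko.yaml", ref, str(tar),
        "--arch", ARCHES], check=True)
    # 3. Gate: Trivy exits 1 on any fixable CVE (unfixed ones are ignored).
    #    Trivy also exits 1 on its own errors (e.g. DB download failure), so any
    #    nonzero exit blocks publishing; the JSON report tells the two apart.
    scan = sh(["trivy", "image", "--input", str(tar), "--exit-code", "1",
               "--ignore-unfixed", "--format", "json", "--output", str(report)],
              check=False)
    if scan.returncode != 0:
        found = fixable_findings(json.loads(report.read_text())) if report.exists() else []
        ids = ", ".join(f["id"] for f in found) or "scan error, no report"
        raise GateFailed(f"{app}: gate failed ({ids})")
    # 4. Publish the multi-arch index only after the gate passed.
    sh(["apko", "publish", f"apps/{app}/apko.yaml", ref, "--arch", ARCHES],
       check=True)
    # 5. Resolve the pushed index to its digest and sign that, not the tag.
    digest = sh(["crane", "digest", ref], capture_output=True, text=True,
                check=True).stdout.strip()
    sh(["cosign", "sign", "--yes", f"{ref}@{digest}"], check=True)
    return executed


# Constructed Trivy-style report (placeholder IDs, not real advisories): one
# finding with no fix yet (no FixedVersion key) and one with a patched version.
SAMPLE_REPORT = {"Results": [{"Target": "redis.tar (wolfi)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
     "InstalledVersion": "1.0.0-r0", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
     "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0", "Severity": "MEDIUM"},
]}]}

if __name__ == "__main__":
    # Offline demo of the gate's filter: only CVE-0000-0002 is fixable, so only it blocks.
    for f in fixable_findings(SAMPLE_REPORT):
        print(f"{f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['severity']})")
```

The point of `check=False` on the Trivy call is that the gate decision is made explicitly in code rather than by an exception, so the failure message can list the offending CVEs; every other step uses `check=True` so a tool error aborts before publish. Signing `ref@digest` rather than the tag removes the window in which the tag could be re-pointed between publish and sign.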

Verify an image

A tag is mutable; the digest is what was signed. Resolve the tag to the digest you intend to deploy, verify that reference, and pin the digest in your manifests. The verify call is the same either way:

cosign verify ghcr.io/quenchworks/images/redis \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Add an app

Add a row to catalog.yaml, then create apps/<app>/ with a melange build, an apko config, and a test. Charts are authored separately in the charts repo, from each app's own upstream docs. See CONTRIBUTING.

A note on licensing

Most of the catalog is under OSI-approved licenses. Four datastores are source-available, not OSI-approved open source, and are carried with a loud license note in catalog.yaml and on the website: MongoDB and Elasticsearch (SSPL-1.0), CockroachDB and Dragonfly (BSL-1.1). Each note names the OSI-licensed alternative we recommend instead (Valkey, OpenSearch, FerretDB + DocumentDB).

License

MIT for this repository's build configs and tooling. Each built image carries its upstream software's own license, recorded in catalog.yaml and the image labels.
