{"id":13807505,"url":"https://github.com/SongStitch/anchor","last_synced_at":"2025-05-14T00:31:40.880Z","repository":{"id":229728405,"uuid":"777493473","full_name":"SongStitch/anchor","owner":"SongStitch","description":"A tool for anchoring dependencies in dockerfiles","archived":false,"fork":false,"pushed_at":"2025-01-15T23:09:06.000Z","size":3411,"stargazers_count":14,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-02T14:02:26.926Z","etag":null,"topics":["command-line-tool","docker","dockerfile","dockerfile-pinning","pinning"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SongStitch.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-03-26T00:25:22.000Z","updated_at":"2025-02-01T22:51:04.000Z","dependencies_parsed_at":"2024-05-16T18:25:29.411Z","dependency_job_id":"9ffa37b4-b4ff-4fda-a715-72b20875046a","html_url":"https://github.com/SongStitch/anchor","commit_stats":null,"previous_names":["songstitch/docker-lock","songstitch/anchor"],"tags_count":27,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SongStitch%2Fanchor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SongStitch%2Fanchor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SongStitch%2Fanchor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SongStitch%2Fanchor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SongStitch","download_url":"https://codeload.github.com/SongStitch/anchor/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254046333,"owners_count":22005573,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["command-line-tool","docker","dockerfile","dockerfile-pinning","pinning"],"created_at":"2024-08-04T01:01:26.176Z","updated_at":"2025-05-14T00:31:35.866Z","avatar_url":"https://github.com/SongStitch.png","language":"Go","funding_links":[],"categories":["Container Operations","Go"],"sub_categories":["Security"],"readme":"\u003cdiv align=\"center\"\u003e\n\n# Anchor\n\n![Go Version](https://img.shields.io/github/go-mod/go-version/SongStitch/anchor?style=flat-square\u0026logo=go)\n![Docker](https://img.shields.io/badge/Docker-%232496ED.svg?logo=docker\u0026logoColor=white\u0026style=flat-square)\n[![CI status](https://img.shields.io/github/actions/workflow/status/songstitch/anchor/ci.yaml?branch=main\u0026style=flat-square\u0026logo=github)](https://github.com/SongStitch/anchor/actions?query=branch%3Amain)\n[![License](https://img.shields.io/github/license/SongStitch/anchor?style=flat-square)](/LICENSE)\n[![Release](https://img.shields.io/github/v/release/SongStitch/anchor?style=flat-square)](https://github.com/SongStitch/anchor/releases/latest)\n\nA tool for anchoring dependencies in dockerfiles\n\n\u003c/div\u003e\n\n\u003c!-- toc --\u003e\n\n- [Installation](#installation)\n  - [Via Homebrew](#via-homebrew)\n  - [Via Go Install](#via-go-install)\n  - [Via GitHub Releases](#via-github-releases)\n- [What is Anchor, and How Does it Work?](#what-is-anchor-and-how-does-it-work)\n  - [By Example](#by-example)\n- [Supported Operating Systems Package Managers](#supported-operating-systems-package-managers)\n- [Recommended Workflow](#recommended-workflow)\n- [Usage](#usage)\n  - [Default Usage](#default-usage)\n  - [Specifying Input and Output Files](#specifying-input-and-output-files)\n  - [Non-Interactive Mode (CI/CD Pipelines)](#non-interactive-mode-cicd-pipelines)\n  - [Printing the Output Instead of Writing to a File](#printing-the-output-instead-of-writing-to-a-file)\n  - [Ignoring Images and Packages](#ignoring-images-and-packages)\n- [License](#license)\n\n\u003c!-- tocstop --\u003e\n\n# Installation\n\n## Via Homebrew\n\n```shell\nbrew tap songstitch/anchor\nbrew install anchor\n```\n\n## Via Go Install\n\n```shell\ngo install github.com/songstitch/anchor@latest\n```\n\n## Via GitHub Releases\n\nDownload the latest binary from the [releases page](https://github.com/SongStitch/anchor/releases/latest)\n\n# What is Anchor, and How Does it Work?\n\nAnchor is a tool for anchoring Dockerfiles (not unlike pinning in lock files). It allows for reproducible builds by ensuring that the versions of dependencies are fixed. This is done in two ways\n\n- Replacing docker image tags referenced in a Dockerfile with the digest of the image\n- Replacing package versions in a Dockerfile with the version of the package. The parent digest image is used resolve the package versions to ensure that the package versions are consistent with the parent image.\n\nAnchor has been designed such that with the generated `Dockerfile`, no changes are needed on one's CI or build process.\n\nNote that `docker` must be installed and running on the system for `anchor` to work.\n\n## By Example\n\nGiven this `Dockerfile`\n\n```dockerfile\n# Comments are preserved\nFROM golang:1.23-bookworm as builder\n\nRUN apt-get update \\\n    \u0026\u0026 apt-get install --no-install-recommends -y curl wget \\\n    \u0026\u0026 rm -rf /var/lib/apt/lists/* \\\n    \u0026\u0026 apt-get clean\n```\n\nRunning `anchor` will generate the following `Dockerfile`\n\n```dockerfile\n# Comments are preserved\nFROM golang:1.23-bookworm@sha256:31dc846dd1bcca84d2fa231bcd16c09ff271bcc1a5ae2c48ff10f13b039688f3 as builder\n\nRUN apt-get update \\\n    \u0026\u0026 dpkg --add-architecture arm64 \u0026\u0026 apt-get update \u0026\u0026 \\\n    apt-get install --no-install-recommends -y curl:arm64=7.88.1-10+deb12u5 wget:arm64=1.21.3-1+b1 \\\n    \u0026\u0026 rm -rf /var/lib/apt/lists/* \\\n    \u0026\u0026 apt-get clean\n```\n\n# Supported Operating Systems Package Managers\n\nCurrently, Anchor only supports the `apt` package manager. Support for other OS package managers is planned.\n\n# Recommended Workflow\n\nThe recommended workflow for using `anchor` is as follows:\n\n- Name your Dockerfile `Dockerfile.template`\n- Run `anchor` in the same directory as the `Dockerfile.template`\n- Commit the generated `Dockerfile` to your repository\n- Use the generated `Dockerfile` in your CI/CD pipeline to ensure repoducible builds\n- Do not modify the generated `Dockerfile` manually\n- If you need to make changes to the Dockerfile, make them in the `Dockerfile.template` and run `anchor` again\n- If you need to update the dependencies, run `anchor` again\n\n# Usage\n\n## Default Usage\n\nRunning `anchor` without any flags will use the default input and output files. It looks for a file named `Dockerfile.template` in the current directory and outputs the result to `Dockerfile`.\n\n```shell\nanchor\n```\n\n## Specifying Input and Output Files\n\nYou can specify the input and output files using the `-i` and `-o` flags respectively.\n\n```shell\nanchor -i Dockerfile.template -o Dockerfile\n```\n\n## Non-Interactive Mode (CI/CD Pipelines)\n\nYou can use the `--yes` flag to automatically accept the changes made by `anchor`. This is useful for CI/CD pipelines.\n\n```shell\nanchor -i Dockerfile.template -o Dockerfile --yes\n```\n\nWithout the `--yes` flag, `anchor` will prompt you to accept any overwrites.\n\n## Printing the Output Instead of Writing to a File\n\nYou can print the output to stdout by using the `-p` flag.\n\n```shell\nanchor -i Dockerfile.template --dry-run\n```\n\n## Ignoring Images and Packages\n\nIt is possible to tell anchor to ignore images and packages in the Dockerfile statement by adding a `# anchor ignore` comment above the statement in the Dockerfile template. For example:\n\n```dockerfile\n# ignore this statement\n# anchor ignore\nFROM golang:1.23-bookworm as builder\n\n# ignore this statement\n# anchor ignore\nRUN apt-get update \\\n    \u0026\u0026 apt-get install --no-install-recommends -y curl wget \\\n    \u0026\u0026 rm -rf /var/lib/apt/lists/* \\\n    \u0026\u0026 apt-get clean\n\n# explicitly tell anchor to ignore this image\n# anchor ignore=golang:1.23-bookworm\nFROM golang:1.23-bookworm\n\n# explicitly tell anchor to ignore the curl package\n# anchor ignore=curl\nRUN apt-get update \\\n    \u0026\u0026 apt-get install --no-install-recommends -y curl wget \\\n    \u0026\u0026 rm -rf /var/lib/apt/lists/* \\\n    \u0026\u0026 apt-get clean\n```\n\n# License\n\nThis project is licensed under the GPL-2.0 License - see the [LICENSE](/LICENSE) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSongStitch%2Fanchor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSongStitch%2Fanchor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSongStitch%2Fanchor/lists"}