{"id":13490658,"url":"https://github.com/chainguard-dev/apko","last_synced_at":"2026-04-13T02:30:47.412Z","repository":{"id":37498412,"uuid":"457026559","full_name":"chainguard-dev/apko","owner":"chainguard-dev","description":"Build OCI images from APK packages directly without Dockerfile","archived":false,"fork":false,"pushed_at":"2026-02-23T00:37:00.000Z","size":8111,"stargazers_count":1552,"open_issues_count":131,"forks_count":204,"subscribers_count":14,"default_branch":"main","last_synced_at":"2026-02-23T06:51:22.279Z","etag":null,"topics":["containers","docker","oci"],"latest_commit_sha":null,"homepage":"https://apko.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":"NEWS.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-02-08T17:04:37.000Z","updated_at":"2026-02-23T03:18:16.000Z","dependencies_parsed_at":"2023-10-12T07:19:37.375Z","dependency_job_id":"ba804cc4-2472-4def-ab5a-4d76efca4d91","html_url":"https://github.com/chainguard-dev/apko","commit_stats":{"total_commits":1575,"total_committers":57,"mean_commits":27.63157894736842,"dds":0.7631746031746032,"last_synced_commit":"b8aa7617a577f62387b943f6ec750bb773c44d04"},"previous_names":[],"tags_count":155,"template":false,"template_full_name":null,"purl":"pkg:github/chainguard-dev/apko","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fapko","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fapko/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fapko/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fapko/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/apko/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fapko/sbom","scorecard":{"id":112940,"data":{"date":"2025-08-11","repo":{"name":"github.com/chainguard-dev/apko","commit":"09171fd0287b8b3831b2d2e3df4e9e982e41e0dc"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":8.1,"checks":[{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  26 out of  26 GitHub-owned GitHubAction dependencies pinned","Info:  24 out of  24 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-samples.yml:19","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-samples.yml:62","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-samples.yml:101","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-samples.yml:143","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-samples.yml:185","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yaml:17","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yaml:19","Info: jobLevel 'packages' permission set to 'read': .github/workflows/codeql.yml:33","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:36","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:37","Info: jobLevel 'contents' permission set to 'read': .github/workflows/go-tests.yaml:16","Info: jobLevel 'contents' permission set to 'read': .github/workflows/verify.yaml:17","Info: found token with 'none' permissions: .github/workflows/build-samples.yml:1","Info: found token with 'none' permissions: .github/workflows/build.yaml:1","Info: found token with 'none' permissions: .github/workflows/codeql.yaml:1","Info: found token with 'none' permissions: .github/workflows/codeql.yml:1","Info: found token with 'none' permissions: .github/workflows/go-tests.yaml:1","Info: found token with 'none' permissions: .github/workflows/release.yaml:1","Info: found token with 'none' permissions: .github/workflows/verify.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/chainguard-dev/.github/SECURITY.md:1","Info: Found linked content: github.com/chainguard-dev/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/chainguard-dev/.github/SECURITY.md:1","Info: Found text in security policy: github.com/chainguard-dev/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is required - but no codeowners file found in repo","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":8,"reason":"4 out of the last 4 releases have a total of 4 signed artifacts.","details":["Info: signed release artifact: apko_0.30.4_darwin_amd64.tar.gz.sig: https://github.com/chainguard-dev/apko/releases/tag/v0.30.4","Info: signed release artifact: apko_0.30.3_darwin_amd64.tar.gz.sig: https://github.com/chainguard-dev/apko/releases/tag/v0.30.3","Info: signed release artifact: apko_0.30.2_darwin_amd64.tar.gz.sig: https://github.com/chainguard-dev/apko/releases/tag/v0.30.2","Info: signed release artifact: apko_0.30.1_darwin_amd64.tar.gz.sig: https://github.com/chainguard-dev/apko/releases/tag/v0.30.1","Warn: release artifact v0.30.4 does not have provenance: https://api.github.com/repos/chainguard-dev/apko/releases/239130610","Warn: release artifact v0.30.3 does not have provenance: https://api.github.com/repos/chainguard-dev/apko/releases/238880754","Warn: release artifact v0.30.2 does not have provenance: https://api.github.com/repos/chainguard-dev/apko/releases/236359019","Warn: release artifact v0.30.1 does not have provenance: https://api.github.com/repos/chainguard-dev/apko/releases/236098329"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yaml:12"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Vulnerabilities","score":0,"reason":"13 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3829","Warn: Project is vulnerable to: CGA-24wg-f7c9-6234","Warn: Project is vulnerable to: CGA-2j47-7j2p-5mv6","Warn: Project is vulnerable to: CGA-3v5w-c457-74wm","Warn: Project is vulnerable to: CGA-49wj-7q5w-w7gw","Warn: Project is vulnerable to: CGA-56pr-p233-5w73","Warn: Project is vulnerable to: CGA-62gw-73jx-mx4w","Warn: Project is vulnerable to: CGA-62wq-2f62-55vm","Warn: Project is vulnerable to: CGA-665j-29x9-vgrf","Warn: Project is vulnerable to: CGA-937h-9qvw-8r89","Warn: Project is vulnerable to: CGA-hpqc-9w2r-rfj6","Warn: Project is vulnerable to: CGA-rppc-58w9-wv7w","Warn: Project is vulnerable to: CGA-wq37-vqpf-p8j4"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-15T15:35:58.852Z","repository_id":37498412,"created_at":"2025-08-15T15:35:58.852Z","updated_at":"2025-08-15T15:35:58.852Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29991077,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-02T01:47:34.672Z","status":"online","status_checked_at":"2026-03-02T02:00:07.342Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","docker","oci"],"created_at":"2024-07-31T19:00:49.868Z","updated_at":"2026-03-02T02:13:42.620Z","avatar_url":"https://github.com/chainguard-dev.png","language":"Go","readme":"# apko: apk-based OCI image builder\n\nBuild and publish [OCI container images](https://opencontainers.org/) built from [apk](https://wiki.alpinelinux.org/wiki/Package_management) packages.\n\napko has the following key features:\n\n- **Fully reproducible by default.** Run apko twice and you will get exactly the same binary.\n- **Fast.** apko aims to build images in ms.\n- **Small.** apko generated images only contain what's needed by the application,\n  in the style of [distroless](https://github.com/GoogleContainerTools/distroless).\n- **SBOM Support.** apko produces a Software Bill of Materials (SBOM) for images, detailing all the packages inside.\n- **Services.** apko supports using the [s6 supervision suite](https://skarnet.org/software/s6) to run multiple processes\n  in a container without reaping or signalling issues.\n\nPlease note that apko is a work in progress and details are subject to change!\n\n## Installation\n\nYou can install apko from Homebrew:\n\n```shell\nbrew install apko\n```\n\nYou can also install apko from source:\n\n```shell\ngo install chainguard.dev/apko@latest\n```\n\nYou can also use the apko container image:\n\n```shell\ndocker run cgr.dev/chainguard/apko version\n```\n\nTo use the examples, you'll generally want to mount your current directory into the container, e.g.:\n\n```shell\ndocker run -v \"$PWD\":/work cgr.dev/chainguard/apko build examples/alpine-base.yaml apko-alpine:edge apko-alpine.tar\n```\n\n## Quickstart\n\nAn apko file for building an Alpine base image looks like this:\n\n```yaml\ncontents:\n  repositories:\n    - https://dl-cdn.alpinelinux.org/alpine/v3.22/main\n  packages:\n    - alpine-base\n\nentrypoint:\n  command: /bin/sh -l\n\n# optional environment configuration\nenvironment:\n  PATH: /usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin\n```\n\nWe can build this with apko from any environment with apk tooling:\n\n```shell\napko build examples/alpine-base.yaml apko-alpine:test apko-alpine.tar\n```\n\n```\n...\n2022/04/08 13:22:31 apko (aarch64): generating SBOM\n2022/04/08 13:22:31 building OCI image from layer '/tmp/apko-3027985148.tar.gz'\n2022/04/08 13:22:31 OCI layer digest: sha256:ba034c07d0945abf6caa46fe05268d2375e4209e169ff7fdd34d40cf4e5f2dd6\n2022/04/08 13:22:31 OCI layer diffID: sha256:9b4ab6bb8831352b25c4bd21ee8259d1f3b2776deec573733291d71a390157bb\n2022/04/08 13:22:31 output OCI image file to apko-alpine.tar\n```\n\nor, with Docker:\n\n```shell\ndocker run -v \"$PWD\":/work cgr.dev/chainguard/apko build examples/alpine-base.yaml apko-alpine:test apko-alpine.tar\n```\n\nYou can then load the generated tar image into a Docker environment:\n\n```shell\ndocker load \u003c apko-alpine.tar\n```\n\n```shell\nLoaded image: apko-alpine:test\n```\n\n```shell\ndocker run -it apko-alpine:test\n```\n\n```\ne289dc84c4ad:/# echo boo!\nboo!\n```\n\nYou can also publish the image directly to a registry:\n\n```shell\napko publish examples/alpine-base.yaml myrepo/alpine-apko:test\n```\n\nSee the [docs](./docs/apko_file.md) for details of the file format and the [examples directory](./examples) for more, err, examples!\n\n## Why\n\napko was created by [Chainguard](https://www.chainguard.dev), who require secure and reproducible\ncontainer images for their tooling. Speed is also a critical factor; Chainguard require images to be\nrebuilt constantly in response to new versions and patches.\n\nThe design of apko is heavily influenced by the [ko](https://github.com/google/ko) and\n[distroless](https://github.com/GoogleContainerTools/distroless) projects.\n\n## Declarative Nature\n\nBy design, apko doesn't support an equivalent of `RUN` statements in Dockerfiles. This means apko\nfiles are fully declarative and allows apko to make stronger statements about the contents of images.\nIn particular, apko images are fully bitwise reproducible and can generate SBOMs covering their\ncomplete contents.\n\nIn order to install bespoke tooling or applications into an image, they must first be packaged into\nan apk. This can be done with apko's sister tool [melange](https://github.com/chainguard-dev/melange).\n\nThe combination of melange and apko cover the vast majority of use cases when building container\nimages. In the cases where they are not a good fit, our recommendation is to build a base image with\napko and melange, then use traditional tooling such as Dockerfiles for the final step.\n\n## Further Reading\n\nTutorials and guides for apko can be found at the [Chainguard Academy](https://edu.chainguard.dev/open-source/apko/).\n\nFor questions, please find us on the [Kubernetes Slack](https://kubernetes.slack.com/) in the #apko channel.\n\n## Related Work and Resources\n\nThe [melange project](https://github.com/chainguard-dev/melange) is designed to produce apk packages to be used in apko.\n\nThe [ko](https://github.com/google/ko) project builds Go projects from source in a similar manner to apko.\n\nThe [kontain.me](https://github.com/imjasonh/kontain.me) service creates fresh container images on\ndemand using different forms of declarative configuration (including ko and apko).\n","funding_links":[],"categories":["Go","docker","Build tools"],"sub_categories":["Observability"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fapko","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fapko","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fapko/lists"}