{"id":38843775,"url":"https://github.com/project-stacker/c3","last_synced_at":"2026-01-17T14:02:25.871Z","repository":{"id":59404443,"uuid":"530308144","full_name":"project-stacker/c3","owner":"project-stacker","description":"OCI-native Container Images to build your own","archived":false,"fork":false,"pushed_at":"2025-12-12T12:13:47.000Z","size":477,"stargazers_count":11,"open_issues_count":15,"forks_count":5,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-14T02:25:19.859Z","etag":null,"topics":["container","kubernetes","oci","oci-image","zot"],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/project-stacker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-08-29T16:45:32.000Z","updated_at":"2025-12-12T12:13:51.000Z","dependencies_parsed_at":"2023-10-04T08:00:04.518Z","dependency_job_id":"c9b74ad9-4ad0-479b-bd00-80b2a902cc98","html_url":"https://github.com/project-stacker/c3","commit_stats":null,"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"purl":"pkg:github/project-stacker/c3","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/project-stacker%2Fc3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/project-stacker%2Fc3/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p
roject-stacker%2Fc3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/project-stacker%2Fc3/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/project-stacker","download_url":"https://codeload.github.com/project-stacker/c3/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/project-stacker%2Fc3/sbom","scorecard":{"id":692135,"data":{"date":"2024-03-18","repo":{"name":"github.com/project-stacker/c3","commit":"c4bd69b72edf42c63483b449502b609a1926675a"},"scorecard":{"version":"v4.8.0","commit":"c40859202d739b31fd060ac5b30d17326cd74275"},"score":6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":-1,"reason":"no pull request found","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"0 out of last 30 changesets reviewed before merge -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#code-review"}},{"name":"Contributors","score":3,"reason":"1 different organizations found -- score normalized to 3","details":["Info: contributors work for cisco systems"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: Dependabot detected: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":null,"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: : LICENSE:1"],"documentation":{"short":"Determines if the 
project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) out of 30 and 0 issue activity out of 10 found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"no published package detected","details":["Warn: no GitHub publishing workflow detected"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/build.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/build.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/build.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:204: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/build.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:263: update your workflow using 
https://app.stepsecurity.io/secureworkflow/project-stacker/c3/build.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:269: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/build.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:274: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/build.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cloc.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/cloc.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cloc.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/cloc.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/commit-msg.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/commit-msg.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/commit-msg.yaml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/commit-msg.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/commit-msg.yaml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/commit-msg.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dco.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/dco.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dco.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/dco.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/packages.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/packages.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/packages.yaml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/packages.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/scorecards.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/scorecards.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/shellcheck.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/shellcheck.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/shellcheck.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/shellcheck.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yaml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/stale.yaml/main?enable=pin","Warn: downloadThenRun not pinned by hash: .github/workflows/build.yaml:169","Warn: downloadThenRun not pinned by hash: .github/workflows/build.yaml:170","Warn: downloadThenRun not pinned by hash: .github/workflows/build.yaml:171","Warn: downloadThenRun not pinned by hash: .github/workflows/build.yaml:177","Warn: downloadThenRun not pinned by hash: .github/workflows/build.yaml:252","Warn: downloadThenRun not pinned by hash: .github/workflows/build.yaml:253","Warn: downloadThenRun not pinned by hash: .github/workflows/build.yaml:259","Warn: goCommand not pinned by hash: 
.github/workflows/cloc.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/dco.yml:23","Info: Dockerfile dependencies are pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch","Warn: CodeQL tool not detected"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy detected in current repo: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":["Warn: no GitHub releases found"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"non read-only tokens detected in GitHub workflows","details":["Info: topLevel permissions set to 'read-all': .github/workflows/build.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/build.yaml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/cloc.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/cloc.yml/main?enable=permissions","Warn: no topLevel permission defined: 
.github/workflows/commit-msg.yaml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/commit-msg.yaml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/dco.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/dco.yml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/packages.yaml:7: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/packages.yaml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/scorecards.yml/main?enable=permissions","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/scorecards.yml/main?enable=permissions","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/scorecards.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/shellcheck.yaml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/shellcheck.yaml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/stale.yaml:7: update your workflow using https://app.stepsecurity.io/secureworkflow/project-stacker/c3/stale.yaml/main?enable=permissions"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"no vulnerabilities detected","details":null,"documentation":{"short":"Determines 
if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T02:32:22.718Z","repository_id":59404443,"created_at":"2025-08-22T02:32:22.718Z","updated_at":"2025-08-22T02:32:22.718Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28509847,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T13:38:16.342Z","status":"ssl_error","status_checked_at":"2026-01-17T13:37:44.060Z","response_time":85,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container","kubernetes","oci","oci-image","zot"],"created_at":"2026-01-17T14:02:25.810Z","updated_at":"2026-01-17T14:02:25.864Z","avatar_url":"https://github.com/project-stacker.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# c3: \"composing concise containers\" for everyone!\n\nOCI-native distroless containers built using\n[`stacker`](https://github.com/project-stacker/stacker).\n\nThis project is a OCI-native alternative to\n[gcr/distroless](https://github.com/GoogleContainerTools/distroless).\n\nImages from this repo are built, signed using\n[`cosign`](https://github.com/sigstore/cosign) and pushed to [zothub.io](https://zothub.io).\n\n**DISCLAIMER**: These images are experimental. We assume no responsibility for\nthese. 
Use these images at your own risk.\n\n## Guiding Principles\n\n* This is **NOT** a new distribution!\n\n_Maintained distributions_ are hard because it is a continuous process of\nupdating dependencies and fixing functional and security bugs. Instead, the\napproach we have taken is to use existing distributions (they are good at what\nthey do) and produce images that developers can then use to build their own,\nwhile keeping the entire build process transparent.\n\n* Package only what is needed and nothing more!\n\nThe container images are built based on use cases. It is possible that some of\nthe images may not have your favorite tools or binaries. You are welcome to\nsubmit a PR or build your own private images based on these.\n\n## Prerequisites\n\n* Requires a Linux environment with recent 5.x kernel.\n\n## Build Images Locally\n\n```\n$ make\n```\n\n## List of Images\n\nThe following [images](./images) are built and published. All `*-devel` images have [`busybox`](https://busybox.net/) shell packaged.\n\n```\nIMAGE NAME                        TAG                       DIGEST      SIGNED      SIZE\nc3/debian/base-amd64              bullseye           bb12c3a2    true        7.5MB\nc3/debian/base-amd64              bullseye-squashfs  5244ad07    true        6.5MB\nc3/debian/go-devel-amd64          1.19.2             093793a6    true        197MB\nc3/debian/go-devel-amd64          1.19.2-squashfs    dc9e3859    true        175MB\nc3/debian/openj9-amd64            11                 88f56c3d    true        59MB\nc3/debian/openj9-amd64            11-squashfs        73a60848    true        51MB\nc3/debian/openj9-devel-amd64      11                 77c76e2a    true        220MB\nc3/debian/openj9-devel-amd64      11-squashfs        eed380d8    true        206MB\nc3/debian/static-amd64            bullseye           9fe28bc9    true        724kB\nc3/debian/static-amd64            bullseye-squashfs  44e9d704    true        471kB\nc3/rockylinux/base-amd64          9        
          33459f96    true        4.5MB\nc3/rockylinux/base-amd64          9-squashfs         d0da8f36    true        3.8MB\nc3/rockylinux/go-devel-amd64      1.19.2             17d8a0d3    true        181MB\nc3/rockylinux/go-devel-amd64      1.19.2-squashfs    9e2da7a5    true        161MB\nc3/rockylinux/openj9-amd64        11                 5c799cbb    true        56MB\nc3/rockylinux/openj9-amd64        11-squashfs        f8b776fb    true        48MB\nc3/rockylinux/openj9-devel-amd64  11                 97772632    true        217MB\nc3/rockylinux/openj9-devel-amd64  11-squashfs        77a8ffc4    true        203MB\nc3/rockylinux/static-amd64        9                  045fe728    true        1.6MB\nc3/rockylinux/static-amd64        9-squashfs         0053a0a4    true        1.3MB\nc3/ubuntu/base-amd64              jammy              a1075430    true        8.6MB\nc3/ubuntu/base-amd64              jammy-squashfs     45e3b064    true        7.5MB\nc3/ubuntu/go-devel-amd64          1.19.2             1217eff3    true        189MB\nc3/ubuntu/go-devel-amd64          1.19.2-squashfs    f248eba2    true        167MB\nc3/ubuntu/openj9-amd64            11                 15fde901    true        60MB\nc3/ubuntu/openj9-amd64            11-squashfs        fac84fa6    true        52MB\nc3/ubuntu/openj9-devel-amd64      11                 7e8d8d51    true        221MB\nc3/ubuntu/openj9-devel-amd64      11-squashfs        033f1f94    true        207MB\nc3/ubuntu/static-amd64            jammy              2e569eb6    true        880kB\nc3/ubuntu/static-amd64            jammy-squashfs     1293c5fd    true        623kB\n```\n\n## Verify Image Signatures\n\n```\n$ cat \u003c\u003c EOF \u003e cosign.pub\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3zTfLns0khZYaHjq2a3eMOYQMPYb\nGCDqRLgXRNVN6qcKoGhvM2yvNnl8g3MpbuvusJGZF1c6TdedluirqS4Y/w==\n-----END PUBLIC KEY-----\nEOF\n\n$ cosign verify --key cosign.pub zothub.io/c3/debian/go-devel-amd64:1.19.2\n\nVerification 
for zothub.io/c3/debian/go-devel-amd64:1.19.2 --\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - The signatures were verified against the specified public key\n\n[{\"critical\":{\"identity\":{\"docker-reference\":\"zothub.io/c3/debian/go-devel-amd64\"},\"image\":{\"docker-manifest-digest\":\"sha256:e426048cc64ca2c8d4b73cdf4b466e0cbb902e6ae35381c05eea63265c225b1b\"},\"type\":\"cosign container image signature\"},\"optional\":null}]\n```\n\n## Testing `*-devel` Images\n\n### With `podman`\n\n```\n$ podman run -it zothub.io/c3/debian/go-devel-amd64:1.19.2\n/ # go version\ngo version go1.19.2 linux/amd64\n/ #\n```\n\n# Contributing\n\nWe encourage and support an active, healthy community of contributors.\n\n* Details are in the [code of conduct](./CODE_OF_CONDUCT.md)\n* Details to get started on code development are in the [contributing](./CONTRIBUTING.md) document.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fproject-stacker%2Fc3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fproject-stacker%2Fc3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fproject-stacker%2Fc3/lists"}