Skip to content
apko
Build & Package
A tool that builds reproducible, minimal OCI container images from Alpine apk packages
Go
·
Latest v1.2.15 · 3d ago
Security brief →
Features
-
Fully reproducible image builds by default
-
Extremely fast build times (milliseconds)
-
Generates minimal images containing only required packages (distroless‑style)
-
Produces Software Bill of Materials (SBOM) for each image
-
Supports multi‑process containers using the s6 supervision suite
v1.2.12
Security relevant
·
Security fixes
- Harden against template injection and credential exposure in CI pipelines
Full changelog
Changelog
- b7931baa8cd8aa1718dcea63208eacebb27148d9 build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#2219)
- 34a75306b40ee67508c6ce6ee34e447dd1454fec fix(ci): harden against template injection and credential exposure (#2217)
v1.2.9
New feature
·
Notable features
- Verify APK package data hash against .PKGINFO for completeness
Full changelog
Changelog
- 8d34c756b1acdec0d18c82247f900a54255500f5 apk: verify package data hash against .PKGINFO for completeness (#2206)
- 312a1507941c846eadc2ff22d1e2e1f7d82bebe7 build(deps): bump chainguard.dev/sdk from 0.1.52 to 0.1.54 (#2199)
- 5f7949b8716d56dcd3e091e65b1c63c9d0cab776 build(deps): bump github.com/invopop/jsonschema from 0.13.0 to 0.14.0 (#2197)
- e7c2fdf0b02a5a23398beb617f6c4682707c0de9 build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 (#2198)
- 0d06d1ce763f6a13ea7ba63db777aea73f10dc6a chore(zizmor): trigger zizmor on updates to dependabot config [PSEC-871] (#2186)
- a7f10d8972fa035714387d9621745397a2f4135c ci: bump golangci-lint to v2.11 and clear new findings (#2205)
- 8ccb1ed4bb1f847d71dc4accb1f85c18550f405f testdata: refresh apko-discover lock for rotated chainguard key (#2203)
v1.2.7
New feature
·
Notable features
- APK package control hash verification against signed APKINDEX
Full changelog
Changelog
- a118c3d604107532b5525bd4bee2fb369a6228aa apk: verify package control hash against signed APKINDEX (#2191)
v1.2.6
Bug fix
·
Stripped special mode bits in file open and write operations.
Full changelog
Changelog
- 09b82d635baa11223ba5b28b421069cadcddb5d9 fs: strip special mode bits in OpenFile/WriteFile (#2188)
v1.2.5
Bug fix
·
Scoped all DirFS operations through os.Root for improved filesystem handling.
Full changelog
Changelog
- f5a96e1299ac81c7ea9441705ec467688086f442 fs: Scope all DirFS operations through os.Root (#2187)
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
About
Languages
Go
·
Shell
·
Makefile
Install & Platforms
Install via
brew
go
docker
Alternative to
ko
distroless
Search tools, categories, lists, and users
Use ↑↓ to navigate, Enter to open, Esc to close
No results for ""
⌘K to open
↑↓ navigate
⏎ open
