Skip to content

initializ/secure-images

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

150 Commits
.github/workflows
.github/workflows
 
 
images
images
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Initializ Secure Images

Initializ Secure Images is a collection of container images designed for security.

All these images are built using apko and melange. These tools provide a reproducible, declarative approach to building OCI images.

Find and use Initializ Secure Images

Our images are available via public.ecr.aws.

For example, to pull the kubectl image with Docker:

docker pull public.ecr.aws/t4s8c0c3/kubectl:latest

Software and Tools

These images contain stand-alone software, databases, web servers, and tools like kubectl and aws-cli.

Because our images are constantly rebuilt with the latest sources and include the absolute minimum of dependencies, they typically have significantly fewer vulnerabilities than equivalent images.

For example:

Signatures

All Initializ Secure Images are signed using Sigstore, and you can check the signature using cosign. For our kubectl image example, you can run the following:

 cosign verify public.ecr.aws/t4s8c0c3/kubectl \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/initializ/secure-images/.github/workflows/release.yml@refs/heads/main \ | jq

Your output will make sure that the cosign claims are validated.

SBOMs

All Initializ Secure Images come with a Software Bill Of Materials (SBOM) generated at build-time. The SBOM can be downloaded using the cosign tool e.g.:

 cosign download attestation \ --predicate-type https://spdx.dev/Document \ public.ecr.aws/t4s8c0c3/kubectl | jq -r .payload | base64 -d | jq

You will see the following result:

{ { "_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://spdx.dev/Document", "subject": [ { "name": "public.ecr.aws/t4s8c0c3/kubectl", "digest": { "sha256": "6f932665bebaa373c5eb3bb150222137e6037142f238f06f464237ef26211778" } } ], "predicate": { "SPDXID": "SPDXRef-DOCUMENT", "creationInfo": { "created": "2023-10-18T18:17:54Z", "creators": [ "Tool: apko (c419221)", "Organization: Chainguard, Inc" ], "licenseListVersion": "3.16" }, "dataLicense": "CC0-1.0", "documentDescribes": [ "SPDXRef-Package-sha256-9bf86620a4ea8a1ec0a6cc3501ef415daf6bbf4d7e7257a0749cddd9cd20a187" ], "documentNamespace": "https://spdx.org/spdxdocs/apko/", "files": [ ...

TESTING

About

Initializ Secure Images is a collection of container images designed for security.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •