experiment: Add Wolfi based images #1735

Draft
wants to merge 1 commit into
base: main
from

Commits on Nov 24, 2023

  1. experiment: Add Wolfi based images

    Adds some initial images (ko, ko-gcloud) based on Wolfi packages using
    apko. (tl;dr apko = ko for apks).
    
    These images are smaller and are kept up to date with upstream with a
    focus on minimal CVEs.
    
    (computed using `crane manifest $IMG | jq '.config.size + ([.layers[].size] | add)' | numfmt --to=iec`)
    
    Image | Size
    ----- | ----
    gcr.io/tekton-releases/dogfooding/ko:latest | 277M
    us-docker.pkg.dev/wlynch-chainguard/public/ko@latest-wolfi | 31M
    gcr.io/tekton-releases/dogfooding/ko-gcloud:latest | 606M
    us-docker.pkg.dev/wlynch-chainguard/public/ko-gcloud@latest-wolfi | 304M
    
    CVE Scans:
    
    ```
    $ grype gcr.io/tekton-releases/dogfooding/ko:latest
     ✔ Vulnerability DB                [no update available]
     ✔ Parsed image                                                                                                                                                                                                 sha256:a41f5ae73e4a3aa0652d8653d22cd8dcf499f1ad2e78c3c1433127fe3ee6d61f
     ✔ Cataloged packages              [231 packages]
     ✔ Scanned for vulnerabilities     [23 vulnerability matches]
       ├── by severity: 1 critical, 7 high, 13 medium, 0 low, 0 negligible (2 unknown)
       └── by status:   12 fixed, 11 not-fixed, 0 ignored (4 dropped)
    ```
    
    ```
    $ grype us-docker.pkg.dev/wlynch-chainguard/public/ko:latest-wolfi
     ✔ Vulnerability DB                [no update available]
     ✔ Parsed image                                                                                                                                                                                                 sha256:e5b9decd9f30c3500f7e289c7abd7d054e122b128877215b47b78b769e915329
     ✔ Cataloged packages              [191 packages]
     ✔ Scanned for vulnerabilities     [0 vulnerability matches]
       ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
       └── by status:   0 fixed, 0 not-fixed, 0 ignored (4 dropped)
    ```
    
    These aren't wired up to CI yet.
    wlynch committed Nov 24, 2023
    d65d885
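
The size one-liner in the commit message reads `.config.size` and `.layers[]`, which exist only on a single-image manifest; when a tag resolves to a multi-platform image index, those fields are absent. The following is an added example, not part of the commit or the project: the same sum in Python, extended beyond the commit's case to handle an index. The `fetch` callback, the digests and all sample manifests are constructed for illustration.

```python
INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

def manifest_size(manifest):
    """Compressed size in bytes of one image: config blob plus all layer blobs."""
    return manifest["config"]["size"] + sum(layer["size"] for layer in manifest["layers"])

def image_sizes(doc, fetch):
    """Return {platform: compressed_bytes} for a manifest or an image index.

    `fetch(digest)` is a hypothetical callback returning the child manifest as a
    dict. The descriptor "size" in an index is the size of the manifest document
    itself, not of the image, so each child has to be resolved and summed.
    """
    if doc.get("mediaType") in INDEX_TYPES or "manifests" in doc:
        sizes = {}
        for desc in doc["manifests"]:
            plat = desc.get("platform", {})
            key = f'{plat.get("os", "unknown")}/{plat.get("architecture", "unknown")}'
            sizes[key] = manifest_size(fetch(desc["digest"]))
        return sizes
    return {"single": manifest_size(doc)}

# Constructed sample data (not taken from the images named in the commit).
AMD64 = {"schemaVersion": 2, "config": {"size": 1500},
         "layers": [{"size": 4000000}, {"size": 250000}]}
ARM64 = {"schemaVersion": 2, "config": {"size": 1500},
         "layers": [{"size": 3900000}, {"size": 250000}]}
INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:constructed-amd64", "size": 700,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:constructed-arm64", "size": 700,
         "platform": {"os": "linux", "architecture": "arm64"}},
    ],
}
BLOBS = {"sha256:constructed-amd64": AMD64, "sha256:constructed-arm64": ARM64}

if __name__ == "__main__":
    for platform, size in image_sizes(INDEX, BLOBS.__getitem__).items():
        print(f"{platform}: {size} bytes")
```

These figures are compressed blob sizes as stored in the registry, so they describe pull size rather than on-disk size after extraction.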