| | maloss | melange |
|---|---|---|
| Mentions (posts) | 3 | 10 |
| Stars | 106 | 358 |
| Growth | - | 4.5% |
| Activity | 0.0 | 9.8 |
| Latest commit | over 1 year ago | about 23 hours ago |
| Language | Java | Go |
| License | MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
maloss
- Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
- Vulnerability scanner written in Go that uses osv.dev data
  We have an open-source project that does this: https://github.com/osssanitizer/maloss I'm working on creating a CLI/web interface for this. Happy to chat (email in profile).
- PyPI: Python packets steal AWS keys from users
melange
- Chainguard Images now available on Docker Hub
- Melange: Build APKs from Source Code
- Using GitLab Kubernetes Runners to Build Melange Packages
  Recently, I came across Chainguard and wrote the article How to build Docker Images with Melange and Apko. As a fervent supporter of Kubernetes and GitLab CI, I was eager to experiment with building images using Melange in this particular setup. GitLab's shared Runners work seamlessly with Bubblewrap, eliminating the need for additional configurations. This post is intended for enthusiasts like myself, interested in hosting their own Kubernetes Runners and leveraging the Kubernetes Runner Type of Melange.
- Distroless images using melange and apko
  melange allows us to build .apk packages (compatible with apk, the package manager used by the Alpine Linux distro) using declarative YAML pipelines.
- Building a Go Package with Melange and a Docker Image with Apko
- Distroless container images with Apko from Chainguard
  Apko's synergy with Melange allows custom package creation for container images. Together, they offer a powerful solution for building containers directly from source code.
- There are two levels of isolation when building Linux packages
  In Wolfi's packaging system (melange) we set up a hermetic build environment. See here:
  http://github.com/wolfi-dev/os
  https://github.com/chainguard-dev/melange
  We use this to build APK packages from source for a large set of software.
- aws-cli v2: how much smaller can it get? Answer: a lot smaller :)
  I'm going to use melange for packaging. I write the melange package's manifest in YAML and melange spits out an APK file for me.
- Vulnerability scanner written in Go that uses osv.dev data
  Depends exactly what you're trying to create it for. I advocate for doing it during the build process rather than as a step after.
  We open sourced a few tools that do it automatically for containers:
  https://github.com/chainguard-dev/apko
  https://github.com/chainguard-dev/melange
- Apko: A Better Way To Build Containers?
  Melange is a builder for Alpine packages. It uses pipelines similar to common CI/CD services, and it builds for multiple architectures by default. Here is a simplified example of a package build for the forum software NodeBB:
What are some alternatives?
packj - Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
apko - Build OCI images from APK packages directly without Dockerfile
osv-scanner - Vulnerability scanner written in Go which uses the data provided by https://osv.dev
pypi_malware - PyPI malware packages
aws-c-auth - C99 library implementation of AWS client-side authentication: standard credentials providers and signing.
software-supply-chain-compromises - A dataset of software supply chain compromises. Please help us maintain it!
nodeBB - Node.js based forum software built for the modern web
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
ko - Build and deploy Go applications