| | osv-scanner | melange |
|---|---|---|
| | 10 | 10 |
| Stars | 5,874 | 358 |
| Growth | 1.5% | 4.5% |
| Activity | 9.6 | 9.8 |
| Last commit | about 9 hours ago | 5 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
osv-scanner
- An Intro to SBOMs
- SBOM and dependencies check tool and vulnerabilities database from Google
- OSV-Scanner: A vulnerability scanner written in Go which uses the data provided by OSV.dev
- Vulnerability scanner written in Go that uses osv.dev data
  - Building a high quality C/C++ vulnerability database.
    You can follow the two linked issues here: https://github.com/google/osv-scanner/issues/82 for updates!
- OSV-Scanner
- google/osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev
- Google Launches Largest Distributed Database of Open Source Vulnerabilities
  Link to the official GitHub repo: https://github.com/google/osv-scanner
melange
- Chainguard Images now available on Docker Hub
- Melange: Build APKs from Source Code
- Using GitLab Kubernetes Runners to Build Melange Packages
  Recently, I came across Chainguard and wrote the article How to build Docker Images with Melange and Apko. As a fervent supporter of Kubernetes and GitLab CI, I was eager to experiment with building images using Melange in this particular setup. GitLab's shared Runners work seamlessly with Bubblewrap, eliminating the need for additional configurations. This post is intended for enthusiasts like myself, interested in hosting their own Kubernetes Runners and leveraging the Kubernetes Runner Type of Melange.
- Distroless images using melange and apko
  melange allows us to build .apk packages (compatible with apk, the package manager used by the Alpine Linux distro) using declarative YAML pipelines.
- Building a Go Package with Melange and a Docker Image with Apko
  Melange
- Distroless container images with Apko from Chainguard
  Apko's synergy with Melange allows custom package creation for container images. Together, they offer a powerful solution for building containers directly from source code.
- There are two levels of isolation when building Linux packages
  In Wolfi's packaging system (melange) we set up a hermetic build environment. See here:
  http://github.com/wolfi-dev/os
  https://github.com/chainguard-dev/melange
  We use this to build APK packages from source for a large set of software.
- aws-cli v2: how much smaller can it get? Answer: a lot smaller :)
  I'm going to use melange for packaging. I write the melange package's manifest in YAML and melange spits out an APK file for me.
- Vulnerability scanner written in Go that uses osv.dev data
  Depends exactly on what you're trying to create it for. I advocate for doing it during the build process rather than as a step after.
  We open sourced a few tools that do it automatically for containers:
  https://github.com/chainguard-dev/apko
  https://github.com/chainguard-dev/melange
- Apko: A Better Way To Build Containers?
  Melange is a builder for Alpine packages. It uses pipelines similar to common CI/CD services, and it builds for multiple architectures by default. Here is a simplified example of a package build for the forum software NodeBB:
What are some alternatives?
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
apko - Build OCI images from APK packages directly without Dockerfile
betterscan-ce - Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners + OpenAI GPT with One Report (Code, IaC) - Betterscan Community Edition (CE)
maloss - Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
osv.dev - Open source vulnerability DB and triage service.
aws-c-auth - C99 library implementation of AWS client-side authentication: standard credentials providers and signing.
nodeBB - Node.js based forum software built for the modern web
packj - Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
ko - Build and deploy Go applications