osv-scanner VS melange

- Building a high quality C/C++ vulnerability database.

You can follow the two linked issues here: https://github.com/google/osv-scanner/issues/82 for updates!

Link to the official GitHub repo: https://github.com/google/osv-scanner

Recently, I came across Chainguard and wrote the article How to build Docker Images with Melange and Apko. As a fervent supporter of Kubernetes and GitLab CI, I was eager to experiment with building images using Melange in this particular setup. GitLab's shared Runners work seamlessly with Bubblewrap, eliminating the need for additional configurations. This post is intended for enthusiasts like myself, interested in hosting their own Kubernetes Runners and leveraging the Kubernetes Runner Type of Melange.

melange allows us to build .apk packages (compatible with apk, the package manager used by Alpine Linux distro) using declarative YAML pipelines.

Melange

Apko's synergy with Melange allows custom package creation for container images. Together, they offer a powerful solution for building containers directly from source code.

In Wolfi's packaging system (melange) we setup a hermetic build environment. See here:

http://github.com/wolfi-dev/os

https://github.com/chainguard-dev/melange

We use this to build APK packages from source for a large set of software.

I'm going to use melange for packaging. I write melange package's manifest in YAML and melange spits out APK file for me.

Depends exactly what you're trying to create it for. I advocate for doing it during the build process rather than as a step after.

We open sourced a few tools that do it automatically for containers:

https://github.com/chainguard-dev/apko

https://github.com/chainguard-dev/melange

Melange is a builder for Alpine packages. It uses pipelines similar to common CI/CD services, and it builds for multiple architectures by default. Here is a simplified example of a package build for the forum software NodeBB: