| | sbomnix | os |
|---|---|---|
| Mentions | 1 | 6 |
| Stars | 97 | 703 |
| Growth | - | 8.4% |
| Activity | 8.8 | 10.0 |
| Latest commit | about 1 month ago | about 17 hours ago |
| Language | Python | C |
| License | - | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sbomnix
- Wolfi: A community Linux OS designed for the container and cloud-native era
I'm not sure what you mean by "non-trivial", but here's a simple Discord bot I wrote in Python that I distribute as an OCI image and that is built with Nix for both x86_64 and aarch64 Linux via GitHub Actions: https://github.com/starcraft66/attention-attention
There is no SBOM because I didn't bother publishing one, but the way Nix builds derivations, you basically get the SBOM for free. You could use a tool like sbomnix[1] to trivially generate an SPDX-format SBOM from the Nix derivation that builds the container image.
1: https://github.com/tiiuae/sbomnix
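Whoever consumes an SBOM like the one described above has to walk it and check it, so here is an added example (my own code, not sbomnix's and not the linked bot's) that reads an SPDX 2.3 JSON document, lists a described image's transitive dependencies, and flags packages with no version or an unasserted license plus relationships that point at an SPDXID the document never defines. The field names follow the SPDX 2.3 JSON schema; the document embedded in it is constructed by hand to look like an image SBOM and is not real sbomnix output.

```python
"""Walk and sanity-check an SPDX 2.x JSON SBOM.

Added example, not code from sbomnix or the linked repository. Assumes the
SPDX 2.3 JSON layout: packages carry SPDXID/name/versionInfo/licenseConcluded,
relationships carry spdxElementId/relationshipType/relatedSpdxElement.
SAMPLE_SPDX below is constructed by hand and is not real generator output.
"""
import json
import sys
from collections import defaultdict, deque

SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "attention-attention-image",
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "attention-attention", "versionInfo": "1.0.0", "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-python3", "name": "python3", "versionInfo": "3.11.9", "licenseConcluded": "Python-2.0"},
        {"SPDXID": "SPDXRef-discordpy", "name": "discord.py", "versionInfo": "2.3.2", "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-aiohttp", "name": "aiohttp", "versionInfo": "3.9.5", "licenseConcluded": "Apache-2.0"},
        # Deliberately incomplete entry: no versionInfo, license not asserted.
        {"SPDXID": "SPDXRef-glibc", "name": "glibc", "licenseConcluded": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-image"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-python3"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-discordpy"},
        {"spdxElementId": "SPDXRef-discordpy", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-aiohttp"},
        {"spdxElementId": "SPDXRef-python3", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-glibc"},
        # Deliberately dangling edge: SPDXRef-ghost is never defined as a package.
        {"spdxElementId": "SPDXRef-aiohttp", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-ghost"},
    ],
})


def load_spdx(text):
    """Parse SPDX JSON text into a dict."""
    return json.loads(text)


def packages_by_id(doc):
    """Index the package list by SPDXID."""
    return {p["SPDXID"]: p for p in doc.get("packages", [])}


def described_roots(doc):
    """SPDXIDs the document itself DESCRIBES (the image, normally)."""
    return [r["relatedSpdxElement"] for r in doc.get("relationships", [])
            if r["relationshipType"] == "DESCRIBES" and r["spdxElementId"] == doc.get("SPDXID")]


def transitive_deps(doc, root_id):
    """Breadth-first walk over DEPENDS_ON edges; returns sorted name@version strings."""
    pkgs = packages_by_id(doc)
    edges = defaultdict(list)
    for r in doc.get("relationships", []):
        if r["relationshipType"] == "DEPENDS_ON":
            edges[r["spdxElementId"]].append(r["relatedSpdxElement"])
    seen, queue, found = {root_id}, deque([root_id]), []
    while queue:
        cur = queue.popleft()
        for dep in edges.get(cur, []):
            if dep in seen:
                continue
            seen.add(dep)
            queue.append(dep)
            if dep in pkgs:  # undefined SPDXIDs are reported by audit(), not listed here
                p = pkgs[dep]
                found.append(f"{p['name']}@{p.get('versionInfo', 'unknown')}")
    return sorted(found)


def audit(doc):
    """Findings a reviewer would want before trusting the SBOM."""
    pkgs = packages_by_id(doc)
    known = set(pkgs) | {doc.get("SPDXID")}
    findings = []
    for sid, p in pkgs.items():
        if not p.get("versionInfo"):
            findings.append(f"{sid}: missing versionInfo")
        if p.get("licenseConcluded", "NOASSERTION") == "NOASSERTION":
            findings.append(f"{sid}: license NOASSERTION")
    for r in doc.get("relationships", []):
        for end in (r["spdxElementId"], r["relatedSpdxElement"]):
            if end not in known:
                findings.append(f"{r['spdxElementId']} -> {r['relatedSpdxElement']}: unknown SPDXID {end}")
    return sorted(findings)


if __name__ == "__main__":
    # Pass a path to a real SPDX JSON file, or run without arguments for the sample.
    doc = load_spdx(open(sys.argv[1]).read()) if len(sys.argv) > 1 else load_spdx(SAMPLE_SPDX)
    for root in described_roots(doc):
        print(root, "depends on:", *transitive_deps(doc, root))
    print("findings:", *audit(doc), sep="\n  ")
```

Run it against a real document with `python3 spdx_walk.py sbom.spdx.json`; the dangling-reference check is the one that catches a generator that emitted relationships for store paths it never listed as packages.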
os
- Chainguard Images now available on Docker Hub
- Fat OCI images are a cultural problem
This is what the folks at Chainguard are solving with their Wolfi OS: https://github.com/wolfi-dev/os and tools like melange: https://github.com/chainguard-dev/melange
- Wolfi: A community Linux OS designed for the container and cloud-native era
> OK: 9494 distinct packages available
I opened that APKINDEX file and it had duplicate entries for a ton of packages with different versions. Taking a look at https://github.com/wolfi-dev/os, I only see about 840 YAML files, which I assume define the packages. I don't think claiming to have 10k packages when only 10% of them are actually different pieces of software is a good claim to make. Nixpkgs would have millions of packages if we added up every single unique package from every revision.
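To measure that kind of duplication from the index rather than by eye, here is an added example (my own code, not apk-tools' or Wolfi's) that parses an extracted APKINDEX text file and reports the number of index entries, the number of distinct package names, and the number of distinct origin (source) packages, plus every name that appears with more than one version. The record layout assumed is the one apk uses: records separated by a blank line, single-letter field keys, `P` for name, `V` for version, `o` for origin. The index text embedded below is constructed for illustration and is not Wolfi's real index.

```python
"""Count how many APKINDEX entries are really distinct packages.

Added example, not apk-tools' or Wolfi's code. Reads an extracted APKINDEX
text file (the plain file inside the index tarball): one record per package
build, records separated by a blank line, each field a single-letter key,
a colon and the value. Only P (name), V (version) and o (origin, i.e. the
source package) are used; C:, T:, D: and the rest are parsed but ignored.
SAMPLE_APKINDEX is constructed and is not Wolfi's real index.
"""
import sys
from collections import defaultdict

SAMPLE_APKINDEX = """\
P:curl
V:8.6.0-r0
A:x86_64
o:curl

P:curl
V:8.7.1-r0
A:x86_64
o:curl

P:curl-dev
V:8.7.1-r0
A:x86_64
o:curl

P:curl-doc
V:8.6.0-r0
A:x86_64
o:curl

P:curl-doc
V:8.7.1-r0
A:x86_64
o:curl

P:openssl
V:3.3.0-r0
A:x86_64
o:openssl

P:openssl-dev
V:3.3.0-r0
A:x86_64
o:openssl
"""


def parse_apkindex(text):
    """Return one dict per record, keyed by the single-letter field names."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and len(key) == 1:  # skip anything that is not a K:value field
            current[key] = value
    if current:
        records.append(current)
    return records


def summarize(records):
    """Entries vs distinct names vs distinct origins; the gaps are the duplication."""
    named = [r for r in records if "P" in r]
    return {
        "entries": len(named),
        "distinct_names": len({r["P"] for r in named}),
        # A record without an origin field is its own origin.
        "distinct_origins": len({r.get("o", r["P"]) for r in named}),
    }


def versions_by_name(records):
    """Package names that appear more than once, with every version seen."""
    seen = defaultdict(list)
    for r in records:
        if "P" in r and "V" in r:
            seen[r["P"]].append(r["V"])
    return {name: sorted(vs) for name, vs in seen.items() if len(vs) > 1}


if __name__ == "__main__":
    # Pass the path of an extracted APKINDEX file, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_APKINDEX
    recs = parse_apkindex(text)
    print(summarize(recs))
    for name, vs in sorted(versions_by_name(recs).items()):
        print(f"{name}: {', '.join(vs)}")
```

On the constructed sample the three counts are 7 entries, 5 names and 2 origins; the origin count is the number closest to "different pieces of software", since subpackages such as `-dev` and `-doc` share an origin with their main package.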
- Fearless Distroless
Also check out the Chainguard Images, built on Wolfi: https://github.com/wolfi-dev/os
- Wolfi
- Introducing Wolfi – the first Linux (Un)distro designed for securing the software supply chain
What are some alternatives?
cyclonedx-core-java - CycloneDX SBOM Model and Utils for Creating and Validating BOMs
Flatcar - Flatcar project repository for issue tracking, project documentation, etc.
attention-attention - Attention! Attention!
wolfi-act - Dynamic GitHub Actions from Wolfi packages
images - Public Chainguard Images
vulnerabilities - :rocket: A vulnerabilities database for fully-automated audits