Quenchworks

grafana

Image · Observability · standard · v13.0.2

0 fixable CVEs · cosign signed · SPDX SBOM · SLSA provenance · amd64 · arm64 · Rebuilt 2026-06-14

Dashboards and visualization for metrics and logs. OSS edition (AGPL).

Current digest (deployed by the chart)

sha256:378c7a7beeffa74c627a146124b6cf4377c273da31b28272702df50f4f088288

Signatures, the SBOM, and provenance all attach to this digest. Pin to it for reproducible, tamper-evident pulls.

Signed: cosign keyless
SBOM: SPDX, on digest
Provenance: SLSA build
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
Image size: 344.0 MB
SBOM packages: 575

Security report (Trivy, via ArtifactHub)

0 fixable CVEs

Critical: 0
High: 0
Medium: 0
Low: 0
Unknown: 0

Pull the image

Run it directly with Docker, Podman, or any Kubernetes workload. Nonroot, read-only root filesystem, built for amd64 and arm64.

Pull (tag)

docker pull ghcr.io/quenchworks/images/grafana:13.0.2

Pinned by digest (recommended)

docker pull ghcr.io/quenchworks/images/grafana@sha256:378c7a7beeffa74c627a146124b6cf4377c273da31b28272702df50f4f088288

Tags

13.0.2 · 13.0.2-amd64 · 13.0.2-arm64

Images are tagged by app version (never :latest): a multi-arch index plus per-arch tags.

App version: 13.0.2
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: AGPL-3.0

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three yourself:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/grafana@sha256:378c7a7beeffa74c627a146124b6cf4377c273da31b28272702df50f4f088288 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/grafana@sha256:378c7a7beeffa74c627a146124b6cf4377c273da31b28272702df50f4f088288 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/grafana@sha256:378c7a7beeffa74c627a146124b6cf4377c273da31b28272702df50f4f088288 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Transparency

Every attestation is published on the org's GitHub attestations listing and logged to the Sigstore transparency log (Rekor), which cosign verify and gh attestation verify check for you.

Upstream project: https://github.com/grafana/grafana