nginx
Image · Gateway · critical · v1.30.2
High-performance web server and reverse proxy.
Current digest (deployed by the chart)
sha256:562df2234ba075ab06c0063d3ae9ffd5d2b3b51871090a94a6b65fa4999a7fe4
Signatures, the SBOM, and provenance all attach to this digest. Pin to it for reproducible, tamper-evident pulls.
Security report (Trivy, via ArtifactHub)
0 fixable CVEs
Pull the image
Run it directly with Docker, Podman, or any Kubernetes workload. Nonroot, read-only root filesystem, built for amd64 and arm64.
Pull (tag)
docker pull ghcr.io/quenchworks/images/nginx:1.30.2
Pinned by digest (recommended)
docker pull ghcr.io/quenchworks/images/nginx@sha256:562df2234ba075ab06c0063d3ae9ffd5d2b3b51871090a94a6b65fa4999a7fe4
Tags
Images are tagged by app version (never :latest): a multi-arch index plus per-arch tags.
- App version: 1.30.2
- Architectures: amd64, arm64
- Runs as: nonroot (uid 1001)
- Root filesystem: read-only
- License: BSD-2-Clause
Verify the supply chain
This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three yourself:
# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/nginx@sha256:562df2234ba075ab06c0063d3ae9ffd5d2b3b51871090a94a6b65fa4999a7fe4 \
--certificate-identity-regexp 'https://github.com/quenchworks/.+' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/nginx@sha256:562df2234ba075ab06c0063d3ae9ffd5d2b3b51871090a94a6b65fa4999a7fe4 --owner quenchworks
# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/nginx@sha256:562df2234ba075ab06c0063d3ae9ffd5d2b3b51871090a94a6b65fa4999a7fe4 --owner quenchworks \
--predicate-type https://spdx.dev/Document
See the SBOM & provenance guide for reading the SBOM and using these checks in CI.
Transparency
Every attestation is published on the org's GitHub attestations listing and logged to the Sigstore transparency log (Rekor), which cosign verify and gh attestation verify check for you.
Upstream project: https://github.com/nginx/nginx