Security
Trust you can verify
QuenchWorks is built so you never have to take our word for it. Everything below is reproducible and checkable from your own terminal.
Zero fixable CVEs, enforced
Every image goes through a Trivy gate that fails the build on any fixable vulnerability. We rebuild on a schedule, because a clean scan only describes the day it ran. The result is a moving target kept clean, not a one-time audit.
Built from source on Wolfi
We compile each application from source with melange, then apko assembles a small nonroot image. There are no Dockerfiles and nothing inherited from another distro, so the attack surface is only what the app needs.
Signed, keyless
Each image and each chart is signed with cosign using GitHub OIDC (Sigstore). There is no long-lived key to leak. The signature ties the artifact back to the workflow that built it, and anyone can check it.
Pinned by digest
Charts reference images by sha256 digest, never a moving tag. What you install is exactly the artifact that passed the gate and was signed, with no room for a tag to drift underneath you.
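One way to check the digest-pinning claim from your own side, added here as an example and not QuenchWorks' own tooling: it reads a rendered manifest (for instance the output of helm template) on stdin and flags any image reference that is a tag rather than a sha256 digest. The file name in the usage comment and the sample digest are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of QuenchWorks' tooling: confirm that every
# image reference in a rendered chart is pinned by sha256 digest, not a tag.
# Usage: helm template <chart> | sh check_pinned.sh   (hypothetical file name)

# Return 0 when the reference ends in @sha256:<64 hex chars>, 1 otherwise.
check_pinned() {
  case "$1" in
    *@sha256:*) digest="${1##*@sha256:}" ;;
    *) return 1 ;;
  esac
  # a real digest is exactly 64 hex characters; anything else is malformed
  if [ "${#digest}" -eq 64 ] && [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]; then
    return 0
  fi
  return 1
}

# Read manifest lines from stdin, report every unpinned `image:` value on
# stderr, and return 1 if any was found (0 when all references are pinned).
scan_manifest() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      *image:*) ref="${line#*image:}" ;;
      *) continue ;;
    esac
    ref="$(printf '%s' "$ref" | tr -d " \"'")"   # strip spaces and quotes
    if ! check_pinned "$ref"; then
      echo "unpinned image reference: $ref" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Self-check on a constructed two-line manifest (the digest is a sample value).
SAMPLE='image: ghcr.io/quenchworks/images/redis@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        image: "ghcr.io/quenchworks/images/redis:latest"'
if printf '%s\n' "$SAMPLE" | scan_manifest 2>/dev/null; then
  echo "all references pinned"
else
  echo "at least one reference is not digest-pinned"
fi
```

Run it against the real chart after cosign verify has passed; a non-zero exit means something in the rendered output still points at a moving tag.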
Verify it yourself
# confirm an image was built and signed by our CI
cosign verify ghcr.io/quenchworks/images/redis \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
# the same works for any chart; keyless verification needs the same
# identity and issuer flags so cosign knows which signer to trust
cosign verify ghcr.io/quenchworks/charts/redis@sha256:<digest> \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
Reporting a vulnerability
Found something? Please follow the disclosure process in our security policy.
Security policy