Built from source
We compile each app from source on Wolfi with melange, then apko assembles a small nonroot image. No Dockerfiles, and nothing inherited from another distro.
34 datastores · image + signed chart · 0 fixable CVEs
Drop-in hardened replacements
for the Bitnami catalog.
34 datastores, each shipped end-to-end as a small nonroot container image and a signed Helm chart. Built from source on Wolfi, scanned to zero fixable CVEs, cosign-signed, digest-pinned, and multi-arch (amd64 + arm64). Free and independent.
install & verify
# add the chart (OCI) and install
helm install my-redis oci://ghcr.io/quenchworks/charts/redis
# verify the image was built & signed by CI before you trust it
cosign verify ghcr.io/quenchworks/images/redis \
--certificate-oidc-issuer https://token.actions.githubusercontent.comHow it works
Hardened from source to install.
0 fixable CVEs, daily
A Trivy gate fails the build on any fixable CVE. We rebuild every day, because a clean scan only tells you about the day it ran.
Signed and attested
Every image gets a cosign keyless signature, build provenance, and an SPDX SBOM. Anyone can verify it.
Pinned by digest
Charts point at images by sha256 digest, never a moving tag. What you install is exactly what passed the gate.
Free, independent, and yours to verify.
No paywall and no lock-in. Pull an image, check the signature yourself, then install the chart. You never have to take our word for it.