0-CVE container images and signed Helm charts. Built from source, cosign-signed, pinned by digest. Free and independent.
Website · Charts · Images · Roadmap · Docs · ArtifactHub
A lot of platforms were built on free, hardened images from the Bitnami catalog. Those images moved behind a paywall and into a legacy registry, on a clock. The job they did didn't go away: you still need a database, a cache, a queue, a gateway, that boots, runs nonroot, and doesn't drag a pile of CVEs into your cluster.
Rebuilding all of that yourself is real work, and keeping it at zero CVEs is work that never stops.
92 hardened images and 54 signed Helm charts for the infrastructure you actually run. Every image is built from source on Wolfi with melange and apko. No Dockerfiles, nothing inherited from another distro. Then each one:
- clears a hard 0 fixable CVE gate (Trivy, fail-on-fixable) before it can publish,
- runs nonroot on a read-only root filesystem,
- ships as a multi-arch index (linux/amd64 + linux/arm64),
- carries an SBOM and a cosign keyless signature,
- is rebuilt daily, so a clean scan stays true tomorrow instead of aging out.
Every chart pins its image strictly by sha256 digest (a tag-only reference is refused on purpose), shares one hardened security baseline through the quench-common library chart, is cosign-signed, and ships on ArtifactHub as a verified publisher with a Values schema.
Quench is the metallurgy step that hardens hot metal by cooling it fast. Same idea, fewer CVEs.
# install the chart (the image is already signed and pinned by digest for you)
helm install cache oci://ghcr.io/quenchworks/charts/redis
# verify any image we ship, yourself (images are tagged by version, no :latest)
cosign verify ghcr.io/quenchworks/images/redis:8.8.0 \
--certificate-identity-regexp 'https://github.com/quenchworks/.+' \
--certificate-oidc-issuer https://token.actions.githubusercontent.comNo account, no token, no paywall. Swap redis:8.8.0 for any app and version in the catalog.
| Relational | PostgreSQL · MariaDB · MySQL · CockroachDB |
| Document | CouchDB · FerretDB · DocumentDB · MongoDB |
| Key-value / cache | Valkey · Redis · Memcached · Dragonfly |
| Wide-column | Cassandra · ScyllaDB |
| Search / vector | OpenSearch · Solr · Meilisearch · Qdrant · Elasticsearch |
| Streaming / messaging | Kafka · NATS · RabbitMQ · Pulsar |
| Coordination | etcd · ZooKeeper · Temporal |
| Observability | Prometheus · Grafana · Loki · Tempo · VictoriaMetrics · OpenTelemetry Collector · Vector · Fluent Bit |
| Gateways / proxies | Nginx · Caddy · Traefik · HAProxy |
| Object storage | Garage · RustFS · SeaweedFS |
| Secrets / identity | OpenBao · Keycloak |
| Registry · Git · CI/IaC | Harbor · Gitea · Atlantis |
Browse all of it, with versions, digests, and provenance, at quench-works.com.
| Repo | What it is |
|---|---|
| images | The image factory: melange + apko builds, the 0-CVE gate, cosign signing, GHCR publish. |
| charts | Clean-room Helm charts, each pinned to a signed image digest and published as an OCI artifact. |
| common | quench-common, the shared library chart: the hardened security baseline and the digest-only image resolver. |
| website | The catalog site, generated straight from the images and charts repos. |
We lead with the truly-open option in every category. Two source-available datastores, MongoDB and Elasticsearch (both SSPL-1.0), are carried with a loud license note because they are not OSI-approved open source, and we name the clean fork that covers the slot: OpenSearch for Elasticsearch, FerretDB plus DocumentDB for MongoDB.
MIT. Built independently. Not affiliated with any upstream distribution or vendor.
quench-works.com · made by @mkabumattar