Hardened, minimal container images — built from source, multi-arch, signed, and SBOM-attested.
Every image in this repository is:
- Built from source — no pre-built binaries from third parties
- Multi-arch — native
amd64andarm64builds scratch-based — no shell, no package manager, minimal attack surface- Signed — Sigstore cosign (keyless) with full provenance
- SBOM-attested — SPDX and CycloneDX attached as OCI attestations
| Image | What it does | Upstream | Final size |
|---|---|---|---|
| fio | I/O benchmarking tool (static binary) | axboe/fio | ~0.5 MB |
docker pull ghcr.io/evariops/fio:<tag>There is no latest tag. All exact tags are immutable.
ghcr.io/evariops/fio:v3.41.0 ← exact version, never changes
ghcr.io/evariops/fio:v3.41 ← floating, follows the latest patch
The version scheme is v<upstream>.<patch> where the patch number tracks our rebuilds (Dockerfile changes, dependency bumps) of the same upstream release.
Git tags follow the convention
fio/v3.41.0, etc.
All images are signed with Sigstore cosign (keyless — no keys to manage).
cosign verify \
--certificate-identity-regexp="https://github.com/Evariops/containers/" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
ghcr.io/evariops/fio:<tag>Both SPDX and CycloneDX SBOMs are attached to each image.
# View SPDX SBOM
cosign verify-attestation --type spdxjson \
--certificate-identity-regexp="https://github.com/Evariops/containers/" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
ghcr.io/evariops/fio:<tag> 2>/dev/null | jq -r '.payload' | base64 -d | jq .Replace spdxjson with cyclonedx for the CycloneDX format.