registries.social / npm-tester
Pull this image
docker pull atcr.io/registries.social/npm-tester:latest
Overview
Chainguard Images
This repository holds the public build configuration for available Chainguard Images — minimal, hardened OCI images published to cgr.dev/chainguard/<image>.
Using an image
Images are published at cgr.dev/chainguard/<name>. For example:
docker pull cgr.dev/chainguard/static:latest
docker pull cgr.dev/chainguard/nginx:latest
Browse the full catalog at images.chainguard.dev. Each image’s usage notes live in its own README under images/<name>/README.md.
How images are built
Every image is produced with apko from a pinned, reproducible configuration stored alongside the image:
images/<name>/
├── locked_config.json # Pinned apko config per architecture (+ tags, repo)
├── README.md # User-facing documentation for the image
├── tests/ # End-to-end tests
└── metadata.yaml # Image metadata
locked_config.json is the source of truth for what goes into the published image. It contains a fully resolved apko configuration — exact package versions, accounts, entrypoint, environment, and annotations — for each supported architecture. Because the package versions are pinned, builds are reproducible: the same locked_config.json produces the same image content.
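The pinning property described above can be checked mechanically before a lock file is trusted. The following is an added example, not code from this repository. It assumes a lock file with a top-level "configs" map keyed by architecture, each value holding an apko-style contents.packages list; that layout, the audit_lock name and the package entries are constructed for illustration.

```python
import json
import re

# apko package entries may be bare ("busybox"), ranged ("npm~10", "x>=1.2")
# or exact ("npm=10.8.1-r0"). Only an exact "=" pin that carries an
# Alpine-style "-rN" release suffix is treated as locked here.
EXACT_PIN = re.compile(r"^(?P<name>[^=<>~\s]+)=(?P<version>[^=<>~\s]+-r\d+)$")

# Constructed sample, not a real lock file. ASSUMPTION: top-level "configs"
# keyed by architecture, each an apko config with contents.packages.
SAMPLE_LOCK = json.loads("""
{
  "configs": {
    "x86_64": {"contents": {"packages": [
      "ca-certificates-bundle=20240705-r0", "nodejs-22=22.4.1-r0", "npm~10"]}},
    "aarch64": {"contents": {"packages": [
      "ca-certificates-bundle=20240705-r0", "nodejs-22=22.4.0-r2",
      "npm=10.8.1-r0", "busybox"]}}
  }
}
""")


def audit_lock(lock):
    """Return (unpinned, drift) for a parsed lock file.

    unpinned: sorted (arch, entry) pairs that are not exact pins.
    drift:    {package: {arch: version}} for packages pinned to different
              versions across architectures (flagged for review, not
              necessarily an error).
    """
    unpinned, pins = [], {}
    for arch, cfg in lock.get("configs", {}).items():
        for entry in cfg.get("contents", {}).get("packages", []):
            m = EXACT_PIN.match(entry)
            if m is None:
                unpinned.append((arch, entry))
            else:
                pins.setdefault(m["name"], {})[arch] = m["version"]
    drift = {n: v for n, v in pins.items() if len(set(v.values())) > 1}
    return sorted(unpinned), drift


if __name__ == "__main__":
    unpinned, drift = audit_lock(SAMPLE_LOCK)
    for arch, entry in unpinned:
        print(f"UNPINNED {arch}: {entry}")
    for name, versions in drift.items():
        print(f"DRIFT {name}: {versions}")
```

Any UNPINNED entry means the resolver can pick a different package version on the next build, which breaks the same-input, same-image guarantee.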
Publication is driven by the release.yaml workflow. When a locked_config.json changes on main (or on the daily schedule), the workflow shards the affected images and invokes the Terraform module at main.tf, which:
- Reads images/<name>/locked_config.json.
- Builds each variant with the apko Terraform provider.
- Publishes the resulting OCI images to cgr.dev/chainguard/<name> along with SBOMs and cosign attestations.
- Applies the tags declared in the lock file.
Building an image locally
You can reproduce a build on your own machine using apko and the locked_config.json checked into this repo. See BUILDING.md for a step-by-step example.
Repository layout
| Path | Purpose |
|---|---|
| images/<name>/ | Per-image build config, tests, and README |
| policies/ | Policy definitions applied to published images |
| tflib/ | Shared Terraform modules used by the release driver |
| .github/workflows/release.yaml | Workflow that runs the release |
More
- Image guidelines — the design standards every image follows.
- Withdrawing images — how tags and repos are retired.
- Security policy — reporting vulnerabilities.
- Chainguard Images docs — background and concepts.
- Chainguard Console — log in to view the full commercial catalog.
Tags
sha256:5084d4ec4282cd2b78ed60c5c1ea7b42fce34ed05162cebef7a5c50b10817e3b
docker pull atcr.io/registries.social/npm-tester:latest
Manifests
sha256:5084d4ec4282cd2b78ed60c5c1ea7b42fce34ed05162cebef7a5c50b10817e3b
sha256:cdde61b17716abf2eca5ae67488fbfab63cf41068e9d54f9a69e5eb5640f95ec
sha256:59520d5816951f1046bad17f299510503a212ae0f0cbed82e42210d7b66c2379