jfxs/alpine-task

By jfxs

Updated 21 days ago

A lightweight Task Docker image based on Alpine Linux

Image
Developer Tools
0

10K+

Docker alpine task

Software LicensePipeline Status

A Task Docker image:

  • lightweight image based on Alpine Linux only 11 MB,
  • multiarch with support of amd64 and arm64,
  • non-root container user,
  • automatically updated by comparing SBOM changes,
  • image signed with Cosign,
  • an SBOM attestation added using Syft,
  • available on Docker Hub and Quay.io.

GitLab The main repository.

Docker Hub The Docker Hub registry.

Quay.io The Quay.io registry.

Running task

docker run -t --rm jfxs/alpine-task task --version

or

docker run -t --rm quay.io/ifxs/alpine-task task --version

Built with

Docker latest tag is 3.41.0-005, 3.41, 3 and contains:

NameVersionType
ca-certificates20241121-r1apk
curl8.12.1-r0apk
file5.46-r2apk
git2.47.2-r0apk
github.com/go-task/task/v3v3.41.0go-module
jq1.7.1-r0apk

Details are updated on Dockerhub Overview page when an image is published.

Versioning

The Docker tag is defined by the Task version used and an increment to differentiate build with the same Task version:

<task_version>-<increment>

Example: 3.19.1-003

Signature and attestation

Cosign public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEa3yV6+yd/l4zh/tfT6Tx+zn0dhy3
BhFqSad1norLeKSCN2MILv4fZ9GA6ODOlJOw+7vzUvzZVr9IXnxEdjoWJw==
-----END PUBLIC KEY-----

The public key is also available online: https://gitlab.com/op_so/docker/cosign-public-key/-/raw/main/cosign.pub.

To verify an image:

cosign verify --key cosign.pub $IMAGE_URI

To verify and get the SBOM attestation:

cosign verify-attestation --key cosign.pub --type spdxjson $IMAGE_URI | jq '.payload | @base64d | fromjson | .predicate'

Authors

License

This program is free software: you can redistribute it and/or modify it under the terms of the MIT License (MIT). See the LICENSE for details.

Docker Pull Command

docker pull jfxs/alpine-task