Docs
Short, practical guides for using the catalog. Install something, check that you can trust it, pin it, and tune it.
0 fixable CVEs
A hard Trivy gate: a fixable CVE fails the build, so nothing ships dirty.
Built from source
Compiled on Wolfi with melange + apko. No Dockerfile, nothing inherited.
Nonroot, read-only
uid 1001, read-only root filesystem, all capabilities dropped.
Multi-arch
linux/amd64 + linux/arm64, one signed index.
Signed
cosign keyless, tied to the build workflow and logged in Rekor.
Pinned by digest
Charts reference images by sha256, never a moving tag.
Guides
Install a QuenchWorks chart and pull an image. Everything ships to GHCR as an OCI artifact.
Move from Bitnami charts and images to QuenchWorks: the registry swap, how the values surface differs, what carries over, and how to migrate stateful data safely.
Verify a QuenchWorks image or chart signature with cosign. Keyless, no key to distribute.
Every QuenchWorks image carries an SPDX SBOM and a SLSA build-provenance attestation, signed keyless and attached to the registry. Verify both with cosign or the GitHub CLI.
Pin QuenchWorks images by sha256 digest so what you run is exactly what was scanned and signed.
Mirror QuenchWorks images and charts into a private or air-gapped registry, repoint the charts, and keep verifying signatures and attestations.
Build images
QuenchWorks ships hardened language runtimes, slim runtime bases, and build-tool images you FROM in your own Dockerfile. Build with the SDK, run on a slim base, and keep the two hardening rules in mind: the images are shell-less and run nonroot read-only.
A hardened multi-stage Dockerfile for Node on the QuenchWorks node and pnpm base images: a prod-deps stage, a build stage, and a slim final stage that ships only production dependencies and the built output. pnpm, npm, and Yarn variants.
A hardened multi-stage Dockerfile for Python on the QuenchWorks python, uv, and poetry base images: build a virtualenv with all the build dependencies in one stage, then copy it onto a slim python base that runs nonroot.
The classic two-stage Go build on QuenchWorks: compile a static binary with CGO disabled on the go image, then copy it onto the tiny static base for a final image that is little more than your binary.
A hardened multi-stage Dockerfile for Java on QuenchWorks: build the jar with the maven or gradle image, then run it on the slim jre base as nonroot. Maven and Gradle variants.
A hardened multi-stage Dockerfile for .NET on QuenchWorks: publish with the dotnet SDK image, then run on the slim aspnet base for web apps or dotnet-runtime for console apps, as nonroot.
Reference
How QuenchWorks images and charts are versioned: app-version tags, no :latest, multi-arch indexes, chart semver, and sha256 digests.
The shared values surface every QuenchWorks chart exposes through the quench-common library chart: image, persistence, resources, scheduling, security context, probes, and networking.
What is OSI-clean in the QuenchWorks catalog, which datastores are source-available (SSPL / BSL), and the truly-open alternative we recommend for each.
Common issues running QuenchWorks images and charts: the missing :latest tag, nonroot and read-only filesystem behavior, volume permissions, and signature verification.
Looking for a specific datastore? Browse all charts or all images.