Neo4j
Image · Graph · low · v2026.05.0
Graph database for connected data. Community edition is GPLv3.
Current digest (deployed by the chart)
sha256:69ac1493b290539d8cba68bf0c05249f93a12db09606c10ee3b821fc3af3c0c8Signatures, the SBOM, and provenance all attach to this digest. Pin to it for reproducible, tamper-evident pulls.
Security report (Trivy, via ArtifactHub)
0 fixable CVEsPull the image
Run it directly with Docker, Podman, or any Kubernetes workload. Nonroot, read-only root filesystem, built for amd64 and arm64.
Pull (tag)
docker pull ghcr.io/quenchworks/images/neo4j:2026.05.0Pinned by digest (recommended)
docker pull ghcr.io/quenchworks/images/neo4j@sha256:69ac1493b290539d8cba68bf0c05249f93a12db09606c10ee3b821fc3af3c0c8Tags
Images are tagged by app version (never :latest): a multi-arch index plus per-arch tags.
- App version
- 2026.05.0
- Architectures
- amd64, arm64
- Runs as
- nonroot (uid 1001)
- Root filesystem
- read-only
- License
- GPL-3.0
Verify the supply chain
This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three yourself:
# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/neo4j:2026.05.0 \
--certificate-identity-regexp 'https://github.com/quenchworks/.+' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/neo4j:2026.05.0 --owner quenchworks
# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/neo4j:2026.05.0 --owner quenchworks \
--predicate-type https://spdx.dev/DocumentSee the SBOM & provenance guide for reading the SBOM and using these checks in CI.
Transparency
Every attestation is published on the org's GitHub attestations listing and logged to the Sigstore transparency log (Rekor), which cosign verify and gh attestation verify check for you.
Upstream project: https://github.com/neo4j/neo4j