Safeguard
Open Source Security

apko and melange: declarative container build tools

How Chainguard's apko and melange replace Dockerfiles with declarative, reproducible builds — and where the security claims need independent verification.

Karan Patel
Cloud Security Engineer
8 min read

Every container image starts somewhere, and for most teams that somewhere is a Dockerfile full of apt-get install, cached layers, and whatever base image happened to be popular the day someone wrote it. Chainguard built its business on the argument that this is backwards — that images should be assembled deterministically from signed packages, not scripted imperatively and hoped into reproducibility. The tools behind that argument are apko and melange, two Apache-2.0 licensed projects that compile YAML into OCI images and APK packages, respectively, with no Dockerfile in sight.

Both tools are open source and free for anyone to adopt, which means the interesting question isn't "should I use apko and melange" but "what am I actually signing up for when a vendor's entire security pitch is built on top of them." This post breaks down how the tools work, what problems they solve, where the model has real limits, and how Safeguard helps teams validate the supply chain claims that come with them — whether or not Chainguard is in the picture.

What are apko and melange, and why did Chainguard build them?

apko and melange are Chainguard's open-source pair of build tools for producing minimal, reproducible container images without writing a Dockerfile. Chainguard, founded in September 2021 by former Google and AWS engineers including Dan Lorenc (a co-creator of Sigstore and the SLSA framework), released melange in 2022 and apko shortly before it, open-sourcing both under Apache 2.0 from day one. The motivation was direct: the pair had spent years watching container supply chains break because images were built from mutable, undocumented shell scripts layered on top of general-purpose Linux distributions carrying years of accumulated package cruft. apko and melange are the tooling half of that fix; the other half is Wolfi, the "undistro" Chainguard announced in September 2022, and the commercial Chainguard Images catalog built on top of all three. Today Chainguard offers well over 1,000 hardened images spanning language runtimes, databases, and base operating systems, all produced through this same apko/melange pipeline.

How does apko turn YAML into a container image without a Dockerfile?

apko builds an OCI-compliant container image by assembling APK packages directly into filesystem layers, skipping the imperative build step entirely. Instead of a Dockerfile with FROM, RUN, and COPY instructions, you write a YAML manifest listing the packages you want (say, wolfi-base, python-3.12, and py3.12-pip), the entrypoint, the user to run as, and target architectures. apko resolves that manifest against a package repository, lays the resulting files into layers, and emits a multi-arch OCI image — no shell execution, no cached intermediate layers with leftover build tools, no non-determinism from network calls made mid-build. Because there's no RUN curl | sh step, there's no way for a compromised script to inject something the manifest doesn't declare. apko also generates a software bill of materials as part of the build, typically in SPDX or CycloneDX format, so the resulting image ships with an accurate package manifest instead of one reconstructed after the fact by a scanner guessing at installed files.

How does melange build packages instead of images?

melange is the package-building counterpart to apko: it compiles source code into signed APK packages using declarative YAML pipelines instead of custom build scripts. A melange manifest defines a sequence of pipeline steps — fetch source, apply patches, run make, install into a fake root — executed inside an isolated sandbox (Chainguard uses Bubblewrap or QEMU/VM-based isolation depending on platform) so the build has no ambient access to the host or the network beyond declared fetch steps. This matters because it's the mechanism that makes Wolfi's packages buildable from source by anyone, not just Chainguard: the same manifest that produces Chainguard's internal openssl package is the one published in the wolfi-dev/os GitHub repository, so an outside party can rebuild it and compare hashes. melange also signs the packages it produces and can target reproducible builds by controlling timestamps and build environment variables, which is a prerequisite for the kind of build-hash verification that SLSA Level 3 attestation depends on.

Why do Wolfi and Chainguard Images report near-zero CVE counts?

Wolfi and Chainguard Images report low or zero known CVEs mainly because they ship current package versions with almost nothing extra installed, not because of some novel scanning technique. A typical python:3.12-slim Debian-based image commonly carries several dozen known CVEs at any given time purely from OS-level packages that Python doesn't even need at runtime — things like perl, gzip, or leftover libraries pulled in as transitive dependencies of the base OS. Wolfi has no such baggage: it's built as a from-scratch distro with a rolling-release model, so packages are rebuilt frequently (often within hours of an upstream CVE fix) and images contain only what the manifest explicitly lists. Chainguard's own images frequently ship without a shell, without a package manager, and without glibc utilities beyond the bare minimum, cutting the addressable attack surface dramatically compared to a several-hundred-megabyte general-purpose base image. The "zero CVE" claim on Chainguard's marketing pages is real in the narrow sense that a scanner finds nothing at that moment — but it's a snapshot, not a guarantee, and it resets every time a new CVE is disclosed against something in the image.

What are the tradeoffs of building your supply chain on this model?

The tradeoff is that reproducibility and minimalism shift work and risk onto the rebuild pipeline and the package source of truth, rather than eliminating them. Because Wolfi packages track upstream aggressively, a team pinning to latest can see behavioral changes or ABI shifts land faster than on a slower-moving distro like Debian stable, which trades some security lag for predictability. The APK format and Wolfi's package set are also newer and smaller than Debian's or Red Hat's decades-deep archives, so less common libraries sometimes aren't packaged yet, forcing teams to write their own melange manifests — which reintroduces exactly the kind of custom build logic apko/melange were meant to replace, just in YAML instead of Bash. And because Chainguard controls both the tooling and the primary hosted package repository, an organization standardizing on Chainguard Images is also making a vendor and governance bet, not just a tooling choice — worth stating plainly, since apko and melange being open source doesn't mean the surrounding ecosystem (image catalog, enterprise support, private repositories) is. Chainguard has raised substantial capital on this thesis, including a Series B round in early 2023 valuing the company near $500 million and a later round pushing that valuation past $3 billion, which tells you the commercial layer is a real and growing part of the pitch alongside the open-source core.

How Safeguard Helps

Whether your organization builds on Wolfi, pulls from Chainguard's catalog, or just wants to know what's actually running in a fleet of containers assembled by other teams, the underlying question is the same: can you verify the supply chain claims instead of trusting a marketing page's CVE count. Safeguard is built for exactly that gap.

  • SBOM verification, not just SBOM collection. apko and melange emit SPDX/CycloneDX SBOMs at build time, but a generated SBOM is only as trustworthy as the pipeline that produced it. Safeguard ingests these SBOMs and cross-checks them against actual image contents and live vulnerability feeds, so a "zero CVE" image at build time doesn't quietly drift out of date after deployment.
  • Provenance and signature validation at scale. melange-built packages and apko-built images are typically signed via Sigstore/cosign with in-toto attestations. Safeguard verifies those signatures and attestation chains automatically across your registries, flagging any image that claims Wolfi/Chainguard provenance but can't produce a valid, matching attestation.
  • Mixed-fleet policy enforcement. Most organizations aren't 100% Wolfi or 100% Chainguard Images — they run a mix of Debian, Alpine, Chainguard, and custom bases. Safeguard applies consistent vulnerability and hardening policy across that mix, rather than treating minimal-image adoption as an all-or-nothing security posture.
  • Continuous monitoring beyond the build snapshot. A CVE disclosed an hour after your last build isn't reflected in any manifest. Safeguard continuously rescans deployed images against current CVE data, so security posture is tracked in production, not just at CI time.
  • Vendor-neutral supply chain visibility. If you later migrate off Chainguard's catalog, self-host Wolfi builds, or bring melange manifests in-house, Safeguard's analysis isn't tied to any single vendor's tooling or attestation format, which keeps your security data portable regardless of which build system produced the image.

apko and melange represent a genuinely better default for how container images get built — declarative, minimal, and verifiable in principle. Safeguard's role is making sure "in principle" holds up in your actual environment, continuously, across every image regardless of who built it or which pipeline it came from.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.