FAQ
Questions, answered
The things people ask most about a free, hardened catalog: what it costs, how it compares, and how you can check everything for yourself.
- Is it really free?
- Yes. The images and charts are MIT licensed and published to GitHub Container Registry under ghcr.io/quenchworks. There is no account to create, no repo to add, and no paid tier. You pull what you need and run it.
- How is this different from Bitnami?
- Bitnami moved its supported, regularly updated catalog into the paid Tanzu Application Catalog, and its free public images now live in a legacy registry that no longer gets the same updates. QuenchWorks is an independent rebuild from source: hardened, scanned to zero fixable CVEs, signed, pinned by digest, and kept current at no cost. It is not affiliated with Bitnami and does not reuse their charts.
- How is this different from Chainguard?
- Chainguard offers hardened images, but the maintained, current versions sit behind a paid subscription. QuenchWorks publishes its hardened, current images and charts for free. The two are not affiliated.
- How do I trust and verify what I pull?
- Every image is built from source on Wolfi, cosign-signed keyless through Sigstore, and pinned by digest. Each one also carries an SPDX software bill of materials and a SLSA build-provenance attestation on the same digest, which you can verify yourself with the GitHub CLI. The signature proves who built it, the provenance proves how, and the SBOM tells you what is inside. See the SBOM and provenance docs and the security page for the exact commands.
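The three checks described above, as an added example script rather than the project's own documented commands. It assumes cosign, gh and jq are installed, that the reference you pass is already pinned by digest, and that the keyless signing identity is a GitHub Actions workflow in a quenchworks organization (the identity regexp is an assumption; substitute the value from the project's security page).

```shell
#!/bin/sh
# Added example: verify a QuenchWorks pull before running it.
# Assumptions: cosign, gh and jq installed; images signed keyless from
# GitHub Actions workflows under the (assumed) "quenchworks" GitHub org.
set -eu

OWNER="${QW_OWNER:-quenchworks}"                    # assumed GitHub org
OIDC_ISSUER="https://token.actions.githubusercontent.com"
IDENTITY_RE="^https://github.com/${OWNER}/.*"       # assumed signer identity

# Accept only references pinned by digest (registry/name@sha256:<64 hex>).
# Returns 0 for a pinned reference, 1 otherwise, so tag-only pulls are refused.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Signature: proves who built the image (keyless cert bound to the workflow).
verify_signature() {
  cosign verify \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    "$1" >/dev/null
}

# Provenance: proves how it was built (SLSA attestation on the same digest).
verify_provenance() {
  gh attestation verify "oci://$1" --owner "$OWNER"
}

# SBOM: tells you what is inside; the SPDX attestation is bound to the same
# digest. The verified SPDX document is written to stdout for policy checks.
dump_sbom() {
  cosign verify-attestation --type spdxjson \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    "$1" | jq -r '.payload | @base64d | fromjson | .predicate'
}

verify_pull() {
  ref="$1"
  if ! is_digest_pinned "$ref"; then
    echo "refusing tag-only reference, pin by digest: $ref" >&2
    return 1
  fi
  verify_signature "$ref" && verify_provenance "$ref" && dump_sbom "$ref" >/dev/null
}

# Usage: verify.sh ghcr.io/quenchworks/<image>@sha256:<digest>
[ "$#" -eq 0 ] || verify_pull "$1"
```

Run it against the exact digest the chart pins; a mismatch between what the chart references and what you verified is itself a finding.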
- What about licensing?
- The QuenchWorks packaging is MIT. The software inside each image keeps its own upstream license, which is shown on every catalog page. Where an app is source-available rather than OSI-clean, the catalog flags it and points to a clean alternative. The licensing doc explains what counts as clean, what counts as source-available, and which alternatives are recommended.
- Is there support?
- Support is community and best-effort through the GitHub repositories: open an issue for a bug, a CVE, or a request for a new app. There is no paid support contract. The catalog itself is maintained actively, and the changelog records what ships.
- How often is everything rebuilt?
- Daily. The pipeline rebuilds from source and rescans on a daily cadence, so when an upstream package fixes a CVE the hardened image picks it up without you waiting on a release cycle. The digest changes when the contents change, and the chart pins the new digest.
Still unsure? The SBOM and provenance and security pages show how to verify a pull, and the licensing doc covers what is clean and what is source-available.