Fetch the open source code related to Chainguard packages and images, as defined in the SBOMs.
Chainguard images contain two types of APKs:
- Public Wolfi packages (`pkg:apk/wolfi/*`) — open source packages built from the Wolfi repository
- Enterprise packages (`pkg:apk/chainguard/*`) — private packages served from `apk.cgr.dev`

`chainguard-source` downloads source for both. When using `--image`, the script reads `/etc/apk/repositories` from the image to determine where each APK is served from, tries each repository in order, and falls back to `apk.cgr.dev` with authentication for packages not found in any public repo.
Additional dependencies for enterprise images:
- `crane` — reads the APK repository list from the image
- `chainctl` — generates a pull token for authenticating against `apk.cgr.dev`

When using `--image` with a `cgr.dev/ORG/image` URL, the Chainguard org is auto-detected:

```
$ chainguard-source -y --image cgr.dev/example.com/redis:latest
$ chainguard-source --yes --image cgr.dev/chainguard/wolfi-base:latest
```

For `--package` or `--sbom` mode, specify the org explicitly with `--org`:

```
$ chainguard-source -y --org example.com --sbom /tmp/image.sbom.spdx.json
```

Authentication uses `chainctl` — ensure you are logged in before running:

```
$ chainctl auth login
```

Fetch sources by package name and version:

```
$ chainguard-source --yes --package hello-wolfi
$ chainguard-source -y -p hello-wolfi-2.12.1-r6
```

Fetch sources from local SBOM file:

```
$ chainguard-source -y --sbom /tmp/midnight-commander.sbom.spdx.json
$ chainguard-source -y -s /tmp/wordpress.latest.sbom.spdx.json
```
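
A pre-flight check for `--sbom` mode, as an added example that is not part of `chainguard-source`: it groups the APK purls in an SPDX JSON SBOM into `pkg:apk/wolfi/*` and `pkg:apk/chainguard/*` and reports whether any enterprise package is present, in which case `--org` and a `chainctl` login are needed. The sample SBOM is constructed, the function names are hypothetical, and the code assumes purls are stored in each package's `externalRefs` as in SPDX 2.x JSON.

```python
import json
from urllib.parse import unquote

# Constructed SPDX 2.x fragment (not from a real image); only the fields used here.
SAMPLE_SBOM = json.dumps({"packages": [
    {"name": "busybox", "externalRefs": [{"referenceType": "purl",
        "referenceLocator": "pkg:apk/wolfi/busybox@1.36.1-r0?arch=x86_64"}]},
    {"name": "redis", "externalRefs": [{"referenceType": "purl",
        "referenceLocator": "pkg:apk/chainguard/redis@7.2.4-r1?arch=x86_64"}]},
    {"name": "redis-image", "externalRefs": [{"referenceType": "purl",
        "referenceLocator": "pkg:oci/redis@sha256%3Aabc"}]},
    {"name": "no-refs"},
]})

def parse_apk_purl(purl):
    """Return (namespace, name, version) for a pkg:apk/ purl, else None."""
    if not purl.startswith("pkg:apk/"):
        return None
    # Drop subpath and qualifiers (e.g. ?arch=x86_64) before splitting.
    path = purl[len("pkg:apk/"):].split("#", 1)[0].split("?", 1)[0]
    path, _, version = path.partition("@")
    namespace, _, name = path.rpartition("/")
    if not namespace or not name:
        return None
    return unquote(namespace), unquote(name), unquote(version)

def classify(sbom_text):
    """Group APKs in an SPDX JSON SBOM by purl namespace, as name-version."""
    groups = {"wolfi": [], "chainguard": [], "other": []}
    for pkg in json.loads(sbom_text).get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            parsed = parse_apk_purl(ref.get("referenceLocator", ""))
            if parsed is None:
                continue  # non-APK purls (e.g. the image itself) are skipped
            ns, name, version = parsed
            key = ns if ns in ("wolfi", "chainguard") else "other"
            groups[key].append(f"{name}-{version}")
    return groups

def needs_auth(groups):
    """Enterprise packages are private and served from apk.cgr.dev."""
    return bool(groups["chainguard"])

if __name__ == "__main__":
    g = classify(SAMPLE_SBOM)
    print(g, "auth required:", needs_auth(g))
```
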