Capabilities

APK

APK package format analysis and vulnerability scanning capabilities

Package analysis

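| Cataloger + Evidence | License | Dependencies: Depth | Dependencies: Edges | Dependencies: Kinds | Package Manager Claims: Files | Package Manager Claims: Digests | Package Manager Claims: Integrity Hash |
| --- | --- | --- | --- | --- | --- | --- | --- |
| apk-db-cataloger (lib/apk/db/installed) | | Transitive | Complete | Runtime | | | |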

Vulnerability scanning

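| Data Source | Disclosures: Affected | Disclosures: Date | Fixes: Versions | Fixes: Date | Track by Source Package |
| --- | --- | --- | --- | --- | --- |
| Alpine SecDB | | | | | |
| National Vulnerability Database (NVD) | | | | | |
| Chainguard Security | | | | | |
| MINIMOS Security | | | | | |
| Wolfi Security | | | | | |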

The APK vulnerability matcher searches all data sources for upstream packages, including NVD.

Operating systems

| Operating System | Supported Versions | Provider | Data Source |
| --- | --- | --- | --- |
| Alpine Linux | 3.2+, edge | alpine | Alpine SecDB |
| Chainguard OS | rolling | chainguard | Chainguard Security |
| MinimOS | rolling | minimos | MINIMOS Security |
| Wolfi | rolling | wolfi | Wolfi Security |

The APK vulnerability database (a.k.a. “SecDB”) includes data from the Alpine Security Tracker, which provides fix information for known vulnerabilities that affect Alpine Linux packages. This database only includes vulnerabilities that have fixes available and does not track unfixed vulnerabilities. The maintainers of the SecDB intend for the primary source of truth for disclosures to be the National Vulnerability Database (NVD).

This is true of other APK vulnerability data sources as well (such as Chainguard, Wolfi, and MinimOS).
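The sketch below is an added illustration, not the project's own matcher code. It shows why a fix-only source such as SecDB has to be combined with a disclosure source such as NVD: the NVD-style list says which CVEs exist for a source package, and the SecDB-style `secfixes` map says from which version each one is fixed. All data is constructed, the NVD records are reduced to an id and a package name, the `o:` origin field is assumed to be the source package to match on, and `vkey` is a simplified version comparison rather than the full APK ordering.

```python
import re

# Constructed sample inputs (not real advisories, not a real system).
INSTALLED = ("P:examplelib-dev\nV:1.2.3-r1\no:examplelib\n\n"
             "P:otherlib\nV:2.0.0-r0\no:otherlib\n")
NVD = [{"id": "CVE-EXAMPLE-0001", "package": "examplelib"},
       {"id": "CVE-EXAMPLE-0002", "package": "examplelib"},
       {"id": "CVE-EXAMPLE-0003", "package": "otherlib"}]
SECDB = {"packages": [
    {"pkg": {"name": "examplelib", "secfixes": {"1.2.4-r0": ["CVE-EXAMPLE-0001"]}}},
    {"pkg": {"name": "otherlib", "secfixes": {"1.9.0-r0": ["CVE-EXAMPLE-0003"]}}}]}

def parse_installed(text):
    """Return (name, version, origin) per record of lib/apk/db/installed."""
    pkgs = []
    for record in text.strip().split("\n\n"):
        f = dict(line.split(":", 1) for line in record.splitlines() if ":" in line)
        pkgs.append((f["P"], f["V"], f.get("o", f["P"])))  # o: = source package
    return pkgs

def vkey(version):
    """Simplified sort key: dotted numbers plus -rN only (assumption)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def match(installed_text, nvd, secdb):
    """Combine disclosures (NVD) with fix records (SecDB) per source package."""
    fixes = {}  # (source package, CVE id) -> first fixed version
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        for fixed, cves in pkg["secfixes"].items():
            for cve in cves:
                fixes[(pkg["name"], cve)] = fixed
    findings = []
    for name, version, origin in parse_installed(installed_text):
        for disclosure in nvd:
            if disclosure["package"] != origin:
                continue
            fixed = fixes.get((origin, disclosure["id"]))
            if fixed is None:  # disclosed in NVD, no fix recorded in SecDB
                findings.append((name, disclosure["id"], "affected, no fix recorded"))
            elif vkey(version) < vkey(fixed):
                findings.append((name, disclosure["id"], f"affected, fixed in {fixed}"))
    return findings

if __name__ == "__main__":
    for finding in match(INSTALLED, NVD, SECDB):
        print(finding)
```

With SecDB alone, CVE-EXAMPLE-0002 would never be reported for `examplelib-dev`, because no fix exists for it yet.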

Last modified November 26, 2025: allow local too invocation (d20d613)