Alauda DevOps Pipelines Docs
  • English

    • Built-in Tool Images Selection Guide

    This page helps you quickly choose the right tool image for your pipeline steps. It offers three ways to find what you need:

    1. Select Image by Scenario — What do I need to do? Which image should I use?
    2. Find Image by Tool — I need a specific tool. Which images include it?
    3. Image Details — Full info for each image: registry, tags, tools, and usage boundaries.

    Note: All image addresses in this document use registry.alauda.cn:60070 as the example prefix. At runtime, this is automatically replaced with the actual registry address of your environment.

    TOC

    Select Image by ScenarioFind Image by ToolImage DetailsGeneralrun-scriptSource Controlgit-initglabBuildmavenpythonImage & ArtifactbuildahhelmSecurity & Compliancetrivysyftcosignsonarqube-scannersonarqube-shellsonarqube-cliDeploy & Operationskubectlkubectl-app-managerkustomize

    Select Image by Scenario

    Quick start: find your current pipeline step's responsibility and use the recommended image directly.

    CategoryScenarioRecommended ImageDescription
    Source ControlCode clone, checkout, submodulesgit-initDedicated git clone image with auth and submodule support
    GitLab MR / repo automationglabGitLab CLI for MR creation, comments, and merges
    BuildJava build, test, and packagemavenMaven + JDK 21
    Python scripts and testspythonPython + pip
    Image & ArtifactOCI image build and pushbuildahRootless build, no Docker daemon required
    Helm chart package and publishhelmIncludes oras, kubectl, yq
    Security & ComplianceImage/filesystem vulnerability scantrivyPre-loaded vulnerability database
    SBOM generationsyftIncludes cosign for optional signing
    Image signing and verificationcosignSupports keyless and attestation
    Code quality scansonarqube-scannerSonarQube Scanner + JDK 21
    Deploy & OperationsKubernetes resource deploymentkubectlkubectl + yq
    Application CRD managementkubectl-app-managerkubectl-application plugin + kubectl
    GitOps manifest renderingkustomizekustomize + yq + git
    GeneralScript execution, lightweight automationrun-scriptMinimal Alpine with bash/curl/tar

    Find Image by Tool

    Already know which tool you need? Find all images that include it and pick the one that best fits your scenario.

    ToolImages containing this tool
    bashrun-script cosign trivy glab sonarqube-shell helm kubectl kubectl-app-manager kustomize syft
    curlrun-script cosign trivy glab helm kubectl kubectl-app-manager syft
    jqcosign trivy glab helm kubectl kubectl-app-manager kustomize syft
    tarrun-script cosign trivy glab helm kubectl kubectl-app-manager syft
    gitgit-init glab kustomize sonarqube-scanner
    yqkubectl kubectl-app-manager kustomize helm
    kubectlkubectl kubectl-app-manager helm
    helmhelm (v4.1 / v3.18)
    orashelm
    kustomizekustomize
    cosigncosign syft
    trivytrivy
    syftsyft
    buildahbuildah
    glabglab
    sonar-scannersonarqube-scanner
    JDKmaven sonarqube-scanner
    Mavenmaven
    Pythonpython
    pippython

    Image Details

    Full address format: <registry>:<tag>, e.g. registry.alauda.cn:60070/devops/tektoncd/hub/kubectl:latest.

    General

    run-script

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/run-script
    Taglatest
    v3.21
    Main Toolsbash 5.x
    Bundled Toolscurl, tar
    Best ForGeneral script tasks, quick prototyping, lightweight automation
    Not RecommendedWhen Java/Go/Helm/Kustomize or other specialized toolchains are needed

    Source Control

    git-init

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/git-init
    Taglatest
    v1.1
    Main Toolsgit-init 1.1
    Bundled Toolsgit
    Best ForRepository clone, checkout, submodule handling, authenticated clone
    Not RecommendedBuild, scan, or deploy steps that don't involve code checkout

    glab

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/glab
    Taglatest
    v1.82
    Main Toolsglab 1.82
    Bundled Toolsgit, jq, curl
    Best ForGitLab MR, repo collaboration, GitLab automation
    Not RecommendedNon-GitLab pipeline steps

    Build

    maven

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/maven
    Taglatest
    v3.9-jdk21
    Main ToolsMaven 3.9, JDK 21
    Bundled Toolsshell runtime
    Best ForJava project build, test, package, and publish
    Not RecommendedNon-Java tech stacks, or when Gradle/SBT is required

    python

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/python
    Taglatest
    v3.13
    Main ToolsPython 3.13
    Bundled Toolspip
    Best ForPython script execution, testing, utility tasks
    Not RecommendedJava/Go build workflows

    Image & Artifact

    buildah

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/buildah
    Taglatest
    v1.33
    Main Toolsbuildah 1.42
    Bundled Toolsrootless build support
    Best ForOCI image build and push
    Not RecommendedVulnerability scanning, signing, or SBOM generation only

    helm

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/helm
    Taglatest
    v4.1
    v3.18
    Main Toolshelm 4.1 / 3.18
    Bundled Toolsoras 1.3, kubectl 1.33, yq 4.47
    Best ForHelm chart package, publish, install, and upgrade
    Not RecommendedGeneric resource patching or pure Kustomize workflows

    Security & Compliance

    trivy

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/trivy
    Taglatest
    v0.65
    Main Toolstrivy 0.65
    Bundled Toolsbash, curl, jq
    Best ForImage, filesystem, and manifest vulnerability scanning
    Not RecommendedWhen signing/verification or SBOM generation is needed

    syft

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/syft
    Taglatest
    v1.23
    Main Toolssyft 1.28
    Bundled Toolscosign 2.6
    Best ForSBOM generation, supply chain material output
    Not RecommendedSigning only (use cosign) or vulnerability scanning only (use trivy)

    cosign

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/cosign
    Taglatest
    v2.5
    Main Toolscosign 2.6
    Bundled Toolsbash, curl, jq
    Best ForImage/artifact signing, verification, attestation
    Not RecommendedWhen SBOM generation or vulnerability scanning is needed

    sonarqube-scanner

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/sonarqube-scanner
    Taglatest
    v8.0
    Main Toolssonar-scanner 8.0, JDK 21
    Bundled Toolsgit
    Best ForSonarQube code scanning and quality gate
    Not RecommendedScript execution, code checkout, or image build steps

    sonarqube-shell

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/sonarqube-shell
    Taglatest
    v4.7
    Main ToolsSonar script environment
    Bundled Toolsbash
    Best ForPre/post-processing scripts in SonarQube workflows
    Not RecommendedAs the main scanning image (use sonarqube-scanner instead)

    sonarqube-cli

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/sonarqube-cli
    Taglatest
    v4.7
    Main ToolsSonar helper CLI
    Bundled Toolsenv-entrypoint script
    Best ForAuxiliary processing and bridging steps in SonarQube workflows
    Not RecommendedAs a replacement for the main scanner or general-purpose pipeline base

    Deploy & Operations

    kubectl

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/kubectl
    Taglatest
    v1.33
    Main Toolskubectl 1.33
    Bundled Toolsyq 4.47
    Best ForKubernetes resource apply/patch/rollout and general operations
    Not RecommendedWhen Helm release workflow or Application CRD plugin is needed

    kubectl-app-manager

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/kubectl-app-manager
    Taglatest
    v0.1
    Main Toolskubectl-application 0.1, kubectl 1.33
    Bundled Toolsyq 4.47
    Best ForApplication CRD lifecycle management and release
    Not RecommendedGeneral Kubernetes operations (prefer kubectl)

    kustomize

    FieldContent
    Registryregistry.alauda.cn:60070/devops/tektoncd/hub/kustomize
    Taglatest
    v5.8
    Main Toolskustomize 5.8
    Bundled Toolsyq 4.47, git
    Best ForGitOps manifest rendering, overlays, and patch updates
    Not RecommendedDirect online cluster changes (prefer kubectl)

    Notes:

    • All images run as UID 65532 (non-root user).
    • latest usually points to the newest fixed tag.
    • latest may introduce major tool version changes in the future. Use fixed tags if stability is a priority.
    • Tool versions are at the major.minor level; patch versions are upgraded automatically with image updates.