apk

How FOSSA detects, licenses, and reports Alpine Linux (apk) packages during container scanning.

1 min readUpdated Jul 9, 2026

Overview

The Alpine Package Manager (apk) installs system packages on Alpine Linux images. FOSSA detects apk packages when it scans a container image.

Note

apk packages are detected only during container scanning, not during a normal fossa analyze of a source repository.

How FOSSA identifies apk packages

A detected apk package is identified by its name, the Alpine distribution and version, its architecture, and its package version. Alpine versions are normalized to major.minor (for example, 3.15), so packages from 3.15.2 and 3.15.4 resolve against the same Alpine release line.

Licenses for apk packages are resolved from FOSSA's Knowledge service using each package's declared-license metadata, rather than being read out of the image at scan time. Alpine packages generally include complete license information.

Discovery

FOSSA looks for a file named installed under any **/apk/** path in the image, the apk installed-package database.

Analysis

FOSSA parses the database and reports each package's name, version, and architecture. For example, this record:

C:Q1Deb0jNytkrjPW4N/eKLZ43BwOlw=
P:musl
V:1.2.2-r7
A:x86_64
S:383152
I:622592
T:the musl c library (libc) implementation
U:https://musl.libc.org/
L:MIT
o:musl
m:Timo Teräs <timo.teras@iki.fi>
t:1632431095

is reported as the dependency musl at version 1.2.2-r7 for architecture x86_64. The package release suffix (-r7) is preserved, which matters for vulnerability matching: Alpine backports security fixes into new releases of the same version.

FAQ

How do I only analyze apk packages?

Specify the apkdb analysis target in a .fossa.yml file to exclude all other targets:

YAML
# .fossa.ymlversion: 3targets:  only:    - type: apkdb
© 2026 FOSSA, Inc.support@fossa.com