Enterprises that run containers on their public, private, and hybrid clouds want to know that their container images are secure. Os-explode is a tool that sets up the containers to be scanned by a scanning container such as the OpenSCAP container. Os-explode watches an OpenShift image stream for images being pushed to a local registry. It then takes the layers from the image stream and commits each layer into an OSTree repository.
OSTree is a tool that combines a “git-like” model for committing and downloading bootable filesystem trees, along with a layer for deploying them and managing the bootloader configuration. It was designed so that package managers, system upgrade tools, etc. can use OSTree as a “deduplicating hardlink store.” Recently, OSTree has become popular for use with containers. However, many platforms that work with containers do so in Go. This library provides a set of Go bindings for OSTree that mimic the command line as much as possible, so as to make it easy for container teams to use OSTree.
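The "deduplicating hardlink store" idea above, as an added example that is not OSTree's code or the Go bindings' API: a simplified content-addressed store in which committing a second layer only adds the files whose content is new, so a scanner fed from it looks at each unique file once. `Store` and `Commit` are hypothetical names, the layers are constructed samples, and the sketch assumes layers and store share a filesystem and that files fit in memory.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

type Store struct{ Root string } // toy content-addressed store, not OSTree's format

// Commit hard-links each regular file of an unpacked layer into
// Root/objects/<sha256> and returns the digests that were new to the store.
func (s Store) Commit(layer string) ([]string, error) {
	var fresh []string
	objects := filepath.Join(s.Root, "objects")
	if err := os.MkdirAll(objects, 0o755); err != nil {
		return nil, err
	}
	err := filepath.WalkDir(layer, func(p string, d os.DirEntry, werr error) error {
		if werr != nil || !d.Type().IsRegular() {
			return werr // directories are descended; symlinks are never followed
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		obj := filepath.Join(objects, hex.EncodeToString(sum[:]))
		if _, err := os.Lstat(obj); err == nil {
			return nil // identical content already stored: deduplicated
		}
		fresh = append(fresh, filepath.Base(obj))
		return os.Link(p, obj) // hard link, so no second copy of the data
	})
	return fresh, err
}

func main() {
	tmp, _ := os.MkdirTemp("", "store")
	defer os.RemoveAll(tmp)
	for _, l := range []string{"base", "app"} { // constructed sample layers
		os.MkdirAll(filepath.Join(tmp, l, "etc"), 0o755)
		os.WriteFile(filepath.Join(tmp, l, "etc", "motd"), []byte("shared\n"), 0o644)
		os.WriteFile(filepath.Join(tmp, l, l+".conf"), []byte(l), 0o644)
		fresh, err := Store{Root: filepath.Join(tmp, "repo")}.Commit(filepath.Join(tmp, l))
		fmt.Println(l, "new objects:", len(fresh), err)
	}
}
```

With the sample layers, `base` adds two objects and `app` adds only one, because both layers ship the same `etc/motd`.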
One of the libraries that makes Go so powerful is cgo, a set of bindings for calling C code from Go. This is called a Foreign Function Interface (or FFI), and despite the versatility it adds to Go, it can be a tricky library to use. To help ease new users through some of the trickier aspects of cgo, here are some general best practices.

Structs

Handling C structs is one of the most common issues with cgo code.