apko

License: Apache-2.0

apko is a tool from Chainguard that builds OCI container images declaratively from a YAML file and a set of APK packages. There is no Dockerfile, no RUN steps, and no container runtime involved in the build — apko resolves the package list, fetches the APKs, and writes a tarball that is already a valid OCI image.

Because the build is purely a package install with no arbitrary shell execution, apko produces bit-for-bit reproducible images: the same config and package versions give the exact same image hash on any machine. Every build also generates an SBOM in SPDX format and sets the image creation timestamp to the epoch (or a user-specified value) so layer digests are stable. It is the tool Chainguard uses to produce their Wolfi-based distroless images, and it is typically paired with melange, which builds the APKs themselves from source.
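A minimal configuration of the kind described above, as an added example rather than one taken from the apko project or Chainguard. The package selection, the `nonroot` account, the architectures and the file name `apko.yaml` are assumptions chosen for illustration.

```yaml
# apko.yaml (illustrative file name): a shell-less base image built from Wolfi packages.
# Build with:  apko build apko.yaml example-base:latest example-base.tar
# Building twice and comparing the resulting image digests is the practical check
# for the reproducibility property: same config + same resolved versions = same digest.

contents:
  # Where APKs are fetched from, and the public key used to verify the
  # repository index signature. Only packages from these repositories can
  # end up in the image.
  repositories:
    - https://packages.wolfi.dev/os
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  # The complete contents of the image. There is no package manager or shell
  # unless one is listed here. Unpinned names resolve to whatever version the
  # repository serves at build time, so the digest stays the same only while
  # the resolved versions do.
  packages:
    - wolfi-baselayout
    - ca-certificates-bundle
    - tzdata

accounts:
  # Declare an unprivileged account and make it the default user, so
  # workloads built on this base do not start as root.
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
      gid: 65532
  run-as: 65532

environment:
  # Point TLS clients at the CA bundle installed above.
  SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt

# One image per architecture, combined into a multi-arch index.
archs:
  - x86_64
  - aarch64
```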

In the image build landscape apko sits alongside ko (for Go binaries), BuildKit (general Dockerfile builds), and Buildpacks. Its niche is supply-chain focused base images: minimal, reproducible, SBOM-attested, and free of the build tools and package managers that inflate attack surface in traditional Alpine or Debian images. If you are not using Wolfi or Alpine APK packages, apko is not the right tool.