chainguard-dev · matthewhelmke · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
@@ -6,7 +6,7 @@ aliases:
 type: "article"
 description: "An overview of how to work with Chainguard's Private APK Repositories."
 date: 2025-02-21T11:07:52+02:00
-lastmod: 2025-02-21T11:07:52+02:00
+lastmod: 2026-03-10T08:07:52+02:00
 draft: false
 tags: ["Chainguard Containers"]
 images: []
@@ -28,7 +28,7 @@ For example, say your organization has access to the [Chainguard MySQL container
 Chainguard's private APK repositories are available to all Chainguard Containers customers.
 
 
-## Your Repository Address
+## Your repository address
 
 Your private APK repository will be available at a URL like the following:
 
@@ -105,7 +105,7 @@ apk update
 Following that, you can proceed to search and install packages from your private APK repository.
 
 
-## Searching for and Installing Packages
+## Searching for and installing packages
 
 As an example of how you can search for and install packages from these private repositories, this section will install `wget`. However, you could also try this out with any apk package that is included in any of the Chainguard container images your organization has access to.
 
@@ -214,7 +214,7 @@ wget policy:
 As this output shows, the `wget` apk package is installed in the container.
 
 
-## Using Private APK Repositories with Apko Builds
+## Using Private APK Repositories with apko builds
 
 You can also use your private APK repository with [apko](/open-source/build-tools/apko/overview/) builds. One of the advantages of this method is that you can build distroless images that include only the apk packages you need in the final image. 
 
@@ -265,9 +265,65 @@ You'll get output similar to the following, indicating that the `wget` package w
 . . .
 ```
 
+
+## Using Private APK Repositories with Bazel rules for apko
+
+You can also use your private APK repository with [Bazel](https://bazel.build/) using
+[rules_apko](https://github.com/chainguard-dev/rules_apko), which wraps
+`apko` for use in Bazel builds. Like the `apko` approach, you get the
+advantage of building distroless images that include only the APK packages
+you need in the final image, with the additional benefits of Bazel's
+hermetic, reproducible, and cached build system.
+
+As with the previous examples, you'll need to provide the `HTTP_AUTH`
+environment variable containing your Chainguard token to the `apko` runtime
+building the image:
+
+```shell
+export HTTP_AUTH="basic:apk.cgr.dev:user:$(chainctl auth token --audience apk.cgr.dev)"
+```
+
+In your `apko.yaml`, reference your private Chainguard APK repository:
+```shell
+cat > apko.yaml <<EOF
+contents:
+  repositories:
+  - https://apk.cgr.dev/$ORGANIZATION
+  packages:
+  - wget
+
+archs:
+- x86_64
+- aarch64
+EOF
+```
+
+With `HTTP_AUTH` set and your `apko.yaml` in place, run your Bazel build:
+
+```shell
+build //:my_image
+```
+
+You'll get output similar to the following, indicating that the `wget`
+package was installed using the private APK repository:
+
+```output
+INFO: Analyzed target //:my_image (123 packages loaded, 656 targets configured).
+INFO: From Action my_image:
+2026/03/12 12:46:27 INFO installing wolfi-baselayout (20230201-r28) arch=x86_64
+2026/03/12 12:46:27 INFO installing ca-certificates-bundle (20251003-r4) arch=x86_64
+2026/03/12 12:46:27 INFO installing ld-linux (2.43-r2) arch=x86_64
+2026/03/12 12:46:27 INFO installing glibc (2.43-r2) arch=x86_64
+2026/03/12 12:46:27 INFO installing wget (1.25.0-r0) arch=x86_64
+INFO: Found 1 target...
+Target //:my_image up-to-date:
+  bazel-bin/my_image
+INFO: Build completed successfully, 128 total actions
+```
+
 <a id="pull-token-automation"></a>
 
-## Pull Token for Authentication in Automated Workflows
+## Pull token for authentication in automated workflows
 
 Use a pull token with a custom time to live (TTL) to authenticate to your
 private APK repository. The following example creates a pull token with a TTL of