This repository hosts the Public Base Image used by the SwapLab Framework7 Builder Service.
At SwapLab, we believe in Supply Chain Transparency. While our proprietary build logic (build-engine) remains private to protect our intellectual property, the environment in which your Framework7 projects are built is open for public audit.
This image (swaplab-engine/framework7-core) serves as the foundation for our build pipeline. It contains the operating system, SDKs, Framework7 CLI, Cordova tools, and security scanners ensuring a stable and secure build environment for your UI-first hybrid applications.
This image is built on top of Ubuntu 22.04 (Jammy) and includes the following pre-configured environment:
| Component | Details | Purpose |
|---|---|---|
| Android SDK | Platform 35, Build Tools 35.0.0 | Compiling Android Apps |
| Gradle | Version 8.11.1 | Android Build System |
| Node.js | v20.x (LTS) | JavaScript Runtime |
| Framework7 CLI | Latest (Global) | F7 Project Management |
| Cordova CLI | Latest (Global) | Native Bridge & Compilation |
| Ruby & CocoaPods | Latest | iOS Dependency Management |
At SwapLab, we believe developers should have the freedom to build without restrictions. We do not rely on a manually managed "whitelist" of allowed plugins. You are free to use any npm package, Framework7 module, or Cordova plugin required for your project.
To make this "Unlimited Ecosystem" safe, we employ a rigorous Automated Security Gate instead of manual reviews.
Every build runs through a real-time security gauntlet using industry-standard tools:
- ClamAV: Scans the entire filesystem for malware, viruses, and trojans.
- Trivy: Performs Software Composition Analysis (SCA) to detect known CVEs in your dependencies.
- Semgrep: Performs Static Application Security Testing (SAST) to catch insecure coding patterns in your JS/TS/Vue/Svelte/React code.
If any of these scanners detect a CRITICAL threat, the build process is IMMEDIATELY ABORTED. This protects your project, your users, and our infrastructure.
To ensure transparency, the specific reason for any security-related failure is logged publicly (anonymized) on our Security Dashboard.

📊 Live Dashboard: security-stats.swaplab.net
While our Integrated Scanners provide a robust layer of defense, no automated system is 100% accurate. Automated tools may occasionally miss obfuscated threats or zero-day vulnerabilities (False Negatives).
Therefore, security is a shared responsibility:
- Our Role: We provide a hardened, scanned environment and block known threats.
- Your Role: You must ensure that every dependency, plugin, or library you include in your `package.json` comes from a trusted and verified source.
SwapLab does not audit the internal code of 3rd-party plugins or UI libraries you choose to install. Please exercise due diligence when selecting community-maintained packages.
By using SwapLab services and this build environment, you agree to our policies. Please review the documents below for detailed information regarding data handling, repository access, and usage terms.
- 📄 Privacy Policy: Read Privacy Policy
- ⚖️ Terms and Conditions: Read Terms & Conditions
- 🔐 Repository Permissions: View Repository Permissions Policy
You can pull and inspect this image directly from the GitHub Container Registry to verify its contents match this documentation:
```bash
docker pull ghcr.io/swaplab-engine/framework7-core:latest
```

The Base Environment (Dockerfile configurations, OS setup, SDK installation) is provided under the MIT License, allowing for transparency and auditability.
The Build Engine Binary (build-engine) contained within the final distributed image is Proprietary Software owned by SwapLab.
By pulling and using these images, you agree to the SwapLab Terms & Conditions. Reverse engineering, decompiling, or disassembling the proprietary build executables is strictly prohibited.
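One way to carry out the "pull and inspect" check described above, as an added example rather than SwapLab's own tooling: the script pulls the image, records its digest, and compares what the image reports with the pinned versions in the component table. It assumes `node` and `gradle` are on `PATH` inside the image and that the SDK location is exported as `ANDROID_HOME` or `ANDROID_SDK_ROOT`; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not SwapLab code): audit the image against the README's table.
IMAGE="ghcr.io/swaplab-engine/framework7-core:latest"

# Gather key=value facts from inside the image, offline, with the entrypoint
# overridden. Assumptions: node and gradle are on PATH and the SDK path is in
# ANDROID_HOME or ANDROID_SDK_ROOT; a missing tool is reported as a mismatch.
collect_report() {
  docker run --rm --network none --entrypoint sh "$IMAGE" -c '
    . /etc/os-release; echo "os=$VERSION_ID"
    echo "node=$(node --version)"
    echo "gradle=$(gradle --version | sed -n "s/^Gradle //p")"
    sdk="${ANDROID_HOME:-$ANDROID_SDK_ROOT}"
    echo "build_tools=$(ls "$sdk/build-tools" | grep -Fx 35.0.0)"'
}

# Compare a key=value report on stdin with the documented values.
# Prints one line per component; returns non-zero if any deviates.
verify_report() {
  vr_report="$(cat)"; vr_rc=0
  while read -r vr_key vr_pattern; do
    vr_actual="$(printf '%s\n' "$vr_report" | sed -n "s/^${vr_key}=//p" | head -n 1)"
    if printf '%s\n' "$vr_actual" | grep -Eq "$vr_pattern"; then
      echo "OK       ${vr_key}=${vr_actual}"
    else
      echo "MISMATCH ${vr_key}=${vr_actual:-<missing>} (documented: ${vr_pattern})"
      vr_rc=1
    fi
  done <<'EOF'
os ^22\.04$
node ^v20\.
gradle ^8\.11\.1$
build_tools ^35\.0\.0$
EOF
  return "$vr_rc"
}

# Only touch Docker when invoked with --run.
if [ "${1:-}" = "--run" ]; then
  docker pull "$IMAGE"
  # :latest is mutable, so record the digest the audit actually covered.
  echo "audited: $(docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE")"
  collect_report | verify_report
fi
```

Framework7 CLI, Cordova CLI and CocoaPods are documented only as "Latest", so there is no fixed value to compare them against.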
SwapLab is built and maintained by EMI (EMI-INDO), a dedicated developer in the Hybrid Mobile App ecosystem.
This service was built to solve the real-world build problems I faced while developing plugins and games.
- Cordova Plugins: I maintain various open-source Cordova Plugins on GitHub.
- Game Assets: Verified seller of Construct 3 Addons.
- Community: Active member of the Construct Community Forums.
Made with ❤️ by the SwapLab Engineering Team