Docker BuildKit Adds Support for Supply Chain Security Practices and Cache Backends

Matt Campbell

Article originally posted on InfoQ.

Docker has released version 0.11 of BuildKit, the Docker backend for building images. The release adds several new features, including attestation creation, reproducible build improvements, and cloud cache backend support.

This release adds support for two types of attestations: software bills of materials (SBOMs) and SLSA provenance. An SBOM is a record of the components that were included in the image. The new support is similar to docker sbom, but it lets image authors embed the result in the image itself rather than generating it afterwards. An SBOM is produced by passing the --sbom flag:

$ docker buildx build --sbom=true -t / --push .

An SBOM can be inspected with the imagetools subcommand. The following command lists all the discovered dependencies within the moby/buildkit image:

$ docker buildx imagetools inspect moby/buildkit:latest --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ println .name }}{{ end }}'
github.com/Azure/azure-sdk-for-go/sdk/azcore
github.com/Azure/azure-sdk-for-go/sdk/azidentity
github.com/Azure/azure-sdk-for-go/sdk/internal
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob
...

The other supported form of attestation is SLSA provenance. Supply-chain Levels for Software Artifacts (SLSA) is a security framework providing standards and controls for supply chain security. Provenance is metadata describing how an artifact was built, including information on ownership, sources, dependencies, and the build process used.

The provenance produced by Buildx and BuildKit includes metadata such as links to the source code, build timestamps, and the inputs used during the build. A provenance attestation is created by enabling the new --provenance flag:

$ docker buildx build --provenance=true -t / --push .

As with SBOMs, imagetools can be used to query the provenance:

$ docker buildx imagetools inspect moby/buildkit:latest --format '{{ json (index .Provenance "linux/amd64").SLSA.invocation.configSource }}'
{
  "digest": {
    "sha1": "830288a71f447b46ad44ad5f7bd45148ec450d44"
  },
  "entryPoint": "Dockerfile",
  "uri": "https://github.com/moby/buildkit.git#refs/tags/v0.11.0"
}

Provenance generation also accepts an optional mode parameter that controls how much detail is recorded. In max mode, all of the above details are included along with the exact steps taken to produce the image, a full base64-encoded copy of the Dockerfile, and source maps.
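The SBOM and provenance queries above show how to read the attestations out of an image; what a consumer usually wants next is a policy check over them. The following is an added example (not code from the article or from BuildKit) that takes the JSON produced by `docker buildx imagetools inspect ... --format '{{ json .SBOM }}'` and `--format '{{ json .Provenance }}'`, lists SPDX packages the way the article's Go template does, flags packages on a constructed deny-list, and accepts a provenance record only if its configSource points at an allowed repository, is pinned to a full commit SHA and was built from a tag ref. Both sample documents are constructed for the example; the field names (SPDX `packages`/`name`/`versionInfo`, SLSA `invocation.configSource`) follow those shown on this page, and the deny-list contents are hypothetical.

```python
"""Policy checks over BuildKit SBOM and SLSA provenance attestations.

Added example, not part of the InfoQ article or of BuildKit. Assumes the
attestation JSON has already been exported with, e.g.

    docker buildx imagetools inspect <image> --format '{{ json .SBOM }}'
    docker buildx imagetools inspect <image> --format '{{ json .Provenance }}'
"""
from __future__ import annotations

import json
import re

# Constructed sample: the shape of `{{ json .SBOM }}`, trimmed to the fields used here.
SAMPLE_SBOM = json.dumps({
    "linux/amd64": {
        "SPDX": {
            "packages": [
                {"name": "github.com/Azure/azure-sdk-for-go/sdk/azcore", "versionInfo": "v1.0.0"},
                {"name": "github.com/Azure/azure-sdk-for-go/sdk/azidentity", "versionInfo": "v1.1.0"},
                {"name": "golang.org/x/text", "versionInfo": "v0.3.7"},
            ]
        }
    }
})

# Constructed sample: the shape of `{{ json .Provenance }}`, using the configSource
# values shown in the article's inspect output.
SAMPLE_PROVENANCE = json.dumps({
    "linux/amd64": {
        "SLSA": {
            "invocation": {
                "configSource": {
                    "digest": {"sha1": "830288a71f447b46ad44ad5f7bd45148ec450d44"},
                    "entryPoint": "Dockerfile",
                    "uri": "https://github.com/moby/buildkit.git#refs/tags/v0.11.0",
                }
            }
        }
    }
})


def sbom_packages(sbom_json: str, platform: str = "linux/amd64") -> dict[str, str]:
    """Return {package name: version} for one platform (what the Go template prints, plus version)."""
    doc = json.loads(sbom_json)
    pkgs = doc[platform]["SPDX"]["packages"]
    return {p["name"]: p.get("versionInfo", "") for p in pkgs}


def sbom_violations(sbom_json: str, denylist: dict[str, set[str]],
                    platform: str = "linux/amd64") -> list[str]:
    """Flag packages whose name/version pair appears in a (hypothetical) deny-list."""
    found = []
    for name, version in sbom_packages(sbom_json, platform).items():
        if version in denylist.get(name, set()):
            found.append(f"{name}@{version}")
    return sorted(found)


def provenance_source(prov_json: str, platform: str = "linux/amd64") -> tuple[str, str, str]:
    """Return (repository uri, git ref, commit sha1) from the SLSA configSource."""
    cs = json.loads(prov_json)[platform]["SLSA"]["invocation"]["configSource"]
    uri, _, ref = cs["uri"].partition("#")
    return uri, ref, cs["digest"]["sha1"]


def provenance_ok(prov_json: str, allowed_repos: set[str], require_tag: bool = True,
                  platform: str = "linux/amd64") -> bool:
    """Accept only images built from an allowed repo, pinned to a full commit, and (optionally) from a tag."""
    uri, ref, sha = provenance_source(prov_json, platform)
    if uri not in allowed_repos:
        return False
    if not re.fullmatch(r"[0-9a-f]{40}", sha):  # a short or missing digest is not a pin
        return False
    if require_tag and not ref.startswith("refs/tags/"):
        return False
    return True


if __name__ == "__main__":
    print(sbom_violations(SAMPLE_SBOM, {"golang.org/x/text": {"v0.3.7"}}))
    print(provenance_ok(SAMPLE_PROVENANCE, {"https://github.com/moby/buildkit.git"}))
```

The provenance check is deliberately strict about the ref: a build from `refs/heads/main` is still a legitimate build, but admission policy for released images normally wants a tag, so `require_tag` defaults to true and can be relaxed per environment. Note that these checks trust the attestation content; verifying the attestation's signature is a separate step not covered by this page.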

Previously, producing bit-for-bit reproducible builds has been a challenge because of timestamp differences between runs. This release introduces a new SOURCE_DATE_EPOCH build argument that, if set, causes BuildKit to set the timestamps in the image config and layers to the specified Unix timestamp.
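A quick way to confirm that a build honoured SOURCE_DATE_EPOCH is to read the timestamps back out of the image config and compare each one against the epoch that was passed in. The following is an added example (not code from the article or from BuildKit) that does that over an exported OCI image config, such as the output of `docker buildx imagetools inspect <image> --format '{{ json .Image }}'`; the epoch value and both config samples are constructed, and the second sample shows what a run that kept wall-clock time looks like.

```python
"""Check that an image config carries only the SOURCE_DATE_EPOCH timestamp.

Added example, not part of the InfoQ article or of BuildKit. Assumes the OCI
image config has been exported as JSON and the epoch used at build time is known.
"""
from __future__ import annotations

import json
import re
from datetime import datetime

SOURCE_DATE_EPOCH = 1672531200  # constructed: 2023-01-01T00:00:00Z

# Constructed: minimal OCI image config where every timestamp equals the epoch.
SAMPLE_CONFIG = json.dumps({
    "created": "2023-01-01T00:00:00Z",
    "history": [
        {"created": "2023-01-01T00:00:00Z", "created_by": "FROM alpine"},
        {"created": "2023-01-01T00:00:00Z", "created_by": "RUN apk add --no-cache ca-certificates"},
    ],
})

# Constructed: the same config, but one history entry kept the wall-clock time
# (the sort of drift that breaks bit-for-bit reproducibility).
DRIFTED_CONFIG = json.dumps({
    "created": "2023-01-01T00:00:00Z",
    "history": [
        {"created": "2023-01-01T00:00:00Z", "created_by": "FROM alpine"},
        {"created": "2023-03-14T09:26:53.589793Z", "created_by": "RUN apk add --no-cache ca-certificates"},
    ],
})


def parse_rfc3339(stamp: str) -> int:
    """Convert an OCI/RFC 3339 timestamp to a Unix epoch (UTC)."""
    # Go emits up to nine fractional digits, which older fromisoformat() rejects; drop them.
    stamp = re.sub(r"\.\d+", "", stamp).replace("Z", "+00:00")
    return int(datetime.fromisoformat(stamp).timestamp())


def timestamp_drift(config_json: str, epoch: int) -> list[str]:
    """Return every timestamp in the config that does not equal `epoch` (empty means clean)."""
    cfg = json.loads(config_json)
    stamps = [cfg.get("created", "")] + [h.get("created", "") for h in cfg.get("history", [])]
    return [s for s in stamps if s and parse_rfc3339(s) != epoch]


def is_pinned_to_epoch(config_json: str, epoch: int) -> bool:
    """True when the image config's `created` and all history entries match the epoch."""
    return not timestamp_drift(config_json, epoch)


if __name__ == "__main__":
    print(is_pinned_to_epoch(SAMPLE_CONFIG, SOURCE_DATE_EPOCH))
    print(timestamp_drift(DRIFTED_CONFIG, SOURCE_DATE_EPOCH))
```

This only inspects the image config. The article also says layer timestamps are pinned; checking those means walking the file mtimes inside each layer tarball, and the definitive test remains building twice and comparing the resulting digests.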

BuildKit now supports both Amazon S3 and Azure Blob Storage as cache backends. This improves build performance in environments such as CI pipelines, where runners may be ephemeral and a local cache does not survive between jobs. The new backends are selected with the --cache-to and --cache-from flags:

$ docker buildx build --push -t / \
  --cache-to type=s3,region=,bucket=,name=[,parameters...] \
  --cache-from type=s3,region=,bucket=,name= .

$ docker buildx build --push -t / \
  --cache-to type=azblob,name=[,parameters...] \
  --cache-from type=azblob,name=[,parameters...] .

More details about the release can be found on the Docker blog and in the changelog. Questions and issues can be raised in the #buildkit channel on the Docker Community Slack.
