Docker BuildKit now supports supply chain security practices and cache backends
Published on Jan 30, 2023
Docker has released version 0.11 of BuildKit, the backend it uses to build container images. The release adds the ability to generate attestations alongside an image, improvements to reproducible builds, and support for remote cache backends in cloud object storage.
Two types of attestation are supported in this release: software bills of materials (SBOMs) and SLSA provenance. An SBOM is a list of the components included in an image. The feature overlaps with the existing docker sbom command, but it lets image authors generate the SBOM at build time and attach the result to the image as an attestation, so that consumers can retrieve it from the registry rather than having to scan the image themselves.
SLSA provenance is the other supported attestation type. Supply Chain Levels for Software Artifacts (SLSA) is a security framework that provides standards and controls for supply chain security. The provenance of an artifact is the collection of metadata describing how it was produced: who built it, from which sources and dependencies, and with what build process.
The provenance generated by Buildx and BuildKit includes metadata such as links to the source code, build timestamps, and the build inputs (materials).
Provenance generation also accepts an optional mode parameter (min, the default, or max). In max mode, all of the above is included along with the complete, base64-encoded Dockerfile and its source maps. That is more useful for audit, but it also discloses more about how the image was built, which is worth considering before publishing an image publicly.
Producing bit-for-bit reproducible builds has historically been difficult because timestamps differ between runs. This release introduces support for the SOURCE_DATE_EPOCH build argument: when it is set, BuildKit uses the given Unix time for the timestamps in the image configuration and layers instead of the wall-clock time of the build.
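The attestation is only useful if something checks it. The following is an added example (not code from Docker or BuildKit) of the two checks a consumer would run after `docker buildx build --sbom=true --provenance=mode=max --build-arg SOURCE_DATE_EPOCH=...`: a policy check over the SLSA v0.2 provenance statement that `docker buildx imagetools inspect <ref> --format '{{json .Provenance}}'` returns, and a check that every timestamp in the resulting image config equals SOURCE_DATE_EPOCH. The provenance and image config below are constructed samples; the field names under the BuildKit-specific metadata key, and the digests, are assumptions made for this illustration.

```python
"""Consumer-side checks for a BuildKit provenance attestation and SOURCE_DATE_EPOCH.

Added example, not code from Docker or BuildKit. SAMPLE_PROVENANCE is a constructed
in-toto statement shaped like the SLSA v0.2 provenance BuildKit emits; the layout under
the "https://mobyproject.org/buildkit@v1#metadata" key is an assumption.
"""
import base64
import copy
import json
from datetime import datetime, timezone

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
BUILDKIT_BUILDTYPE = "https://mobyproject.org/buildkit@v1"
BUILDKIT_META = "https://mobyproject.org/buildkit@v1#metadata"

IMAGE_DIGEST = "sha256:" + "ab" * 32   # constructed digest of the image under review
BASE_DIGEST = "sha256:" + "cd" * 32    # constructed digest of the pinned base image
DOCKERFILE = "FROM alpine:3.17@" + BASE_DIGEST + "\nRUN apk add --no-cache curl\n"

# Constructed mode=max attestation, trimmed to the fields the checks below use.
SAMPLE_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "pkg:docker/example/app@1.0",
                 "digest": {"sha256": IMAGE_DIGEST.split(":")[1]}}],
    "predicate": {
        "builder": {"id": ""},
        "buildType": BUILDKIT_BUILDTYPE,
        "materials": [{"uri": "pkg:docker/alpine@3.17?platform=linux%2Famd64",
                       "digest": {"sha256": BASE_DIGEST.split(":")[1]}}],
        "invocation": {"configSource": {"entryPoint": "Dockerfile"},
                       "parameters": {"frontend": "dockerfile.v0"}},
        "metadata": {
            "buildInvocationID": "constructed-invocation-id",
            "reproducible": False,
            BUILDKIT_META: {"source": {"infos": [
                {"filename": "Dockerfile",
                 "data": base64.b64encode(DOCKERFILE.encode()).decode()}]}},
        },
    },
}
# The same build in the default mode=min: no embedded Dockerfile.
SAMPLE_PROVENANCE_MIN = copy.deepcopy(SAMPLE_PROVENANCE)
del SAMPLE_PROVENANCE_MIN["predicate"]["metadata"][BUILDKIT_META]


def dockerfile_from_provenance(statement):
    """Return the embedded Dockerfile text (mode=max only), or None when absent."""
    meta = statement["predicate"].get("metadata", {}).get(BUILDKIT_META, {})
    for info in meta.get("source", {}).get("infos", []):
        if info.get("filename") == "Dockerfile":
            return base64.b64decode(info["data"]).decode()
    return None


def check_provenance(statement, image_digest):
    """Return policy findings for one attestation; an empty list means it passes."""
    findings = []
    if statement.get("predicateType") != SLSA_V02:
        findings.append("unexpected predicateType %r" % statement.get("predicateType"))
    pred = statement.get("predicate", {})
    if pred.get("buildType") != BUILDKIT_BUILDTYPE:
        findings.append("unexpected buildType %r" % pred.get("buildType"))
    # The statement must be about the image we actually pulled, not just any image.
    want = image_digest.split(":", 1)[1]
    if not any(s.get("digest", {}).get("sha256") == want for s in statement.get("subject", [])):
        findings.append("subject digest does not match the image being verified")
    # Every build input should be pinned by digest, otherwise the build is not reproducible.
    for m in pred.get("materials", []):
        if not m.get("digest"):
            findings.append("unpinned material " + m.get("uri", "?"))
    df = dockerfile_from_provenance(statement)
    if df is None:
        findings.append("no embedded Dockerfile: provenance was not generated with mode=max")
    else:
        for line in df.splitlines():
            if line.startswith("FROM ") and "@sha256:" not in line:
                findings.append("base image not pinned by digest: " + line)
    return findings


SOURCE_DATE_EPOCH = 1672531200  # 2023-01-01T00:00:00Z, the constructed --build-arg value
SAMPLE_CONFIG_OK = {  # constructed image config where the build honoured the argument
    "created": "2023-01-01T00:00:00Z",
    "history": [{"created": "2023-01-01T00:00:00Z", "created_by": "FROM alpine:3.17"},
                {"created": "2023-01-01T00:00:00Z", "created_by": "RUN apk add --no-cache curl"}],
}
SAMPLE_CONFIG_LEAKY = copy.deepcopy(SAMPLE_CONFIG_OK)  # one step kept its wall-clock time
SAMPLE_CONFIG_LEAKY["history"][1]["created"] = "2023-01-30T09:41:12.345678901Z"


def _rfc3339_to_epoch(ts):
    # Ignore sub-second digits; image configs use UTC with a trailing Z.
    naive = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")
    return int(naive.replace(tzinfo=timezone.utc).timestamp())


def check_timestamps(image_config, epoch):
    """Return the config fields whose timestamp differs from SOURCE_DATE_EPOCH."""
    mismatches = []
    if _rfc3339_to_epoch(image_config["created"]) != epoch:
        mismatches.append("created")
    for i, entry in enumerate(image_config.get("history", [])):
        if "created" in entry and _rfc3339_to_epoch(entry["created"]) != epoch:
            mismatches.append("history[%d]" % i)
    return mismatches


if __name__ == "__main__":
    print(json.dumps({"max": check_provenance(SAMPLE_PROVENANCE, IMAGE_DIGEST),
                      "min": check_provenance(SAMPLE_PROVENANCE_MIN, IMAGE_DIGEST),
                      "timestamps": check_timestamps(SAMPLE_CONFIG_LEAKY, SOURCE_DATE_EPOCH)},
                     indent=2))
```

The subject-digest check matters more than it looks: an attestation is only evidence about the artifact whose digest it names, so a verifier should compare it against the digest it actually pulled, not against a tag.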
BuildKit can now use Amazon S3 and Azure Blob Storage as remote cache backends. This helps in environments such as continuous integration pipelines, where ephemeral runners would otherwise start every build with an empty cache.
More information about the release is available on the Docker blog and in the changelog. The BuildKit maintainers can be reached on Docker Community Slack in the #lsetuk channel.