Google’s Bazel build system helps developers create container images in a more secure and efficient manner. Developers use Starlark, a high-level build language, to write rules instructing Bazel what to do, and related rules are combined into a ruleset for creating binaries and running tests. The new rules_oci ruleset is a modernized process for creating Distroless builds, reducing the risk from security vulnerabilities in image components and addressing governance issues in the software supply chain. The new ruleset adds supply chain security metadata to the container images, so developers can obtain a software bill of materials showing what went into the container and organizations can make informed decisions about the images they use.
### Bazel Build System Simplifies Building Container Images
The Bazel build system makes it simpler and more secure to build container images with the new rules_oci ruleset. Developers can create Distroless builds, reducing the burden of managing risks associated with security vulnerabilities. The Bazel build system supports multiple languages and platforms, allowing developers to use Starlark, a high-level build language, to create rules for creating binaries and running tests.
### Rules_OCI Modernizes Container Image Creation
The new rules_oci ruleset modernizes the process for creating Distroless builds by adding supply chain security metadata to the container images. Because Bazel supports managing and caching dependencies by their integrity hash, it can make assurances about the supply chain. Developers can get a software bill of materials showing what went into the container, allowing organizations to make informed decisions about the images they are using.
### Migrating from Rules_Docker to Rules_OCI
The new rules_oci ruleset replaces the older rules_docker ruleset, which is now in maintenance mode, for creating Docker containers. The new ruleset lets developers build Docker containers even when no docker daemon is installed on the machine. Rules_oci is runtime agnostic about where it looks for registry authorization config files, unlike rules_docker, which works only with the standard Docker configuration paths. Aspect created a migration guide to help organizations make the transition from rules_docker to rules_oci.
### Code Signing Capability Added
The new rules_oci ruleset also supports code signing, which lets users verify that a container image was not modified by someone else after it was created. The previous rules_docker ruleset did not have this code signing capability, according to Sahin Yort, a software engineer at the Bazel consultancy Aspect Development.
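The following is an added example, not code from the article or from the rules_oci project itself, showing how the three points above fit together in one build: the Distroless base is pinned by digest so Bazel caches and verifies it by integrity hash (the supply chain assurance described earlier), the image is assembled and pushed without a docker daemon, and the pushed image is signed. It assumes the rules_oci 1.x bzlmod API (`oci.pull`, `oci_image`, `oci_push`, `oci_tarball`) and `pkg_tar` from rules_pkg; the `cosign_sign` rule from `@rules_oci//cosign:defs.bzl` is an assumption about that 1.x release line and may not exist in later versions. The version numbers, the `//:app` binary target, the registry name and the digest are placeholders.

```starlark
# --- MODULE.bazel (assumed rules_oci 1.x bzlmod API; versions are placeholders) ---
bazel_dep(name = "rules_oci", version = "1.7.5")
bazel_dep(name = "rules_pkg", version = "0.9.1")

oci = use_extension("@rules_oci//oci:extensions.bzl", "oci")

# Pin the Distroless base by digest, not by a mutable tag. Bazel fetches and
# caches the base by this integrity hash, so a tag moved upstream cannot
# silently change what ends up in the image.
oci.pull(
    name = "distroless_base",
    image = "gcr.io/distroless/base",
    digest = "sha256:<PLACEHOLDER_DIGEST>",  # placeholder: copy the real digest from the registry
)
use_repo(oci, "distroless_base")

# --- BUILD.bazel ---
load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push", "oci_tarball")
load("@rules_oci//cosign:defs.bzl", "cosign_sign")  # assumed rules_oci 1.x rule
load("@rules_pkg//pkg:tar.bzl", "pkg_tar")

# Only the built binary goes into the layer. Distroless has no shell or
# package manager, so nothing beyond what is listed here reaches the image.
pkg_tar(
    name = "app_layer",
    srcs = [":app"],  # assumed: a binary target (e.g. go_binary/cc_binary) in this package
    package_dir = "/app",
)

oci_image(
    name = "image",
    base = "@distroless_base",
    tars = [":app_layer"],
    entrypoint = ["/app/app"],
)

# For local inspection: `bazel run //:image_tarball` loads the image into a
# local docker/podman. The build itself does not need a daemon.
oci_tarball(
    name = "image_tarball",
    image = ":image",
    repo_tags = ["example.com/app:dev"],
)

# Push directly from Bazel (no daemon). Registry credentials are read from
# the standard registry config files rather than from a running Docker.
oci_push(
    name = "push",
    image = ":image",
    repository = "registry.example.com/team/app",  # placeholder registry
    remote_tags = ["latest"],
)

# Sign the pushed image by digest. Run as:
#   bazel run //:sign -- --key cosign.key
# The private key is supplied at run time and never appears in the BUILD file.
cosign_sign(
    name = "sign",
    image = ":image",
    repository = "registry.example.com/team/app",  # must match the push target
)
```

With the image pushed and signed, a consumer verifies it before deploying with the cosign CLI against the public half of the key, addressing the image by digest rather than tag, for example `cosign verify --key cosign.pub registry.example.com/team/app@sha256:<digest>`. Pinning the base by digest and verifying the result by digest are the two ends of the same chain: a change anywhere in between shows up as a hash mismatch rather than as an unnoticed substitution.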
In conclusion, the Bazel build system and the new rules_oci ruleset significantly strengthen container security. With the ability to create Distroless builds that reduce exposure to security vulnerabilities, and a migration guide to assist with the move to the new ruleset, developers can be confident in the provenance and integrity of their container images.