Google has released ‘rules_oci’, an open source Bazel plugin (ruleset) for building container images with a focus on supply chain security. The new ruleset can use trusted third-party toolchains, works transparently with private registries, and gives users a software bill of materials (SBOM) so they can verify where their dependencies came from.
It also supports native image signing, native handling of OCI image indexes (multi-platform images), improved caching and fetching, and signed attestations for Distroless images.
Bazel is a build and test tool that improves supply chain trust by pinning dependencies to integrity hashes, so a fetched artifact that does not match its recorded hash fails the build instead of being used. Google uses Bazel to build its Distroless base images for Docker, which are meant to improve supply chain security: they are minimal base images that contain only what an application needs at run time, so there is less in the image to patch, license, or audit.
According to Google, “using minimal base images reduces the burden of managing risks associated with security vulnerabilities, licensing, and governance issues in the supply chain for building applications”.
Rules_oci is designed to replace rules_docker, the ruleset previously used to build container images with Bazel. It lets Google modernize the Distroless build while adding the supply chain security metadata (signatures, attestations and SBOMs) that organizations need to make better decisions about the images they consume. The ruleset contains no language-specific rules, does not require a Docker daemon on the build machine, and can use trusted third-party toolchains. Google has published a guide to help organizations migrate from rules_docker to the new ruleset.
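To make the digest pinning, multi-platform pull and daemonless build concrete, here is an added example of how the pieces fit together; it is not code from the announcement or from the rules_oci project. The registry name, the target names, the `nonroot` user choice and the use of rules_pkg for the application layer are assumptions, and the digest is a placeholder to be replaced with one you have verified.

```starlark
# WORKSPACE (added example, not from the announcement): pin the Distroless base
# by digest so the fetch fails closed if the registry content ever changes.
load("@rules_oci//oci:pull.bzl", "oci_pull")

oci_pull(
    name = "distroless_base",
    image = "gcr.io/distroless/base",
    # Placeholder: substitute the sha256 digest you verified. A tag such as
    # ":latest" is mutable and gives no integrity guarantee on its own.
    digest = "sha256:<verified-digest-of-the-base-image-index>",
    # Pull the OCI image index for more than one platform; rules_oci then
    # selects the manifest matching the target platform at build time.
    platforms = [
        "linux/amd64",
        "linux/arm64",
    ],
)

# BUILD.bazel (same added example): assemble and publish the application image
# without a Docker daemon. ":app" is a hypothetical binary target built elsewhere.
load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push")
load("@rules_pkg//pkg:tar.bzl", "pkg_tar")

# One layer containing only the application binary, placed under /app.
pkg_tar(
    name = "app_layer",
    srcs = [":app"],
    package_dir = "/app",
)

oci_image(
    name = "image",
    base = "@distroless_base",
    tars = [":app_layer"],
    entrypoint = ["/app/app"],
    # Run as the unprivileged "nonroot" user that Distroless defines in /etc/passwd.
    user = "nonroot",
)

oci_push(
    name = "push",
    image = ":image",
    # Hypothetical private registry; credentials come from the registry
    # configuration of your local tooling, not from a running daemon.
    repository = "registry.example.com/team/app",
    remote_tags = ["latest"],
)
```

Before filling in the digest, check that the base image you are pinning is the one Google signed. The Distroless project documents keyless verification of the form `cosign verify gcr.io/distroless/base:latest --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@distroless.iam.gserviceaccount.com`; the digest that command reports for the verified image is the value to put in `digest`. Verifying once and then pinning by digest means later builds neither trust the mutable tag nor depend on the registry returning the same bytes.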
Google’s emphasis on minimal base images and on rulesets like rules_oci reflects the growing weight given to security in the software development process.
As supply chain attacks become more frequent and sophisticated, organizations are looking for ways to improve their security posture. Rules_oci offers one: signatures, attestations and an SBOM produced at build time let consumers verify what went into an image rather than trusting a registry tag, which in turn lowers the cost of managing the vulnerability, licensing and governance risks that Google’s guidance describes.