Google last week announced the general availability of ‘rules_oci’, an open source Bazel plugin for building container images.
Bazel improves supply chain trust by using dependencies’ integrity hashes. Google uses this build and test tool for creating Distroless base images for Docker.
Distroless images too are meant to improve supply chain security, as they are minimal base images that include only what is necessary for applications to run.
“Using minimal base images reduces the burden of managing risks associated with security vulnerabilities, licensing, and governance issues in the supply chain for building applications,” Google explains.
According to the internet giant, rules_oci, the new ruleset that replaces rules_docker, which was previously used for building container images, provides numerous improvements, including features related to security.
The new plugin can use trusted third-party toolchains, does not require running a docker daemon already on the machine, and does not include language-specific rules.
It also allows for the transparent use of private registries, and provides users with a software bill of materials (SBOM), so they can verify the source of dependencies.
The plugin also supports native signing of images, native support for oci indexes (multi-platform images), improved caching and fetching, and a signed attestation for Distroless images, which includes SBOMs.
“In the end, rules_oci allowed us to modernize the Distroless build while also adding necessary supply chain security metadata to allow organizations to make better decisions about the images they consume,” Google notes.
On Friday, the internet giant announced that version 1.0 of rules_oci is now generally available, accompanied by a guide to help organizations migrate from rules_docker to the new ruleset.