Docker has added supply chain security features to BuildKit, the build component of the Docker Engine, including provenance attestation and the ability to generate SBOMs (Software Bill of Material).
What we call Docker Engine has multiple components, one of which is Moby BuildKit, which has many additional features compared to the original Docker build. Access to these features is generally via a plugin called docker-buildx, which adds a buildx command to the Docker CLI (command line interface). Docker Desktop installs this automatically.
BuildKit is updated frequently – at the time of writing the latest is 0.11.2, released on January 26 – but the big change so far this year came in version 0.11 earlier in the month.
Some key new features relate to the security of the software supply chain. The first is SLSA attestation, where SLSA is “Supply chain levels for software artifacts,” described as a security framework and check-list of standards and controls. SLSA is a cross-vendor project supported by organizations including Google, CNCF, Datadog, VMware and Intel.
BuildKit 0.11 can automatically generate an SBOM (Software Bill of Materials), which is a list of the components used in the container image including name, version, license type, authors, and an identifier. SBOMs are generated using the SPDX (Software Package Data Exchange) standard, a Linux Foundation project. SBOM scanning is not magic but relies on a scanner plugin, which by default is based on Anchore Syft. The docs also note that: “By default, only the final build result is scanned – because of this, the resulting SBOM will not include build-time dependencies that may be installed in separate stages or the build context.”
BuildKit SBOM support is additional to the existing, but experimental, docker sbom plug-in.
Another change is that the timestamp can be set to the Unix epoch, making it possible to reproduce the build with the exact same timestamp. Reproducible builds are also important for confidence in the integrity of the build chain.
Also new in BuildKit 0.11 is cloud cache support. Buildx already supported caching of builds but support for AWS S3 and Azure Blog Storage has now been added.