Google’s Open-Source Bazel Plugin Enhances Container Image Security
Google last week announced the general availability of ‘rules_oci’, an open-source Bazel plugin for building container images.
Google has released an open-source plugin for Bazel, the build and test tool, which enhances the integrity of the supply chain by using integrity hashes of dependencies. Bazel is utilized by Google to develop Distroless base images for Docker, which are designed to boost supply chain security by being minimal and containing only the necessary components for running applications.
Google explained this as follows: “Using minimal base images reduces the burden of managing risks associated with security vulnerabilities, licensing, and governance issues in the supply chain for building applications”.
In related cloud security news, Google has announced that its new ruleset, rules_oci, will replace rules_docker for building container images. The update promises several improvements, particularly around security.
The latest Bazel plugin from Google offers several security-related enhancements, such as the ability to utilize reliable third-party toolchains, no dependency on running a docker daemon on the device, and a lack of language-specific rules. Additionally, it enables the hassle-free use of private registries and provides a software bill of materials (SBOM) to users, allowing them to verify the origin of dependencies, further increasing supply chain security.
Google notes: “In the end, rules_oci allowed us to modernize the Distroless build while also adding necessary supply chain security metadata to allow organizations to make better decisions about the images they consume.”
Beyond the points above, the plugin offers native signing of images, multi-platform images, improved caching and fetching, and signed attestations for Distroless images that include SBOMs, so consumers can check both what is in an image and who built it.
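As an added configuration example (not from the article and not the rules_oci project's own code), this shows the dependency integrity hashing the article refers to: the first `oci_pull` is the weak, tag-only form that silently follows whatever the registry serves, while the second pins the base image by its sha256 digest so a changed or tampered image fails the build. The digest value, the `//app:layer` tarball target and the `registry.example.com` repository are placeholders.

```starlark
# --- WORKSPACE (excerpt); rules_oci is assumed to be loaded via http_archive above ---
load("@rules_oci//oci:pull.bzl", "oci_pull")

# Weak: a floating tag. Whatever the registry serves today is what gets built,
# so the base image can change between builds without any error.
oci_pull(
    name = "distroless_base_by_tag",
    image = "gcr.io/distroless/static",
    tag = "nonroot",
)

# Preferred: pin the base image by content digest. The fetched manifest is
# verified against this hash, so a swapped or tampered image fails the build.
oci_pull(
    name = "distroless_base",
    image = "gcr.io/distroless/static",
    digest = "sha256:<PINNED_DIGEST_PLACEHOLDER>",  # placeholder: copy the real digest from your registry
    platforms = ["linux/amd64", "linux/arm64"],    # multi-platform index, one digest covers both
)

# --- BUILD.bazel (excerpt) ---
load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push")

# Build the application image on the digest-pinned base. No docker daemon is
# needed; the layers are assembled by Bazel from the tarballs listed in `tars`.
oci_image(
    name = "app_image",
    base = "@distroless_base",
    tars = ["//app:layer"],  # hypothetical tarball target holding the application files
    entrypoint = ["/app/server"],
)

# Push the result; the registry name is a placeholder.
oci_push(
    name = "push_app_image",
    image = ":app_image",
    repository = "registry.example.com/team/app",
    remote_tags = ["v1"],
)
```

Pinning by digest is what makes the build reproducible and lets the SBOM and attestation name an exact base image rather than a moving tag.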