|
| 1 | +--- |
| 2 | +title: Validating build inputs with policies |
| 3 | +linkTitle: Validating builds |
| 4 | +description: Secure your Docker builds by validating images, Git repositories, and dependencies with build policies |
| 5 | +keywords: build policies, opa, rego, docker security, supply chain, attestations |
| 6 | +weight: 70 |
| 7 | +params: |
| 8 | + sidebar: |
| 9 | + badge: |
| 10 | + color: blue |
| 11 | + text: Experimental |
| 12 | +--- |
| 13 | + |
| 14 | +Building with Docker often involves downloading remote resources. These |
| 15 | +external dependencies, such as Docker images, Git repositories, remote files, |
| 16 | +and other artifacts, are called build inputs. |
| 17 | + |
| 18 | +For example: |
| 19 | + |
| 20 | +- Pulling images from a registry |
| 21 | +- Cloning a source code repository |
| 22 | +- Fetching files from a server over HTTPS |
| 23 | + |
| 24 | +When consuming build inputs, it's a good idea to verify the contents are what |
| 25 | +you expect them to be. One way to do this is to use the `--checksum` option for |
| 26 | +the `ADD` Dockerfile instruction. This lets you verify the SHA256 checksum of a |
| 27 | +remote resource when pulling it into a build: |
| 28 | + |
| 29 | +```dockerfile |
| 30 | +ADD --checksum=sha256:c0ff3312345… https://example.com/archive.tar.gz / |
| 31 | +``` |
| 32 | + |
| 33 | +If the remote `archive.tar.gz` file does not match the checksum that the |
| 34 | +Dockerfile expects, the build fails. |
| 35 | + |
| 36 | +Checksums verify that content matches what you expect, but only for the `ADD` |
| 37 | +instruction. They don't tell you anything about where the content came from or |
| 38 | +how it was produced. You can't use checksums to enforce constraints like |
| 39 | +"images must be signed" or "dependencies must come from approved sources." |
| 40 | + |
| 41 | +Build policies solve this problem. They let you define rules that validate all |
| 42 | +your build inputs, enforcing requirements like provenance attestations, |
| 43 | +approved registries, and signed Git tags across your entire build process. |
| 44 | + |
| 45 | +## Prerequisites |
| 46 | + |
| 47 | +Build policies is currently an experimental feature. To try it out, you'll |
| 48 | +need: |
| 49 | + |
| 50 | +- Buildx 0.31.0 or later - Check your version: `docker buildx version` |
| 51 | +- BuildKit 0.27.0 or later - Verify with: `docker buildx inspect --bootstrap` |
| 52 | + |
| 53 | +If you're using Docker Desktop, ensure you're on a version that includes these |
| 54 | +updates. |
| 55 | + |
| 56 | +## Build policies |
| 57 | + |
| 58 | +Buildx version 0.31.0 added support for build policies. Build policies are |
| 59 | +rules for securing your Docker build supply chain, and help protect against |
| 60 | +upstream compromises, malicious dependencies, and unauthorized modifications to |
| 61 | +your build inputs. |
| 62 | + |
| 63 | +Build policies let you enforce extended verifications on inputs used to build |
| 64 | +your projects, such as: |
| 65 | + |
| 66 | +- Docker images must use digest references (not tags alone) |
| 67 | +- Images must have provenance attestations and cosign signatures |
| 68 | +- Git tags are signed by maintainers with a PGP public key |
| 69 | +- All remote artifacts must use HTTPS and include a checksum for verification |
| 70 | + |
| 71 | +Build policies are defined in a declarative policy language, called Rego, |
| 72 | +created for the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/). |
| 73 | +The following example shows a minimal build policy in Rego. |
| 74 | + |
| 75 | +```rego {title="Dockerfile.rego"} |
| 76 | +package docker |
| 77 | +
|
| 78 | +default allow := false |
| 79 | +
|
| 80 | +# Allow any local inputs for this build |
| 81 | +# For example: a local build context, or a local Dockerfile |
| 82 | +allow if input.local |
| 83 | +
|
| 84 | +# Allow images, but only if they have provenance attestations |
| 85 | +allow if { |
| 86 | + input.image.hasProvenance |
| 87 | +} |
| 88 | +
|
| 89 | +decision := {"allow": allow} |
| 90 | +``` |
| 91 | + |
| 92 | +If the Dockerfile associated with this policy references an image with no |
| 93 | +provenance attestation in a `FROM` instruction, the policy would be violated |
| 94 | +and the build would fail. |
| 95 | + |
| 96 | +## How policies work |
| 97 | + |
| 98 | +When you run `docker buildx build`, Buildx: |
| 99 | + |
| 100 | +1. Resolves all build inputs (images, Git repos, HTTP downloads) |
| 101 | +2. Looks for a policy file matching your Dockerfile name (e.g., |
| 102 | + `Dockerfile.rego`) |
| 103 | +3. Evaluates each input against the policy before the build starts |
| 104 | +4. Allows the build to proceed only if all inputs pass the policy |
| 105 | + |
| 106 | +Policies are written in Rego (Open Policy Agent's policy language). You don't |
| 107 | +need to be a Rego expert - the [Introduction](./intro.md) tutorial teaches you |
| 108 | +everything needed. |
| 109 | + |
| 110 | +Policy files live alongside your Dockerfile: |
| 111 | + |
| 112 | +```text |
| 113 | +project/ |
| 114 | +├── Dockerfile |
| 115 | +├── Dockerfile.rego |
| 116 | +└── src/ |
| 117 | +``` |
| 118 | + |
| 119 | +No additional configuration is needed - Buildx automatically finds and loads |
| 120 | +the policy when you build. |
| 121 | + |
| 122 | +## Use cases |
| 123 | + |
| 124 | +Build policies help you enforce security and compliance requirements on your |
| 125 | +Docker builds. Common scenarios where policies provide value: |
| 126 | + |
| 127 | +### Enforce base image standards |
| 128 | + |
| 129 | +Require all production Dockerfiles to use specific, approved base images with |
| 130 | +digest references. Prevent developers from using arbitrary images that haven't |
| 131 | +been vetted by your security team. |
| 132 | + |
| 133 | +### Validate third-party dependencies |
| 134 | + |
| 135 | +When your build downloads files, libraries, or tools from the internet, verify |
| 136 | +they come from trusted sources and match expected checksums or signatures. This |
| 137 | +protects against supply chain attacks where an upstream dependency is |
| 138 | +compromised. |
| 139 | + |
| 140 | +### Ensure signed releases |
| 141 | + |
| 142 | +Require that all dependencies have valid signatures from trusted parties. |
| 143 | + |
| 144 | +- Check GPG signatures for Git repositories you clone in your builds |
| 145 | +- Verify provenance attestation signatures with Sigstore |
| 146 | + |
| 147 | +### Meet compliance requirements |
| 148 | + |
| 149 | +Some regulatory frameworks require evidence that you validate your build |
| 150 | +inputs. Build policies give you an auditable, declarative way to demonstrate |
| 151 | +you're checking dependencies against security standards. |
| 152 | + |
| 153 | +### Separate development and production rules |
| 154 | + |
| 155 | +Apply stricter validation for production builds while allowing more flexibility |
| 156 | +during development. The same policy file can contain conditional rules based on |
| 157 | +build context or target. |
| 158 | + |
| 159 | +## Get started |
| 160 | + |
| 161 | +Ready to start writing policies? The [Introduction](./intro.md) tutorial walks |
| 162 | +you through creating your first policy and teaches the Rego basics you need. |
| 163 | + |
| 164 | +For practical usage guidance, see [Using build policies](./usage.md). |
| 165 | + |
| 166 | +For practical examples you can copy and adapt, see the [Example |
| 167 | +policies](./examples.md) library. |
0 commit comments