Announcing Bazel rules for extending Chainguard Images
Today during BazelCon 2023, Chainguard, in collaboration with Aspect.Dev, is announcing general availability of rules_apko, an open source plugin for Bazel, that makes it possible to build secure, minimal Wolfi-based container images using the popular Bazel build system. This plugin allows Bazel users to build OCI container images with the open source community un-distro, Wolfi, using their existing pipelines and workflows in Bazel.
Bazel is for fast, reproducible builds
Bazel is the open-sourced version of Google’s internal build tool, commonly used in multi-language monorepos to get faster and more reproducible builds. Bazel relies on plugins, called “rulesets,” to understand how to build images. Since Bazel can understand most languages, it’s a single tool that can produce images containing any application code. It also provides hermeticity and determinism guarantees, allowing a secure software supply chain to propagate from the package manager all the way to your production images.
Apko is for more secure, distroless container images based on the Wolfi un-distro
Apko is an open source project developed by Chainguard for producing minimal, low-CVE, distroless container images using the Wolfi un-distro. Apko is used to assemble distroless base images and Wolfi's extensive library of APK packages (or packages you create) into an OCI-compliant container image that is reproducible, and has a complete software bill of materials (SBOM).
Introducing rules_apko
rules_apko is a new Bazel plugin available in the Bazel Central Registry for building OCI images using Wolfi-base images and APKs within existing Bazel workflows.
Previously under Bazel, users had to build base images outside of Bazel and manually update them in the Bazel configuration, or use the non-performant and now deprecated `container_run_and_*` APIs in rules_docker.
rules_apko generates a fully locked and verifiable description of all transitive dependencies. Bazel then downloads individual APK packages needed for the requested build targets, and creates an OCI-format base image containing the installed packages. This base image can then be further extended by rules_oci to include binaries built from sources in the repository.
Benefits of using apko and Wolfi-base images with Bazel include:
Supply chain security assurances in Bazel that the APK packages fetched have the same integrity hashes as the lock file.
Bazel can build any application code in any language and add to the image.
Bazel coordinates test runners where container images are required as inputs.
Bazel can enable fully-offline (“air gapped”) builds with rules_apko.
Assurances that the resulting image is fully reproducible and has a complete SBOM.
Getting Started with rules_apko
rules_apko is available today and it's easy to get started building secure, minimal container images in Bazel:
Run the
apko resolve
command to produce theapko.lock.json file
. Note: the resolve command is available in the newest release of apko.
Follow the install instructions to add rules_apko to your Bazel project.
Call the
translate_apko_lock
Bazel API to import theapko.lock.json
file so that Bazel can download and verify the integrity of remote assets.
Add
apko_image
targets to your BUILD files to create base images.
Take a look at the https://github.com/chainguard-dev/rules_apko/tree/main/examples for more ideas of how to use rules_apko to create secure, reproducible container images for your enterprise applications.
Resources
To learn more about using rules_apko for distroless container images, check out the following additional resources:
rules_apko project on GitHub
rules_apko documentation
Bazel rules for apko documentation on Chainguard Academy
You can try Chainguard Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our free and public Images are available on the :latest and :latest-dev versions only. If you're interested in learning more or have additional questions regarding our Chainguard Images Enterprise features and capabilities, please reach out to our team for more information.
Chainguard would like to extend our special thanks to the team at Aspect.dev for their assistance in developing rules_apko!
Ready to Lock Down Your Supply Chain?
Talk to our customer obsessed, community-driven team.