|
| 1 | +--- |
| 2 | +title: Validating build inputs with policies |
| 3 | +linkTitle: Validating builds |
| 4 | +description: "" |
| 5 | +weight: 10 |
| 6 | +params: |
| 7 | + sidebar: |
| 8 | + badge: |
| 9 | + color: green |
| 10 | + text: New |
| 11 | +--- |
| 12 | + |
| 13 | +<!-- diataxis explanation --> |
| 14 | + |
| 15 | +Building with Docker often involves downloading remote resources of some kind. |
| 16 | +These external dependencies are called **build inputs**: Docker images, Git |
| 17 | +repositories, remote files, and other artifacts your build pulls in. |
| 18 | + |
| 19 | +For example: |
| 20 | + |
| 21 | +- Pulling images from a registry |
| 22 | +- Cloning a source code repository |
| 23 | +- Fetching files from a server over HTTPS |
| 24 | + |
| 25 | +When consuming build inputs, it's a good idea to verify the contents are what |
| 26 | +you expect them to be. One way to do this is to use the `--checksum` option for |
| 27 | +the `ADD` Dockerfile instruction. This lets you verify the SHA256 checksum of a |
| 28 | +remote resource when pulling it into a build: |
| 29 | + |
| 30 | +```dockerfile |
| 31 | +ADD --checksum=sha256:c0ff3312345… https://example.com/archive.tar.gz / |
| 32 | +``` |
| 33 | + |
| 34 | +If the remote `archive.tar.gz` file does not match the checksum that the |
| 35 | +Dockerfile expects, the build fails. |
| 36 | + |
| 37 | +Checksums verify that content matches what you expect, but only for the `ADD` |
| 38 | +instruction. They don't tell you anything about where the content came from or |
| 39 | +how it was produced. You can't use checksums to enforce constraints like |
| 40 | +"images must be signed" or "dependencies must come from approved sources." |
| 41 | + |
| 42 | +## Build policies |
| 43 | + |
| 44 | +Buildx version 0.31.0 added support for **build policies**. Build policies are |
| 45 | +rules for securing your Docker build supply chain, and help protect against |
| 46 | +upstream compromises, malicious dependencies, and unauthorized modifications to |
| 47 | +your build inputs. |
| 48 | + |
| 49 | +With build policies, you can perform extended verifications on inputs, such as: |
| 50 | + |
| 51 | +- Docker images must use digest references (not tags alone) |
| 52 | +- Images must have provenance attestations and cosign signatures |
| 53 | +- Git tags are signed by maintainers with a PGP public key |
| 54 | +- All remote artifacts must use HTTPS and include a checksum for verification |
| 55 | + |
| 56 | +Build policies are defined in a declarative policy language, called Rego, |
| 57 | +created for the [Open Policy Agent (OPA)](https://www.openpolicyagent.org/). |
| 58 | +The following example shows a minimal build policy in Rego. |
| 59 | + |
| 60 | +```rego {title="Dockerfile.rego"} |
| 61 | +package docker |
| 62 | +
|
| 63 | +default allow := false |
| 64 | +
|
| 65 | +# Allow any local inputs for this build |
| 66 | +allow if input.local |
| 67 | +
|
| 68 | +# Allow images, but only if they have provenance attestations |
| 69 | +allow if { |
| 70 | + input.image.hasProvenance |
| 71 | +} |
| 72 | +
|
| 73 | +decision := {"allow": allow} |
| 74 | +``` |
| 75 | + |
| 76 | +If the Dockerfile associated with this policy references an image with no |
| 77 | +provenance attestation in a `FROM` instruction, the policy would be violated |
| 78 | +and the build would fail. |
| 79 | + |
| 80 | +## Use cases |
| 81 | + |
| 82 | +Build policies help you enforce security and compliance requirements on your |
| 83 | +Docker builds. Common scenarios where policies provide value: |
| 84 | + |
| 85 | +### Enforce base image standards |
| 86 | + |
| 87 | +Require all production Dockerfiles to use specific, approved base images with |
| 88 | +digest references. Prevent developers from using arbitrary images that haven't |
| 89 | +been vetted by your security team. |
| 90 | + |
| 91 | +### Validate third-party dependencies |
| 92 | + |
| 93 | +When your build downloads files, libraries, or tools from the internet, verify |
| 94 | +they come from trusted sources and match expected checksums or signatures. This |
| 95 | +protects against supply chain attacks where an upstream dependency is |
| 96 | +compromised. |
| 97 | + |
| 98 | +### Ensure signed releases |
| 99 | + |
| 100 | +Require that all dependencies - whether container images or downloaded files - |
| 101 | +have valid signatures from trusted parties. Use GPG signatures, Sigstore |
| 102 | +attestations, or GitHub attestations to verify authenticity. |
| 103 | + |
| 104 | +### Meet compliance requirements |
| 105 | + |
| 106 | +Some regulatory frameworks require evidence that you validate your build |
| 107 | +inputs. Build policies give you an auditable, declarative way to demonstrate |
| 108 | +you're checking dependencies against security standards. |
| 109 | + |
| 110 | +### Separate development and production rules |
| 111 | + |
| 112 | +Apply stricter validation for production builds while allowing more flexibility |
| 113 | +during development. The same policy file can contain conditional rules based on |
| 114 | +build context or target. |
| 115 | + |
| 116 | +## Get started |
| 117 | + |
| 118 | +Ready to start writing policies? The [Introduction](./intro.md) tutorial walks |
| 119 | +you through creating your first policy and teaches the Rego basics you need. |
| 120 | + |
| 121 | +For practical examples you can copy and adapt, see the [Example |
| 122 | +policies](./examples.md) library. |
0 commit comments