
The Innovative Bazel Ruleset Empowers Developers to Construct Container Images with Better Security


Google has introduced an advanced ruleset within Bazel, an open-source testing and build tool, enabling developers to construct Docker images and generate a comprehensive software bill of materials detailing the container’s contents.

https://twitter.com/aspect_dev/status/1654526132644093952

What does Bazel do?

Simplifying and enhancing the container image creation process, Bazel supports diverse languages and platforms.

  • Developers define rules that guide Bazel’s actions using Starlark, a user-friendly, high-level build language.
  • These rules specify input files and desired output types, such as executables or library files. Groups of related rules are combined into rulesets, encompassing various functionalities like binary creation and test execution.
  • Bazel facilitates the creation of Distroless builds, which are minimal base images containing only the essential components required by the application in the runtime container.
  • By leaving out unnecessary elements, Distroless builds alleviate the burden of managing security vulnerabilities and contribute to better software supply chain governance.

Revolutionary rules_oci

The new rules_oci ruleset revolutionizes the creation of Distroless builds by integrating supply chain security metadata into the container images.

This update, announced as generally available by Appu Goundan from Google’s Open Source Security Team, leverages Bazel’s capability to manage and cache dependencies based on their integrity hash. 

As a result:

  • Developers receive a comprehensive software bill of materials, providing insights into the container’s composition and enabling organizations to make informed decisions about image usage.
  • Code signing ensures that the container image remains unaltered after the developer’s initial creation, providing users with verification and integrity assurances.
  • Developers can create Docker containers without requiring a pre-installed Docker daemon on the machine, surpassing the capabilities of the previous rules_docker ruleset, which is now in maintenance mode.

To aid organizations in transitioning from rules_docker to rules_oci, a Migration guide has been provided.
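To make the two points above concrete (dependencies managed by integrity hash, and images built without a Docker daemon), here is an added example of a MODULE.bazel and BUILD file using rules_oci; it is not code from the article or from the rules_oci project itself. The version strings, the base-image digest and the `:app` binary target are placeholders and assumptions; the rule and attribute names are those rules_oci documents, but check them against the version you pin.

```starlark
# --- MODULE.bazel (added example; versions and digest are placeholders) ---
bazel_dep(name = "rules_oci", version = "<rules_oci version>")
bazel_dep(name = "rules_pkg", version = "<rules_pkg version>")

oci = use_extension("@rules_oci//oci:extensions.bzl", "oci")
oci.pull(
    name = "distroless_base",
    image = "gcr.io/distroless/base",
    # Pin the base by digest, not by a mutable tag: Bazel fetches, caches and
    # verifies the image against this integrity hash, so a re-tagged upstream
    # image cannot silently change what the build is based on.
    digest = "sha256:<base-image-digest>",  # placeholder, replace with the real digest
    platforms = ["linux/amd64"],
)
use_repo(oci, "distroless_base")

# --- BUILD (same package as an assumed ":app" binary target) ---
load("@rules_oci//oci:defs.bzl", "oci_image", "oci_tarball")
load("@rules_pkg//pkg:tar.bzl", "pkg_tar")

# Package only the application binary into one layer; nothing else from the
# build host ends up in the runtime image.
pkg_tar(
    name = "app_layer",
    srcs = [":app"],  # assumed binary target defined elsewhere in this package
    package_dir = "/app",
)

# Assemble the OCI image from the pinned Distroless base plus the app layer.
# `bazel build //:image` produces an OCI layout directory purely as a Bazel
# action, with no Docker daemon involved.
oci_image(
    name = "image",
    base = "@distroless_base",
    tars = [":app_layer"],
    entrypoint = ["/app/app"],
)

# Optional: `bazel run //:tarball` loads the image into a local daemon for
# inspection, which is the only step here that needs Docker at all.
oci_tarball(
    name = "tarball",
    image = ":image",
    repo_tags = ["example/app:latest"],
)
```

Because the base is pinned by digest, a change in the upstream image shows up as a failed integrity check at fetch time rather than as an unexplained difference in the built image.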

Concluding thoughts

Introducing Bazel’s new ruleset brings significant advancements for developers in building secure container images. This development marks a positive step forward in the realm of containerization and reinforces the importance of incorporating strong security practices throughout the software development lifecycle.
