Today during BazelCon 2023, Chainguard, in collaboration with Aspect.dev, is announcing general availability of rules_apko, an open source plugin for Bazel that makes it possible to build secure, minimal Wolfi-based container images using the popular Bazel build system. This plugin allows Bazel users to build OCI container images with the open source community un-distro, Wolfi, using their existing pipelines and workflows in Bazel.
Bazel is for fast, reproducible builds
Bazel is the open-sourced version of Google’s internal build tool, commonly used in multi-language monorepos to get faster and more reproducible builds. Bazel relies on plugins, called “rulesets,” to understand how to build images. Since Bazel can understand most languages, it’s a single tool that can produce images containing any application code. It also provides hermeticity and determinism guarantees, allowing a secure software supply chain to propagate from the package manager all the way to your production images.
Apko is for more secure, distroless container images based on the Wolfi un-distro
Apko is an open source project developed by Chainguard for producing minimal, low-CVE, distroless container images using the Wolfi un-distro. Apko is used to assemble distroless base images and Wolfi's extensive library of APK packages (or packages you create) into an OCI-compliant container image that is reproducible and has a complete software bill of materials (SBOM).
rules_apko is a new Bazel plugin available in the Bazel Central Registry for building OCI images using Wolfi-base images and APKs within existing Bazel workflows.
Previously under Bazel, users had to build base images outside of Bazel and manually update them in the Bazel configuration, or use the non-performant and now deprecated `container_run_and_*` APIs in rules_docker.
rules_apko generates a fully locked and verifiable description of all transitive dependencies. Bazel then downloads individual APK packages needed for the requested build targets, and creates an OCI-format base image containing the installed packages. This base image can then be further extended by rules_oci to include binaries built from sources in the repository.
Benefits of using apko and Wolfi-base images with Bazel include:
Getting Started with rules_apko
rules_apko is available today and it's easy to get started building secure, minimal container images in Bazel:
Take a look at the examples at https://github.com/chainguard-dev/rules_apko/tree/main/examples for more ideas of how to use rules_apko to create secure, reproducible container images for your enterprise applications.
To learn more about using rules_apko for distroless container images, check out the following additional resources:
You can try Chainguard Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our free and public Images are available on the :latest and :latest-dev versions only. If you're interested in learning more or have additional questions regarding our Chainguard Images Enterprise features and capabilities, please reach out to our team for more information.
Chainguard would like to extend our special thanks to the team at Aspect.dev for their assistance in developing rules_apko!