Unchained
Products
Chainguard Images
Reduce your attack surface with hardened container images.
Solutions
Developer
Resources
Company
Contact
Back
Container Image Security
Run hardened container images.
Vulnerability Remediation
Eliminate CVEs daily.
Open Source Software Security
Consume OSS safely.
Compliance & Risk Mitigation
Meet and maintain compliance.
Software Supply Chain Security
Build secure software by default.
Back
Docs
Open source
Back
Unchained blog
Chainguard labs
Customer stories
Events
Security
Education
Back
About
Newsroom
Careers
Chainguard love
Back
About
Newsroom
Careers
Product

Announcing Bazel rules for extending Chainguard Images

Adam Dawson, Principal Product Manager at Chainguard and Alex Eagle, Aspect
October 24, 2023
copied

Today during BazelCon 2023, Chainguard, in collaboration with Aspect.Dev, is announcing general availability of rules_apko, an open source plugin for Bazel, that makes it possible to build secure, minimal Wolfi-based container images using the popular Bazel build system. This plugin allows Bazel users to build OCI container images with the open source community un-distro, Wolfi, using their existing pipelines and workflows in Bazel.

Bazel is for fast, reproducible builds

Bazel is the open-sourced version of Google’s internal build tool, commonly used in multi-language monorepos to get faster and more reproducible builds. Bazel relies on plugins, called “rulesets,” to understand how to build images. Since Bazel can understand most languages, it’s a single tool that can produce images containing any application code. It also provides hermeticity and determinism guarantees, allowing a secure software supply chain to propagate from the package manager all the way to your production images.

Apko is for more secure, distroless container images based on the Wolfi un-distro

Apko is an open source project developed by Chainguard for producing minimal, low-CVE, distroless container images using the Wolfi un-distro. Apko is used to assemble distroless base images and Wolfi's extensive library of APK packages (or packages you create) into an OCI-compliant container image that is reproducible, and has a complete software bill of materials (SBOM).

Introducing rules_apko

rules_apko is a new Bazel plugin available in the Bazel Central Registry for building OCI images using Wolfi-base images and APKs within existing Bazel workflows. 

Previously under Bazel, users had to build base images outside of Bazel and manually update them in the Bazel configuration, or use the non-performant and now deprecated `container_run_and_*` APIs in rules_docker.

rules_apko generates a fully locked and verifiable description of all transitive dependencies. Bazel then downloads individual APK packages needed for the requested build targets, and creates an OCI-format base image containing the installed packages. This base image can then be further extended by rules_oci to include binaries built from sources in the repository.

Benefits of using apko and Wolfi-base images with Bazel include:

  • Supply chain security assurances in Bazel that the APK packages fetched have the same integrity hashes as the lock file.
  • Bazel can build any application code in any language and add to the image.
  • Bazel coordinates test runners where container images are required as inputs.
  • Bazel can enable fully-offline (“air gapped”) builds with rules_apko.
  • Assurances that the resulting image is fully reproducible and has a complete SBOM.

Getting Started with rules_apko

rules_apko is available today and it's easy to get started building secure, minimal container images in Bazel:

  • Run the apko resolve command to produce the apko.lock.json file

    . Note: the resolve command is available in the newest release of apko.
  • Follow the install instructions to add rules_apko to your Bazel project.

  • Call the translate_apko_lock Bazel API to import the apko.lock.json file so that Bazel can download and verify the integrity of remote assets.

  • Add apko_image targets to your BUILD files to create base images.

Take a look at the https://github.com/chainguard-dev/rules_apko/tree/main/examples for more ideas of how to use rules_apko to create secure, reproducible container images for your enterprise applications.

Resources

To learn more about using rules_apko for distroless container images, check out the following additional resources: 

You can try Chainguard Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our free and public Images are available on the :latest and :latest-dev versions only. If you're interested in learning more or have additional questions regarding our Chainguard Images Enterprise features and capabilities, please reach out to our team for more information. 

Chainguard would like to extend our special thanks to the team at Aspect.dev for their assistance in developing rules_apko!

Related articles
Product
Announcing early access to Chainguard’s CUDA Optimized Images
April 25, 2024
Product
New Chainguard Images in March 2024: Your safe source for open source
April 4, 2024
Product
Chainguard patches 3 “silent” Golang CVEs in under 24 hours
March 21, 2024

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.

Get started
Products

Chainguard Images

Solutions

Container Image Security

Vulnerability Remediation

Open Source Software Security

Compliance & Risk Mitigation

Software Supply Chain Security

Developer

Open source

Docs

Resources

Unchained blog

Chainguard Labs

Customer stories

Scanners

Security

Education

Company

About

Newsroom

Careers

Chainguard love

Legal

Contact

Follow

Twitter

GitHub

LinkedIn

TikTok

© 2023 Chainguard, Inc.

Contact
Contact