Docker has released version 0.11 of BuildKit, Docker’s backend for building images. The release adds a number of new features, including attestation creation, reproducible build improvements, and cloud cache backend support.
1. SLSA provenance
BuildKit can now create SLSA Provenance attestations to trace a build back to source and make it easier to understand how a build was created. Images built with the new versions of Buildx and BuildKit include metadata such as links to source code, build timestamps, and materials used during the build. To attach the new provenance, BuildKit now creates OCI-compliant images by default.
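A consumer can turn that metadata into a gate before deploying an image. The following is an added example, not code from Docker or BuildKit: it assumes the attestation has already been extracted as an in-toto statement in the SLSA v0.2 provenance layout, and the sample statement, digests, URIs and the `check_provenance` helper are all constructed for illustration.

```python
import json

# Constructed sample: an in-toto statement shaped like SLSA v0.2 provenance.
# Digests, URIs and names are made up for illustration.
SAMPLE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "invocation": {"configSource": {
            "uri": "https://git.example/org/app.git",
            "digest": {"sha1": "b" * 40},
            "entryPoint": "Dockerfile"}},
        "metadata": {"buildStartedOn": "2023-01-10T12:00:00Z"},
        "materials": [
            {"uri": "pkg:docker/alpine@3.17", "digest": {"sha256": "c" * 64}},
            {"uri": "https://files.example/tool.tar.gz", "digest": {}},
        ],
    },
})

def check_provenance(raw, image_sha256, allowed_sources):
    """Return a list of policy findings; an empty list means the statement passes."""
    stmt = json.loads(raw)
    findings = []
    if not stmt.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
        return ["not a SLSA provenance statement"]
    # The attestation must describe the image that was actually pulled.
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if image_sha256 not in subjects:
        findings.append("subject digest does not match image")
    pred = stmt.get("predicate", {})
    src = pred.get("invocation", {}).get("configSource", {})
    if src.get("uri") not in allowed_sources:
        findings.append(f"unexpected source: {src.get('uri')}")
    if not src.get("digest"):
        findings.append("source is not pinned to a commit digest")
    # Every material (base image, downloaded file) should be pinned by digest.
    for m in pred.get("materials", []):
        if not m.get("digest"):
            findings.append(f"unpinned material: {m.get('uri')}")
    return findings

if __name__ == "__main__":
    for f in check_provenance(SAMPLE, "a" * 64, {"https://git.example/org/app.git"}):
        print("FINDING:", f)
```

This inspects only the statement's content; it is meaningful only when the attestation itself was retrieved by digest or otherwise integrity-checked first.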
2. Software Bill of Materials
While provenance attestations help record how a build was completed, Software Bills of Materials (SBOMs) record what components were used. This is similar to tools like docker sbom, but instead of requiring you to perform your own scans, the image author can embed the results into the image.
3. Reproducible builds
Getting reproducible builds from Dockerfiles has been quite difficult in the past: a fully reproducible build requires bit-for-bit accuracy, producing exactly the same result every time. Even fully deterministic builds will produce different timestamps between runs.
4. OCI image layouts as named contexts
BuildKit has been able to export OCI image layouts for some time now. Since version 0.11, BuildKit can also import these results back in using named contexts. This makes it easier to build contexts entirely locally, without the need to send intermediate results to a registry.
5. Cloud cache backends
To achieve good build performance when building in ephemeral environments, such as CI pipelines, you need to store the cache in a remote backend. The latest BuildKit release supports two new storage backends: Amazon S3 and Azure Blob Storage.
When building images, you can provide the details of an S3 bucket or Azure Blob Storage so that the build cache is stored there automatically and pulled into future builds. With this cache, even though CI or local runners can be destroyed and re-created, you can still access your remote cache to get quick builds when nothing has changed.
6. OCI image annotations
OCI image annotations allow attaching metadata to container images at the manifest level. They are a more generic alternative to labels and can be more easily attached to multi-platform images.
7. Build inspection with --print
If you start working in a codebase with Dockerfiles, understanding how to use them can be tricky. Buildx supports the new --print flag for printing details about a build. This flag can be used to quickly and easily get information about the arguments and secrets needed for a build, as well as the build targets.
8. Bake features
The Bake file format for orchestrating builds has been improved.
More release details can be found on the Docker blog and in the changelog. Questions and issues can be raised in the #buildkit channel on the Docker community Slack.