Build Wolfi images with Bazel: Introducing rules_apko
Co-author: Adam Dawson, Principal Product Manager at Chainguard
Cross-posted with Chainguard: https://www.chainguard.dev/unchained/announcing-bazel-rules-for-extending-chainguard-images
Yesterday during BazelCon 2023, in partnership with Chainguard, I announced the general availability of rules_apko, an open source plugin for Bazel, which makes it possible to build secure, minimal Wolfi-based container images using the popular Bazel build system. This plugin allows Bazel users to build OCI container images with the open source community un-distro, Wolfi, using their existing pipelines and workflows in Bazel.
Apko is for more secure, distroless container images based on the Wolfi un-distro
Apko is an open-source project developed by Chainguard for producing minimal, low-CVE, distroless container images using the Wolfi un-distro. Apko is used to assemble distroless base images and Wolfi's extensive library of APK packages (or packages you create) into an OCI-compliant container image that is fully reproducible and has a complete software bill of materials (SBOM).
Bazel is for fast, reproducible builds
Bazel is the open-sourced version of Google’s internal build tool, commonly used in multi-language monorepos to get faster and more reproducible builds. Bazel relies on plugins, called “rulesets,” to understand how to build images. Since Bazel can understand most languages, it’s a single tool that can produce images containing any application code. It also provides hermeticity and determinism guarantees, allowing a secure software supply chain to propagate from the package manager all the way to your production images.
rules_apko is a new Bazel ruleset for building OCI images using Wolfi-base images and APKs within existing Bazel workflows.
Previously under Bazel, users had to build base images outside of Bazel and manually update them in the Bazel configuration, or use the non-performant and now deprecated
container_run_and_* APIs in rules_docker.
rules_apko generates a fully locked and verifiable description of all transitive dependencies. Bazel then downloads individual APK packages needed for the requested build targets, and creates an OCI-format base image containing the installed packages. This base image can then be further extended by rules_oci to append artifacts built from sources in the repository.
Benefits of using apko and Wolfi-base images with Bazel include:
Supply chain security assurances in Bazel that the APK packages fetched have the same integrity hashes as the lock file.
Bazel can build any application code in any language and add to the image.
Bazel coordinates test runners where container images are required as inputs.
Bazel can enable fully-offline (“air gapped”) builds with rules_apko.
Assurances that the resulting image is fully reproducible and has a complete SBOM.
Getting Started with rules_apko
rules_apko is available today and it's easy to get started building secure, minimal container images in Bazel:
apko resolvecommand to produce the
apko.resolved.jsonfile. Note: the resolve command is undocumented and is available in the newest release of apko.
Follow the install instructions to add rules_apko to your Bazel project.
translate_apko_lockBazel API to import the
apko.lock.jsonfile so that Bazel can download and verify the integrity of remote assets.
apko_imagetargets to your BUILD files to create base images.
Take a look at the https://github.com/chainguard-dev/rules_apko/tree/main/examples for more ideas of how to use rules_apko to create secure, reproducible container images for your enterprise applications.
To learn more about using rules_apko for distroless container images, check out the following additional resources:
rules_apko project on GitHub
Bazel rules for apko documentation on Chainguard Academy
You can try Chainguard Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our free and public Images are available on the
:latest-dev versions only. If you're interested in learning more or have additional questions regarding our Chainguard Images Enterprise features and capabilities, please reach out to our team for more information.
Aspect would like to extend our special thanks to the team at Chainguard for sponsoring the work of developing rules_apko!