Build Secure analyzer images using Docker BuildKit
Proposal
Secure analyzers build Docker images using Docker BuildKit so that build times are shorter and images are smaller.
More details
As of version 18.09, Docker released an overhaul of the internal build architecture. This was called BuildKit, which can be enabled using the environment variable DOCKER_BUILDKIT=1 when running docker build ....
Docker BuildKit comes with benefits that could be useful to Secure:
- A --secret command-line option to pass secret information for building new images
- Reduced size of resulting image
- Reduced time to build an image
Docker BuildKit is recommended for images where the Dockerfile contains multistage builds. Any Secure analyzer that uses common likely has a multistage build.
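The following multistage Dockerfile is an added illustration of the two BuildKit features mentioned above, not the Dockerfile of any existing analyzer; the Go version, private module path, secret id and file names are assumptions:

```dockerfile
# syntax=docker/dockerfile:1
# Build stage: compiles the analyzer. A credential for a private Go module
# (hypothetical module path and secret id "netrc") is supplied through a
# BuildKit secret mount, so it is visible only during this RUN step and is
# never written into an image layer, unlike a COPY or a build ARG.
FROM golang:1.21-alpine AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN --mount=type=secret,id=netrc,target=/root/.netrc \
    GOPRIVATE='example.internal/*' go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /out/analyzer ./cmd/analyzer

# Final stage: only the static binary is copied in. The Go toolchain and the
# module cache stay behind in the builder stage, which keeps the image small.
FROM alpine:3.19
COPY --from=builder /out/analyzer /analyzer
ENTRYPOINT ["/analyzer"]
```

Build it with `DOCKER_BUILDKIT=1 docker build --secret id=netrc,src=$HOME/.netrc -t analyzer .`; the classic builder rejects the --mount flag, so a failing build is a quick check that the environment variable did not take effect, and `docker history analyzer` afterwards shows no layer carrying the credential.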
Limitations
- Must use Docker 18.09 or higher to build the image.
- This is only supported for building Linux images.
Suggested rollout strategy
- Enable DOCKER_BUILDKIT for one analyzer.
- Analyze the time taken to build the image, both locally and on CI.
- Release the analyzer once confident that it works as intended.
- Wait for a period of time to pass (suggestion: 3 months) to allow for users to report issues.
- Gradually roll out other analyzers.
Links / references
Edited by Cameron Swords