
Build Secure analyzer images using Docker BuildKit

Proposal

Secure analyzers should build their Docker images with Docker BuildKit, so that build times are shorter and the resulting images are smaller.

More details

Docker 18.09 shipped an overhaul of the internal build architecture called BuildKit. It is enabled per invocation by setting the environment variable DOCKER_BUILDKIT=1 when running docker build ....

Docker BuildKit comes with benefits that could be useful to Secure:

  • A --secret command-line option that exposes a secret (for example a private package-registry token) to individual RUN steps at build time, without the value ending up in an image layer, a build arg, or docker history output
  • Reduced size of the resulting image, because only the stages the final image depends on are built and kept
  • Reduced build time, because independent stages run in parallel and unused stages are skipped

Docker BuildKit is most beneficial for images whose Dockerfile contains multistage builds, since that is where parallel stage execution and stage skipping pay off. Any Secure analyzer that uses the shared "common" library most likely already has a multistage build.
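The following is an added example, not code from this issue or from any Secure analyzer repository. It is a POSIX shell script that writes a small multistage Dockerfile consuming a registry token through a BuildKit secret mount (with the weak ARG variant left in as a comment for contrast), builds it with DOCKER_BUILDKIT=1 and --secret, and then audits docker history to confirm the token never reached a layer. The image name secure-analyzer-example:buildkit, the secret id registry_token, and the token file are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not taken from the issue or from any Secure analyzer repository.
# Assumed for illustration: image name secure-analyzer-example:buildkit,
# secret id "registry_token", and a token file passed on the command line.
set -eu

# Write a multistage Dockerfile that consumes the token through a BuildKit
# secret mount. The secret is visible only inside that one RUN step, under
# /run/secrets, and is never written to a layer or to the image metadata.
write_dockerfile() {
    dir="$1"
    cat > "$dir/Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine:3.18 AS builder
# Weak alternative (do not do this): build args are recorded in image history.
#   ARG REGISTRY_TOKEN
#   RUN wget --header "Authorization: Bearer $REGISTRY_TOKEN" https://registry.example/pkg.tgz
# BuildKit way: mount the secret for this step only.
RUN --mount=type=secret,id=registry_token \
    TOKEN="$(cat /run/secrets/registry_token)" && \
    echo "would fetch private package with a token of ${#TOKEN} bytes"
# Final stage: only the build output is copied; the builder layers are dropped.
FROM alpine:3.18
COPY --from=builder /etc/alpine-release /analyzer-base-release
EOF
}

# Build with BuildKit, passing the token from a file as a build secret.
build_image() {
    dir="$1"; image="$2"; token_file="$3"
    DOCKER_BUILDKIT=1 docker build \
        --secret "id=registry_token,src=$token_file" \
        -t "$image" "$dir"
}

# Return 0 if the secret value shows up in a docker history listing, 1 if not.
# Feed it the output of: docker history --no-trunc --format '{{.CreatedBy}}' IMAGE
history_leaks_value() {
    history_text="$1"; secret_value="$2"
    printf '%s\n' "$history_text" | grep -qF -- "$secret_value"
}

# Full run: build the image and fail if the token leaked into the history.
main() {
    token_file="$1"
    workdir="$(mktemp -d)"
    write_dockerfile "$workdir"
    build_image "$workdir" secure-analyzer-example:buildkit "$token_file"
    history="$(docker history --no-trunc --format '{{.CreatedBy}}' secure-analyzer-example:buildkit)"
    if history_leaks_value "$history" "$(cat "$token_file")"; then
        echo "FAIL: secret present in image history" >&2
        return 1
    fi
    echo "OK: secret not present in image history"
}

# Invoke as: sh buildkit_secret_example.sh build /path/to/token.txt
if [ "${1:-}" = "build" ]; then
    main "$2"
fi
```

The "# syntax=docker/dockerfile:1" line must be the first line of the Dockerfile; it pins a Dockerfile frontend that understands RUN --mount=type=secret. The history check is the part worth keeping in CI: with the ARG approach the token value is visible in the CreatedBy column of docker history, with the secret mount it is not.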

Limitations

  • Docker 18.09 or higher is required on the machine that builds the image.
  • BuildKit only supports building Linux images.

Suggested rollout strategy

  • Enable DOCKER_BUILDKIT=1 for one analyzer, both locally and in its CI pipeline.
    • Compare build time and resulting image size before and after, both locally and on CI.
    • Confirm the BuildKit-built image behaves the same as before (the analyzer's existing tests pass against it), then release the analyzer.
  • Wait for a period of time to pass (suggestion: 3 months) to allow for users to report issues.
  • Gradually roll out other analyzers.

Links / references

Edited by Cameron Swords