container-source-policy-darwin-x64 0.3.1 → 0.5.0

package/README.md CHANGED
@@ -1,8 +1,12 @@
1
1
  # container-source-policy
2
2
 
3
- Generate a Docker BuildKit **source policy** file by parsing Dockerfiles and pinning `FROM` images to immutable digests.
3
+ [![codecov](https://codecov.io/gh/tinovyatkin/container-source-policy/graph/badge.svg?token=tSSxWyOmP2)](https://codecov.io/gh/tinovyatkin/container-source-policy)
4
4
 
5
- This helps make `docker buildx build` inputs reproducible without rewriting your Dockerfile.
5
+ Generate BuildKit **source policies** that make Docker builds reproducible and secure — without modifying your Dockerfiles.
6
+
7
+ - 📌 **Pin** images and URLs to immutable checksums
8
+ - 🛡️ **Harden** builds with [Docker Hardened Images](https://dhi.io) (fewer CVEs, smaller footprint)
9
+ - ✅ **Validate** existing policies against Dockerfiles *(coming soon)*
6
10
 
7
11
  See the [BuildKit documentation on build reproducibility](https://github.com/moby/buildkit/blob/master/docs/build-repro.md) for more details on source policies.
8
12
 
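Review bot: the new feature list places `✅ **Validate** existing policies against Dockerfiles *(coming soon)*` alongside the two shipped features, so a reader skimming the bullets may conclude that a `validate` command exists in 0.5.0. Suggest moving the unshipped item to a short roadmap line below the list, or dropping it until the command lands. The codecov badge URL also carries a `token=` query parameter; Codecov documents the badge token as needed only for private repositories, so check whether it is required for this public repository before shipping it in the README.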
@@ -67,22 +71,45 @@ Write directly to a file:
67
71
  container-source-policy pin --output source-policy.json Dockerfile
68
72
  ```
69
73
 
70
- Then pass the policy to BuildKit / Buildx via the environment variable:
74
+ ### Docker Hardened Images (DHI)
75
+
76
+ Use `--prefer-dhi` to pin Docker Hub library images to their [Docker Hardened Images](https://www.docker.com/blog/docker-hardened-images-now-free/) equivalents when available:
71
77
 
72
78
  ```bash
73
- EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json docker buildx build .
79
+ # First, login to dhi.io with your Docker Hub credentials
80
+ docker login dhi.io
81
+
82
+ # Then use --prefer-dhi to prefer hardened images
83
+ container-source-policy pin --prefer-dhi --stdout Dockerfile
74
84
  ```
75
85
 
76
- Or use `buildctl` directly with the `--source-policy-file` flag:
86
+ This converts eligible images (e.g., `alpine:3.21`, `node:22`, `golang:1.23`) to their `dhi.io` equivalents, which are minimal, security-hardened
87
+ versions with fewer vulnerabilities.
88
+
89
+ - Only Docker Hub library images (`alpine`, `node`, `golang`, etc.) are eligible
90
+ - Images not available on dhi.io silently fall back to docker.io
91
+ - Non-library images (`ghcr.io/*`, `docker.io/myorg/*`) are unchanged
92
+ - The policy selector still matches the original reference, so your Dockerfile works unchanged
93
+
94
+ Example output with `--prefer-dhi`:
95
+
96
+ ```json
97
+ {
98
+ "selector": { "identifier": "docker-image://golang:1.23" },
99
+ "updates": { "identifier": "docker-image://dhi.io/golang:1.23@sha256:..." }
100
+ }
101
+ ```
102
+
103
+ Then pass the policy to BuildKit / Buildx via the environment variable:
77
104
 
78
105
  ```bash
79
- buildctl build --frontend dockerfile.v0 --local dockerfile=. --local context=. --source-policy-file source-policy.json
106
+ EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json docker buildx build .
80
107
  ```
81
108
 
82
- Shell completion scripts are available via Cobra:
109
+ Or use `buildctl` directly with the `--source-policy-file` flag:
83
110
 
84
111
  ```bash
85
- container-source-policy completion zsh
112
+ buildctl build --frontend dockerfile.v0 --local dockerfile=. --local context=. --source-policy-file source-policy.json
86
113
  ```
87
114
 
88
115
  ## What gets pinned
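Review bot: `Images not available on dhi.io silently fall back to docker.io` undercuts the guarantee the section promises. A user who passes `--prefer-dhi` and does not inspect the generated JSON can end up building from an unhardened `docker.io` image with no signal that the conversion did not happen. Suggest having the tool emit a warning for each fallback and documenting that here, and stating explicitly that the only indicator in the output is whether `updates.identifier` begins with `dhi.io/`. The `docker login dhi.io` step should also say what happens when credentials are absent or expired (an error, or the same silent fallback for every image), since under a silent fallback an unauthenticated run would quietly produce a policy with no hardened images at all. Finally, the `Example output` block shows a bare `{ "selector", "updates" }` object; the rest of the README speaks of `CONVERT` rules, and a BuildKit policy wraps each rule in a `rules` array with an `action` field, so label the snippet as a single rule excerpted from `rules` to avoid readers pasting it as a complete policy file.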
@@ -108,9 +135,11 @@ container-source-policy completion zsh
108
135
  - Git URLs (handled separately, see below)
109
136
  - Volatile content (emits warning): URLs returning `Cache-Control: no-store`, `no-cache`, `max-age=0`, or expired `Expires` headers
110
137
  - Fetches the checksum and emits `CONVERT` rules with `http.checksum` attribute.
111
- - **Respects `Vary` header**: captures request headers that affect response content (e.g., `User-Agent`, `Accept-Encoding`) and includes them in the policy as `http.header.*` attributes to ensure reproducible builds.
138
+ - **Respects `Vary` header**: captures request headers that affect response content (e.g., `User-Agent`, `Accept-Encoding`) and includes them in the
139
+ policy as `http.header.*` attributes to ensure reproducible builds.
112
140
 
113
141
  **Optimized checksum fetching** — avoids downloading large files when possible:
142
+
114
143
  - `raw.githubusercontent.com`: extracts SHA256 from ETag header
115
144
  - GitHub releases: uses the API `digest` field (set `GITHUB_TOKEN` for higher rate limits)
116
145
  - S3: uses `x-amz-checksum-sha256` response header (by sending `x-amz-checksum-mode: ENABLED`)
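Review bot: the re-wrapped `**Respects \`Vary\` header**` bullet continues on a second line with no leading indentation. CommonMark treats that as a lazy continuation, so it still renders inside the list item, but indenting the continuation to align with the bullet text avoids surprises with stricter renderers and markdown linters. The blank line added before the `Optimized checksum fetching` list is a good change: it makes the list its own block consistently across renderers instead of relying on a list interrupting the preceding paragraph.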
@@ -146,9 +175,10 @@ UPDATE_SNAPS=true go test ./internal/integration/...
146
175
 
147
176
  ## Repository layout
148
177
 
149
- - `cmd/container-source-policy/cmd/`: Cobra CLI commands
178
+ - `cmd/container-source-policy/cmd/`: CLI commands (urfave/cli)
150
179
  - `internal/dockerfile`: Dockerfile parsing (`FROM` and `ADD` extraction)
151
180
  - `internal/registry`: registry client (image digest resolution)
181
+ - `internal/dhi`: Docker Hardened Images reference mapping
152
182
  - `internal/http`: HTTP client (URL checksum fetching with optimizations)
153
183
  - `internal/git`: Git client (commit SHA resolution via git ls-remote)
154
184
  - `internal/policy`: BuildKit source policy types and JSON output
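Review bot: `cmd/container-source-policy/cmd/` now reads `CLI commands (urfave/cli)` in place of Cobra, and the earlier README hunk deletes the `Shell completion scripts are available via Cobra` section together with its `container-source-policy completion zsh` example. If completion is still offered under urfave/cli, the README should document the new invocation; if it was dropped, call that out as a user-visible change for the 0.3.1 to 0.5.0 bump rather than removing the section without comment. The new `internal/dhi: Docker Hardened Images reference mapping` entry would also benefit from one clause on where the mapping comes from (a static table in the binary versus a live query of `dhi.io`), because that determines whether the `silently fall back to docker.io` behaviour described above depends on network access to the registry.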
Binary file
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "container-source-policy-darwin-x64",
3
- "version": "0.3.1",
3
+ "version": "0.5.0",
4
4
  "description": "The darwin x64 binary for container-source-policy",
5
5
  "repository": {
6
6
  "type": "git",
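Review bot: the version jumps from `0.3.1` to `0.5.0` with no changelog anywhere in the diff, and the platform binary this package ships also changed (the `Binary file` entry above). For a tool whose purpose is pinning build inputs to immutable digests, publishing the binary's checksum or a provenance attestation with each release would let consumers apply the same verification to the tool itself; at minimum the README or `description` should point to where release artefacts can be verified.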