Connect with us

Hi, what are you looking for?


Cloud Security

Google Releases Open Source Bazel Plugin for Container Image Security

Google announces the general availability of ‘rules_oci’ Bazel plugin to improve the security of container images.

Google last week announced the general availability of ‘rules_oci’, an open source Bazel plugin for building container images.

Bazel improves supply chain trust by using dependencies’ integrity hashes. Google uses this build and test tool for creating Distroless base images for Docker.

Distroless images too are meant to improve supply chain security, as they are minimal base images that include only what is necessary for applications to run.

“Using minimal base images reduces the burden of managing risks associated with security vulnerabilities, licensing, and governance issues in the supply chain for building applications,” Google explains.

According to the internet giant, rules_oci, the new ruleset that replaces rules_docker, which was previously used for building container images, provides numerous improvements, including features related to security.

The new plugin can use trusted third-party toolchains, does not require running a docker daemon already on the machine, and does not include language-specific rules.

It also allows for the transparent use of private registries, and provides users with a software bill of materials (SBOM), so they can verify the source of dependencies.

Advertisement. Scroll to continue reading.

The plugin also supports native signing of images, native support for oci indexes (multi-platform images), improved caching and fetching, and a signed attestation for Distroless images, which includes SBOMs.

“In the end, rules_oci allowed us to modernize the Distroless build while also adding necessary supply chain security metadata to allow organizations to make better decisions about the images they consume,” Google notes.

On Friday, the internet giant announced that version 1.0 of rules_oci is now generally available, accompanied by a guide to help organizations migrate from rules_docker to the new ruleset.

Related: Google Launches New Cybersecurity Analyst Training Program

Related: ATT&CK v9 Introduces Containers, Google Workspace

Related: Google Blocked 1.4 Million Bad Apps From Google Play in 2022

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cloud Security

Cloud Disaster Recovery - Ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility