@tinovyatkin tinovyatkin commented Jan 21, 2026

Summary

  • Add --source-policy-file flag to nerdctl build that passes through to buildctl build --source-policy-file
  • Support EXPERIMENTAL_BUILDKIT_SOURCE_POLICY environment variable for Docker Buildx compatibility
  • Flag takes precedence over env var when both are set

This enables BuildKit source policies for reproducible and policy-driven builds (pin base images to digests, deny/allow sources, enforce HTTP checksums) without modifying Dockerfiles.

Implementation Details

This is a minimal passthrough to BuildKit - nerdctl does not validate the policy file; BuildKit handles all validation and error messages.

Files changed:

  • pkg/api/types/builder_types.go: Added SourcePolicyFile field to BuilderBuildOptions
  • cmd/nerdctl/builder/builder_build.go: Added --source-policy-file flag and wiring
  • pkg/cmd/builder/build.go: Pass through to buildctl with env var fallback
  • pkg/cmd/builder/build_test.go: Unit tests for precedence logic
  • docs/command-reference.md: Documentation

Usage

# Using the flag
nerdctl build --source-policy-file ./policy.json -t myimg:dev .

# Using the env var (Buildx compatibility)
export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=./policy.json
nerdctl build -t myimg:dev .

Test plan

  • Unit tests for source policy file precedence logic pass
  • Build compiles successfully
  • Manual testing with actual BuildKit source policy

References

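The description above lists what a source policy can do (pin a base image to a digest, deny or allow sources, enforce an HTTP checksum) and states the flag-over-env-var precedence, but the thread does not show a policy file. The Go program below is an added example written for this page; it is not code from the nerdctl PR or from BuildKit. It re-declares only the fields of the policy JSON schema documented in moby/buildkit's docs/build-repro.md (`rules`, `action`, `selector.identifier`, `selector.match_type`, `updates.identifier`, `updates.attrs`) rather than importing the `sourcepolicy/pb` package, writes a sample policy with all three rule kinds, and re-implements the stated precedence in `resolveSourcePolicyPath` with an injected env lookup so it can be tested. The image tag, the URL `https://example.com/tool.tar.gz`, the all-zero digests and the `http.checksum` value are placeholders, not real artifacts. `loadPolicy` is a pre-flight check the PR says nerdctl deliberately does not perform; BuildKit remains the authority on what the rules mean.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Minimal re-declaration of the BuildKit source-policy JSON schema from docs/build-repro.md; not an import of sourcepolicy/pb.
type Policy struct {
	Rules []Rule `json:"rules"`
}
type Rule struct {
	Action   string   `json:"action"`            // ALLOW, DENY or CONVERT
	Selector Selector `json:"selector"`
	Updates  *Update  `json:"updates,omitempty"` // only meaningful for CONVERT
}
type Selector struct {
	Identifier string `json:"identifier"`
	MatchType  string `json:"match_type,omitempty"` // WILDCARD, EXACT or REGEX
}
type Update struct {
	Identifier string            `json:"identifier,omitempty"`
	Attrs      map[string]string `json:"attrs,omitempty"`
}

const envSourcePolicy = "EXPERIMENTAL_BUILDKIT_SOURCE_POLICY"
var placeholderDigest = strings.Repeat("0", 64) // placeholder, stands in for a real sha256 hex digest

// resolveSourcePolicyPath applies the precedence the PR states: the --source-policy-file flag
// wins, then the Buildx-compatible env var, else no policy. lookupEnv is injected for testing.
func resolveSourcePolicyPath(flagValue string, lookupEnv func(string) (string, bool)) string {
	if flagValue != "" {
		return flagValue
	}
	if v, ok := lookupEnv(envSourcePolicy); ok && v != "" {
		return v
	}
	return ""
}

// pinnedPolicy is a constructed sample covering the three uses the PR lists: pin a base-image
// tag to a digest, enforce an HTTP checksum, deny a source. Image, URL and digests are placeholders.
func pinnedPolicy() Policy {
	return Policy{Rules: []Rule{
		{Action: "CONVERT",
			Selector: Selector{Identifier: "docker-image://docker.io/library/alpine:3.20", MatchType: "EXACT"},
			Updates:  &Update{Identifier: "docker-image://docker.io/library/alpine:3.20@sha256:" + placeholderDigest}},
		{Action: "CONVERT",
			Selector: Selector{Identifier: "https://example.com/tool.tar.gz", MatchType: "EXACT"},
			Updates:  &Update{Attrs: map[string]string{"http.checksum": "sha256:" + placeholderDigest}}},
		{Action: "DENY",
			Selector: Selector{Identifier: "docker-image://docker.io/library/*:latest", MatchType: "WILDCARD"}},
	}}
}

func writePolicy(path string, pol Policy) error {
	data, err := json.MarshalIndent(pol, "", "  ")
	if err != nil {
		return err
	}
	return os.WriteFile(path, data, 0o644)
}

// loadPolicy is the pre-flight check nerdctl deliberately skips: the file must be readable, parse
// as a policy, and every rule needs a known action. BuildKit stays the authority on semantics.
func loadPolicy(path string) (pol Policy, err error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return pol, fmt.Errorf("source policy: %w", err)
	}
	if err := json.Unmarshal(data, &pol); err != nil {
		return pol, fmt.Errorf("source policy %s: invalid JSON: %w", path, err)
	}
	for i, r := range pol.Rules {
		switch r.Action {
		case "ALLOW", "DENY", "CONVERT":
		default:
			return pol, fmt.Errorf("source policy %s: rule %d: unknown action %q", path, i, r.Action)
		}
	}
	return pol, nil
}

func main() {
	path := filepath.Join(os.TempDir(), "policy.json")
	if err := writePolicy(path, pinnedPolicy()); err != nil {
		panic(err)
	}
	if _, err := loadPolicy(path); err != nil {
		panic(err)
	}
	// The flag wins even when the env var is set; the env var applies only when the flag is empty.
	envSet := func(string) (string, bool) { return "/from/env.json", true }
	fmt.Println("buildctl build --source-policy-file", resolveSourcePolicyPath(path, envSet))
	fmt.Println("buildctl build --source-policy-file", resolveSourcePolicyPath("", envSet))
}
```

Running it writes the sample policy to a temp directory and prints the buildctl invocation once with the flag winning and once with the env var used as fallback. The same file can be handed to `nerdctl build --source-policy-file policy.json -t myimg:dev .` as shown in the Usage section; because nerdctl only passes the path through, a malformed file is reported by BuildKit at build time, which is why a local check like `loadPolicy` is worth running first in CI.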
@tinovyatkin tinovyatkin force-pushed the feature/source-policy-file branch 2 times, most recently from cb73880 to 7d20f9e on January 21, 2026 11:30
Add support for BuildKit source policies via `nerdctl build --source-policy-file`.
This enables reproducible and policy-driven builds (pin base images to digests,
deny/allow sources, enforce HTTP checksums) without modifying Dockerfiles.

The implementation:
- Adds --source-policy-file flag that passes through to buildctl
- Supports EXPERIMENTAL_BUILDKIT_SOURCE_POLICY env var for Docker Buildx compatibility
- Flag takes precedence over env var when both are set

This is a minimal passthrough to BuildKit - nerdctl does not validate the policy
file; BuildKit handles all validation and error messages.

See: https://github.com/moby/buildkit/blob/master/docs/build-repro.md

Signed-off-by: Konstantin Vyatkin <tino@vtkn.io>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@tinovyatkin tinovyatkin force-pushed the feature/source-policy-file branch from 7d20f9e to b98ae8b on January 21, 2026 13:07
@tinovyatkin tinovyatkin marked this pull request as ready for review January 21, 2026 13:49