{"id":13451546,"url":"https://github.com/docker/buildx","last_synced_at":"2026-04-02T13:47:49.104Z","repository":{"id":37318596,"uuid":"177210627","full_name":"docker/buildx","owner":"docker","description":"Docker CLI plugin for extended build capabilities with BuildKit","archived":false,"fork":false,"pushed_at":"2025-09-03T07:50:10.000Z","size":48629,"stargazers_count":4061,"open_issues_count":451,"forks_count":572,"subscribers_count":65,"default_branch":"master","last_synced_at":"2025-09-03T09:28:22.416Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/docker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-03-22T21:20:07.000Z","updated_at":"2025-09-03T07:50:15.000Z","dependencies_parsed_at":"2023-10-02T08:30:57.165Z","dependency_job_id":"365e0304-a109-468b-9985-eb5091bd6fd4","html_url":"https://github.com/docker/buildx","commit_stats":{"total_commits":1626,"total_committers":109,"mean_commits":"14.917431192660551","dds":0.6814268142681427,"last_synced_commit":"1de332530f6c21e69ddf8577fbc7adcf0ae7c723"},"previous_names":[],"tags_count":107,"template":false,"template_full_name":null,"purl":"pkg:github/docker/buildx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fbuildx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fbuildx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fbuildx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fbuildx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/docker","download_url":"https://codeload.github.com/docker/buildx/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker%2Fbuildx/sbom","scorecard":{"id":349196,"data":{"date":"2025-08-11","repo":{"name":"github.com/docker/buildx","commit":"10605b8c350fe40bb086dcca502cce4ab6370dc4"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":7.2,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: .github/SECURITY.md:1","Info: Found linked content: .github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/SECURITY.md:1","Info: Found text in security policy: .github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:324","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build.yml:508","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:478","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:26","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:27","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/docs-release.yml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:24","Info: jobLevel 'contents' permission set to 'read': .github/workflows/pr-assign-author.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/docs-release.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/docs-upstream.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/e2e.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/pr-assign-author.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/validate.yml:10"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":5,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'master'","Info: 'force pushes' disabled on branch 'master'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'master'","Warn: 'stale review dismissal' is disabled on branch 'master'","Warn: required approving review count is 1 on branch 'master'","Info: codeowner review is required on branch 'master'","Warn: 'last push approval' is disabled on branch 'master'","Info: status check found to merge onto on branch 'master'","Info: PRs are required in order to make changes on branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.26.1 not signed: https://api.github.com/repos/docker/buildx/releases/234295988","Warn: release artifact v0.26.0 not signed: https://api.github.com/repos/docker/buildx/releases/233957332","Warn: release artifact v0.26.0-rc1 not signed: https://api.github.com/repos/docker/buildx/releases/232616921","Warn: release artifact v0.25.0 not signed: https://api.github.com/repos/docker/buildx/releases/225958969","Warn: release artifact v0.26.1 does not have provenance: https://api.github.com/repos/docker/buildx/releases/234295988","Warn: release artifact v0.26.0 does not have provenance: https://api.github.com/repos/docker/buildx/releases/233957332","Warn: release artifact v0.26.0-rc1 does not have provenance: https://api.github.com/repos/docker/buildx/releases/232616921","Warn: release artifact v0.25.0 does not have provenance: https://api.github.com/repos/docker/buildx/releases/225958969"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3829"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:194: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:197: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:232: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:277: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:280: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:311: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:486: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:500: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:139: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:155: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:170: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:330: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:337: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:345: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:356: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:383: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:386: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:389: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:404: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:428: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:431: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:434: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:442: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:454: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:460: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:516: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:519: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-release.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/docs-release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs-release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/docs-release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs-release.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/docs-release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs-upstream.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/docs-upstream.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs-upstream.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/docs-upstream.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-upstream.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/docs-upstream.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs-upstream.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/docs-upstream.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:121: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:217: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:220: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:230: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:233: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:244: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:250: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/e2e.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/labeler.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/labeler.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/validate.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/validate.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/validate.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/validate.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/validate.yml:106: update your workflow using https://app.stepsecurity.io/secureworkflow/docker/buildx/validate.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:18","Warn: containerImage not pinned by hash: Dockerfile:19","Warn: containerImage not pinned by hash: Dockerfile:20","Warn: containerImage not pinned by hash: Dockerfile:21","Warn: containerImage not pinned by hash: Dockerfile:22","Warn: containerImage not pinned by hash: Dockerfile:23","Warn: containerImage not pinned by hash: Dockerfile:24","Warn: containerImage not pinned by hash: Dockerfile:25","Warn: containerImage not pinned by hash: Dockerfile:26","Warn: containerImage not pinned by hash: Dockerfile:27","Warn: containerImage not pinned by hash: Dockerfile:28","Warn: containerImage not pinned by hash: Dockerfile:29","Warn: containerImage not pinned by hash: Dockerfile:31","Warn: containerImage not pinned by hash: Dockerfile:38","Warn: containerImage not pinned by hash: Dockerfile:71","Warn: containerImage not pinned by hash: Dockerfile:79","Warn: containerImage not pinned by hash: Dockerfile:93","Warn: containerImage not pinned by hash: Dockerfile:116","Warn: containerImage not pinned by hash: Dockerfile:120","Warn: containerImage not pinned by hash: Dockerfile:148","Warn: containerImage not pinned by hash: Dockerfile:152","Warn: containerImage not pinned by hash: Dockerfile:166","Warn: containerImage not pinned by hash: Dockerfile:167","Warn: containerImage not pinned by hash: Dockerfile:179","Warn: containerImage not pinned by hash: hack/demo-env/examples/compose/Dockerfile:1: pin your Docker image by updating alpine:3.8 to alpine:3.8@sha256:2bb501e6173d9d006e56de5bce2720eb06396803300fe1687b58a7ff32bf4c14","Warn: containerImage not pinned by hash: hack/demo-env/examples/compose/Dockerfile.webapp:1: pin your Docker image by updating alpine:3.8 to alpine:3.8@sha256:2bb501e6173d9d006e56de5bce2720eb06396803300fe1687b58a7ff32bf4c14","Warn: containerImage not pinned by hash: hack/demo-env/examples/simple1/Dockerfile:1: pin your Docker image by updating alpine to alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Warn: containerImage not pinned by hash: hack/dockerfiles/authors.Dockerfile:5","Warn: containerImage not pinned by hash: hack/dockerfiles/authors.Dockerfile:24","Warn: containerImage not pinned by hash: hack/dockerfiles/docs.Dockerfile:8","Warn: containerImage not pinned by hash: hack/dockerfiles/docs.Dockerfile:14","Warn: containerImage not pinned by hash: hack/dockerfiles/docs.Dockerfile:33","Warn: containerImage not pinned by hash: hack/dockerfiles/govulncheck.Dockerfile:9","Warn: containerImage not pinned by hash: hack/dockerfiles/govulncheck.Dockerfile:17","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:13","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:15","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:18","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:28","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:30","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:40","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:46","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:50","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:78","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:94","Warn: containerImage not pinned by hash: hack/dockerfiles/lint.Dockerfile:115","Warn: containerImage not pinned by hash: hack/dockerfiles/vendor.Dockerfile:8","Warn: containerImage not pinned by hash: hack/dockerfiles/vendor.Dockerfile:12","Warn: containerImage not pinned by hash: hack/dockerfiles/vendor.Dockerfile:27","Warn: containerImage not pinned by hash: hack/dockerfiles/vendor.Dockerfile:42","Warn: containerImage not pinned by hash: hack/dockerfiles/vendor.Dockerfile:43","Warn: goCommand not pinned by hash: Dockerfile:44-50","Warn: downloadThenRun not pinned by hash: hack/dockerfiles/lint.Dockerfile:35","Warn: goCommand not pinned by hash: vendor/github.com/agext/levenshtein/test.sh:5","Warn: goCommand not pinned by hash: vendor/github.com/json-iterator/go/build.sh:10","Warn: goCommand not pinned by hash: vendor/github.com/pelletier/go-toml/benchmark.sh:10","Info:   0 out of  30 GitHub-owned GitHubAction dependencies pinned","Info:   8 out of  38 third-party GitHubAction dependencies pinned","Info:   0 out of   4 goCommand dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned","Info:   5 out of  55 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 23 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T07:53:20.595Z","repository_id":37318596,"created_at":"2025-08-18T07:53:20.595Z","updated_at":"2025-08-18T07:53:20.595Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274358448,"owners_count":25270679,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-09T02:00:10.223Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T07:00:55.632Z","updated_at":"2026-04-02T13:47:49.066Z","avatar_url":"https://github.com/docker.png","language":"Go","readme":"# Buildx\n\n[![GitHub release](https://img.shields.io/github/release/docker/buildx.svg?style=flat-square)](https://github.com/docker/buildx/releases/latest)\n[![PkgGoDev](https://img.shields.io/badge/go.dev-docs-007d9c?style=flat-square\u0026logo=go\u0026logoColor=white)](https://pkg.go.dev/github.com/docker/buildx)\n[![Build Status](https://img.shields.io/github/actions/workflow/status/docker/buildx/build.yml?branch=master\u0026label=build\u0026logo=github\u0026style=flat-square)](https://github.com/docker/buildx/actions?query=workflow%3Abuild)\n[![Go Report Card](https://goreportcard.com/badge/github.com/docker/buildx?style=flat-square)](https://goreportcard.com/report/github.com/docker/buildx)\n[![codecov](https://img.shields.io/codecov/c/github/docker/buildx?logo=codecov\u0026style=flat-square)](https://codecov.io/gh/docker/buildx)\n\nBuildx is a Docker CLI plugin for extended build capabilities with\n[BuildKit](https://github.com/moby/buildkit).\n\n\u003e [!TIP]\n\u003e **Key features**\n\u003e - Familiar UI from `docker build`\n\u003e - Full BuildKit capabilities with container driver\n\u003e - Multiple builder instance support\n\u003e - Multi-node builds for cross-platform images\n\u003e - Compose build support\n\u003e - High-level builds with [Bake](https://docs.docker.com/build/bake/)\n\u003e - In-container driver support (both Docker and Kubernetes)\n\n___\n\n- [Installing](#installing)\n  - [Windows and macOS](#windows-and-macos)\n  - [Linux packages](#linux-packages)\n  - [Manual download](#manual-download)\n  - [Dockerfile](#dockerfile)\n- [Building](#building)\n- [Getting started](#getting-started)\n  - [Building with Buildx](#building-with-buildx)\n  - [Working with builder instances](#working-with-builder-instances)\n  - [Building multi-platform images](#building-multi-platform-images)\n- [Reference](docs/reference/buildx.md)\n- [Contributing](#contributing)\n\n## Installing\n\nUsing Buildx with Docker requires Docker engine 19.03 or newer.\n\n\u003e [!WARNING]\n\u003e Using an incompatible version of Docker may result in unexpected behavior,\n\u003e and will likely cause issues, especially when using Buildx builders with more\n\u003e recent versions of BuildKit.\n\n### Windows and macOS\n\nDocker Buildx is included in [Docker Desktop](https://docs.docker.com/desktop/)\nfor Windows and macOS.\n\n### Linux packages\n\nDocker Engine package repositories contain Docker Buildx packages when installed according to the\n[Docker Engine install documentation](https://docs.docker.com/engine/install/). Install the\n`docker-buildx-plugin` package to install the Buildx plugin.\n\n### Manual download\n\n\u003e [!IMPORTANT]\n\u003e This section is for unattended installation of the Buildx component. These\n\u003e instructions are mostly suitable for testing purposes. We do not recommend\n\u003e installing Buildx using manual download in production environments as they\n\u003e will not be updated automatically with security updates.\n\u003e\n\u003e On Windows and macOS, we recommend that you install [Docker Desktop](https://docs.docker.com/desktop/)\n\u003e instead. For Linux, we recommend that you follow the [instructions specific for your distribution](#linux-packages).\n\nYou can also download the latest binary from the [GitHub releases page](https://github.com/docker/buildx/releases/latest).\n\nRename the relevant binary and copy it to the destination matching your OS:\n\n| OS      | Binary name         | Destination folder                  |\n|---------|---------------------|-------------------------------------|\n| Linux   | `docker-buildx`     | `$HOME/.docker/cli-plugins`         |\n| macOS   | `docker-buildx`     | `$HOME/.docker/cli-plugins`         |\n| Windows | `docker-buildx.exe` | `%USERPROFILE%\\.docker\\cli-plugins` |\n\nOr copy it into one of these folders for installing it system-wide.\n\nOn Unix environments:\n\n* `/usr/local/lib/docker/cli-plugins` OR `/usr/local/libexec/docker/cli-plugins`\n* `/usr/lib/docker/cli-plugins` OR `/usr/libexec/docker/cli-plugins`\n\nOn Windows:\n\n* `C:\\ProgramData\\Docker\\cli-plugins`\n* `C:\\Program Files\\Docker\\cli-plugins`\n\n\u003e [!NOTE]\n\u003e On Unix environments, it may also be necessary to make it executable with `chmod +x`:\n\u003e ```shell\n\u003e $ chmod +x ~/.docker/cli-plugins/docker-buildx\n\u003e ```\n\n### Dockerfile\n\nHere is how to install and use Buildx inside a Dockerfile through the\n[`docker/buildx-bin`](https://hub.docker.com/r/docker/buildx-bin) image:\n\n```dockerfile\n# syntax=docker/dockerfile:1\nFROM docker\nCOPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx\nRUN docker buildx version\n```\n\n## Building\n\n```console\n# Buildx 0.6+\n$ docker buildx bake \"https://github.com/docker/buildx.git\"\n$ mkdir -p ~/.docker/cli-plugins\n$ mv ./bin/build/buildx ~/.docker/cli-plugins/docker-buildx\n\n# Docker 19.03+\n$ DOCKER_BUILDKIT=1 docker build --platform=local -o . \"https://github.com/docker/buildx.git\"\n$ mkdir -p ~/.docker/cli-plugins\n$ mv buildx ~/.docker/cli-plugins/docker-buildx\n\n# Local\n$ git clone https://github.com/docker/buildx.git \u0026\u0026 cd buildx\n$ make install\n```\n\n## Getting started\n\n### Building with Buildx\n\nBuildx is a Docker CLI plugin that extends the `docker build` command with the\nfull support of the features provided by [Moby BuildKit](https://docs.docker.com/build/buildkit/)\nbuilder toolkit. It provides the same user experience as `docker build` with\nmany new features like creating scoped builder instances and building against\nmultiple nodes concurrently.\n\nAfter installation, Buildx can be accessed through the `docker buildx` command\nwith Docker 19.03. `docker buildx build` is the command for starting a new\nbuild. With Docker versions older than 19.03 Buildx binary can be called\ndirectly to access the `docker buildx` subcommands.\n\n```console\n$ docker buildx build .\n[+] Building 8.4s (23/32)\n =\u003e ...\n```\n\nBuildx will always build using the BuildKit engine and does not require\n`DOCKER_BUILDKIT=1` environment variable for starting builds.\n\nThe `docker buildx build` command supports features available for `docker build`,\nincluding features such as outputs configuration, inline build caching, and\nspecifying target platform. In addition, Buildx also supports new features that\nare not yet available for regular `docker build` like building manifest lists,\ndistributed caching, and exporting build results to OCI image tarballs.\n\nBuildx is flexible and can be run in different configurations that are exposed\nthrough various [drivers](https://docs.docker.com/build/builders/drivers/).\nEach driver defines how and where a build should run, and have different\nfeature sets.\n\nWe currently support the following drivers:\n- The `docker` driver ([manual](https://docs.docker.com/build/builders/drivers/docker/))\n- The `docker-container` driver ([manual](https://docs.docker.com/build/builders/drivers/docker-container/))\n- The `kubernetes` driver ([manual](https://docs.docker.com/build/drivers/kubernetes/))\n- The `remote` driver ([manual](https://docs.docker.com/build/builders/drivers/remote/))\n\nFor more information, see the [builders](https://docs.docker.com/build/builders/)\nand [drivers](https://docs.docker.com/build/builders/drivers/) guide.\n\n\u003e [!NOTE]\n\u003e For more information, see [Docker Build docs](https://docs.docker.com/build/concepts/overview/).\n\n### Working with builder instances\n\nBy default, Buildx will initially use the `docker` driver if it is supported,\nproviding a very similar user experience to the native `docker build`. Note that\nyou must use a local shared daemon to build your applications.\n\nBuildx allows you to create new instances of isolated builders. This can be\nused for getting a scoped environment for your CI builds that does not change\nthe state of the shared daemon or for isolating the builds for different\nprojects. You can create a new instance for a set of remote nodes, forming a\nbuild farm, and quickly switch between them.\n\nYou can create new instances using the [`docker buildx create`](docs/reference/buildx_create.md)\ncommand. This creates a new builder instance with a single node based on your\ncurrent configuration.\n\nTo use a remote node you can specify the `DOCKER_HOST` or the remote context name\nwhile creating the new builder. After creating a new instance, you can manage its\nlifecycle using the [`docker buildx inspect`](docs/reference/buildx_inspect.md),\n[`docker buildx stop`](docs/reference/buildx_stop.md), and\n[`docker buildx rm`](docs/reference/buildx_rm.md) commands. To list all\navailable builders, use [`docker buildx ls`](docs/reference/buildx_ls.md). After\ncreating a new builder you can also append new nodes to it.\n\nTo switch between different builders, use [`docker buildx use \u003cname\u003e`](docs/reference/buildx_use.md).\nAfter running this command, the build commands will automatically use this\nbuilder.\n\nDocker also features a [`docker context`](https://docs.docker.com/engine/reference/commandline/context/)\ncommand that can be used for giving names for remote Docker API endpoints.\nBuildx integrates with `docker context` so that all of your contexts\nautomatically get a default builder instance. While creating a new builder\ninstance or when adding a node to it, you can also set the context name as the\ntarget.\n\n\u003e [!NOTE]\n\u003e For more information, see [Builders docs](https://docs.docker.com/build/builders/).\n\n### Building multi-platform images\n\nBuildKit is designed to work well for building for multiple platforms and not\nonly for the architecture and operating system that the user invoking the build\nhappens to run.\n\nWhen you invoke a build, you can set the `--platform` flag to specify the target\nplatform for the build output, (for example, `linux/amd64`, `linux/arm64`, or\n`darwin/amd64`).\n\nWhen the current builder instance is backed by the `docker-container` or\n`kubernetes` driver, you can specify multiple platforms together. In this case,\nit builds a manifest list which contains images for all specified architectures.\nWhen you use this image in [`docker run`](https://docs.docker.com/reference/cli/docker/container/run/)\nor [`docker service`](https://docs.docker.com/reference/cli/docker/service/),\nDocker picks the correct image based on the node's platform.\n\nYou can build multi-platform images using three different strategies that are\nsupported by Buildx and Dockerfiles:\n\n1. Using the QEMU emulation support in the kernel\n2. Building on multiple native nodes using the same builder instance\n3. Using a stage in Dockerfile to cross-compile to different architectures\n\nQEMU is the easiest way to get started if your node already supports it (for\nexample. if you are using Docker Desktop). It requires no changes to your\nDockerfile and BuildKit automatically detects the secondary architectures that\nare available. When BuildKit needs to run a binary for a different architecture,\nit automatically loads it through a binary registered in the `binfmt_misc`\nhandler.\n\nFor QEMU binaries registered with `binfmt_misc` on the host OS to work\ntransparently inside containers they must be registered with the `fix_binary`\nflag. This requires a kernel \u003e= 4.8 and binfmt-support \u003e= 2.1.7. You can check\nfor proper registration by checking if `F` is among the flags in\n`/proc/sys/fs/binfmt_misc/qemu-*`. While Docker Desktop comes preconfigured\nwith `binfmt_misc` support for additional platforms, for other installations\nit likely needs to be installed using [`tonistiigi/binfmt`](https://github.com/tonistiigi/binfmt)\nimage.\n\n```console\n$ docker run --privileged --rm tonistiigi/binfmt --install all\n```\n\nUsing multiple native nodes provide better support for more complicated cases\nthat are not handled by QEMU and generally have better performance. You can\nadd additional nodes to the builder instance using the `--append` flag.\n\nAssuming contexts `node-amd64` and `node-arm64` exist in `docker context ls`;\n\n```console\n$ docker buildx create --use --name mybuild node-amd64\nmybuild\n$ docker buildx create --append --name mybuild node-arm64\n$ docker buildx build --platform linux/amd64,linux/arm64 .\n```\n\nFinally, depending on your project, the language that you use may have good\nsupport for cross-compilation. In that case, multi-stage builds in Dockerfiles\ncan be effectively used to build binaries for the platform specified with\n`--platform` using the native architecture of the build node. A list of build\narguments like `BUILDPLATFORM` and `TARGETPLATFORM` is available automatically\ninside your Dockerfile and can be leveraged by the processes running as part\nof your build.\n\n```dockerfile\n# syntax=docker/dockerfile:1\nFROM --platform=$BUILDPLATFORM golang:alpine AS build\nARG TARGETPLATFORM\nARG BUILDPLATFORM\nRUN echo \"I am running on $BUILDPLATFORM, building for $TARGETPLATFORM\" \u003e /log\nFROM alpine\nCOPY --from=build /log /log\n```\n\nYou can also use [`tonistiigi/xx`](https://github.com/tonistiigi/xx) Dockerfile\ncross-compilation helpers for more advanced use-cases.\n\n\u003e [!NOTE]\n\u003e For more information, see [Multi-platform builds docs](https://docs.docker.com/build/building/multi-platform/).\n\n## Contributing\n\nWant to contribute to Buildx? Awesome! You can find information about\ncontributing to this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md)\n","funding_links":[],"categories":["Go","others","Getting started","Build \u0026 Packaging Automation"],"sub_categories":["Prerequisites"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker%2Fbuildx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdocker%2Fbuildx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker%2Fbuildx/lists"}