Docker Buildx extends build capabilities with multi-architecture support, advanced caching, build secrets, and supply chain attestations. Master the vocabulary for QEMU emulation, registry cache, and SLSA provenance in modern CI/CD pipelines.
0 / 5 completed
1 / 5
A developer runs docker buildx build --platform linux/amd64,linux/arm64 .. What does Buildx enable that the standard docker build command cannot?
Docker Buildx is a CLI plugin that extends docker build with BuildKit capabilities, most notably multi-platform image builds. A single buildx build command can produce images for multiple architectures (amd64, arm64, arm/v7, etc.) and push them as a multi-arch manifest to a registry — something standard docker build cannot do natively.
2 / 5
Building a linux/arm64 image on an amd64 host requires QEMU emulation. Which Buildx feature enables this?
To build for a foreign architecture, Buildx uses QEMU user-mode emulation. The tonistiigi/binfmt image registers QEMU binary format handlers with the Linux kernel (binfmt_misc), allowing the kernel to transparently execute ARM64 binaries on an AMD64 host during the build process.
3 / 5
A Dockerfile uses RUN --mount=type=secret,id=npmrc,target=/root/.npmrc. What do Buildx build secrets provide?
Buildx build secrets (--mount=type=secret) provide temporary access to sensitive data (tokens, credentials) during a specific RUN step. The secret is never written to any image layer — it exists only in memory during that step. This prevents credentials from being inadvertently exposed in image history.
4 / 5
A CI pipeline uses --cache-from type=registry,ref=myrepo/myimage:cache in a Buildx command. What does this registry cache accomplish?
Buildx's registry cache mode (type=registry) stores BuildKit layer cache metadata and blobs directly in a container registry. Subsequent builds can import this cache with --cache-from, restoring unchanged layers without rebuilding them — dramatically speeding up CI builds even on fresh runners with no local cache.
5 / 5
A Buildx build is pushed with --sbom=true --provenance=true. What are attestations in this context?
Attestations are in-toto/SLSA metadata documents attached to image manifests in the registry. --sbom=true attaches a Software Bill of Materials (listing all packages in the image); --provenance=true attaches a build provenance record (Git commit, build inputs, Buildx version). Together they enable supply chain security verification.