--platform on FROM does not match what the registry provides.
| Property | Value |
|---|---|
| Severity | Error |
| Category | Correctness |
| Default | Enabled |
| Requires | --slow-checks=on (registry queries) |
Description
When a FROM instruction uses an explicit --platform flag, this rule queries the
container registry to verify that the requested platform is actually available for the
specified image. This catches provable mismatches before they fail at build time.
Unlike buildkit/InvalidBaseImagePlatform, this rule:
- Only fires when --platform is explicitly set on the FROM instruction
- Never compares against the host platform, so results are deterministic across machines
- Skips automatic build args ($BUILDPLATFORM, $TARGETPLATFORM, etc.), which are dynamic
When it fires
| Scenario | Result |
|---|---|
| FROM --platform=linux/arm64 image:tag and registry has linux/arm64 | No violation |
| FROM --platform=linux/arm64 image:tag and registry does NOT have linux/arm64 | Violation |
| FROM image:tag (no --platform) | No violation |
| FROM --platform=$BUILDPLATFORM image:tag | No violation (dynamic) |
| FROM --platform=$TARGETPLATFORM image:tag | No violation (dynamic) |
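
The decision table above, sketched as an added example (this is not the rule's own implementation). The image name example/app:1.0, the trimmed image index, and the lookup callable are assumptions standing in for a real registry query; platforms are compared as exact os/arch[/variant] strings, with no alias normalization.

```python
import json
import re

# Constructed image index for a hypothetical image, trimmed to the fields used.
SAMPLE_INDEX = json.loads("""{"schemaVersion": 2, "manifests": [
  {"platform": {"architecture": "amd64", "os": "linux"}},
  {"platform": {"architecture": "arm", "os": "linux", "variant": "v7"}},
  {"platform": {"architecture": "unknown", "os": "unknown"}}]}""")

# Constructed Dockerfile covering the rows of the table above.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/arm64 example/app:1.0 AS a
FROM --platform=linux/amd64 example/app:1.0 AS b
FROM example/app:1.0 AS c
FROM --platform=$BUILDPLATFORM example/app:1.0 AS d
FROM --platform=linux/arm/v7 example/app:1.0 AS e
"""

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=(?P<platform>\S+)\s+)?(?P<image>\S+)", re.IGNORECASE)


def available_platforms(index):
    """Return the os/arch[/variant] strings an image index offers."""
    found = set()
    for manifest in index.get("manifests", []):
        p = manifest.get("platform") or {}
        if p.get("os", "unknown") == "unknown":
            continue  # e.g. attestation entries, not runnable images
        parts = [p["os"], p["architecture"]]
        if p.get("variant"):
            parts.append(p["variant"])
        found.add("/".join(parts))
    return found


def check_dockerfile(text, lookup):
    """Return (line, platform, image) per mismatch; lookup is hypothetical."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m or not m.group("platform"):
            continue  # no explicit --platform: nothing to compare
        platform = m.group("platform")
        if "$" in platform:
            continue  # $BUILDPLATFORM, $TARGETPLATFORM etc. are dynamic
        if platform.lower() not in available_platforms(lookup(m.group("image"))):
            findings.append((number, platform, m.group("image")))
    return findings
```

Only line 1 of the constructed Dockerfile is reported: linux/arm64 is explicit, constant, and absent from the index.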
Examples
Bad
Good
Relationship to other rules
- buildkit/InvalidBaseImagePlatform (default: Off) — the BuildKit rule compares against the host platform even without --platform, producing non-deterministic results. This rule supersedes it with a stricter, deterministic approach.
- buildkit/FromPlatformFlagConstDisallowed (default: Off) — the BuildKit rule warns on any constant --platform value. This is too strict: hardcoded --platform is legitimate for ARM-only services, Windows containers, and cross-compilation. The new rule validates the platform against the registry instead of discouraging it.