
eval your Docker images.
Reproducible, audited, signed.

eval.build rebuilds your existing Docker images in a hermetic, content-addressed sandbox — so you get bit-for-bit reproducibility, a complete SBOM, and continuous CVE auditing. Same Dockerfile. No new tooling to learn.

No Dockerfile changes · Hermetic sandbox · SLSA-grade provenance
Dockerfile (your input):

```dockerfile
FROM node:20-bookworm-slim
WORKDIR /app

RUN apt-get update \
 && apt-get install -y curl ca-certificates

COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

EXPOSE 3000
CMD ["node", "server.js"]
```
image.sbom.json (sha256:3f9a2b…) · ● verified

app:web@a3f2 · linux/amd64 · repro ✓
├─ node 20.11.1 (runtime)
├─ glibc 2.36-9+deb12u4 (system)
├─ ca-certificates 20230311 (system)
├─ openssl 3.0.13 (CVE-2024-0727)
├─ curl 8.5.0 (system)
├─ express 4.19.2 (npm)
├─ pino 9.0.0 (npm)
└─ + 142 more (resolved)

You wrote a Dockerfile. We rebuild it inside a hermetic, content-addressed sandbox, prove the output matches your original bit-for-bit, and ship you an OCI image with a complete bill of materials and live CVE tracking. No new build system to adopt. No changes to your Dockerfile.

Four steps. No Dockerfile changes.

From your existing build to a reproducible, audited OCI image — and we tell you when something doesn't match.

01

Parse

We turn your Dockerfile into a typed intermediate representation. Every instruction, every layer, every implicit assumption.

02

Translate

We resolve every step of your build to a content-addressed, hermetic graph — pinned versions, pinned sources, no implicit network.

03

Verify

We build both versions in a sandbox and diff their filesystems. If they don't match, we don't ship.

04

Audit

SBOM and CVE scan run on every build. New vulnerabilities trigger automatic re-scans against your shipped images.

Reproducible. Auditable. Continuously safe.

The three properties Docker doesn't give you, without giving up the Dockerfile you already wrote.

Reproducible

Bit-for-bit identical outputs across machines and time. Same input, same hash, forever.

$ cmp image.tar rebuild.tar → no differing bytes
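The "Verify" step above and the bit-for-bit claim here both come down to one check: compare the original build's filesystem with the sandbox rebuild, attribute by attribute, and refuse to ship on any mismatch. The following is an added example of that comparison over two rootfs tarballs (not eval.build's own code); the `make_tar` helper and all sample file contents are constructed here for illustration.

```python
import hashlib
import io
import tarfile


def _fingerprint(tar, member):
    """Every attribute that must match for two entries to be identical."""
    content = tar.extractfile(member).read() if member.isfile() else b""
    return {
        "type": member.type, "mode": member.mode, "uid": member.uid,
        "gid": member.gid, "size": member.size, "mtime": member.mtime,
        "linkname": member.linkname,
        "sha256": hashlib.sha256(content).hexdigest(),
    }


def diff_rootfs_tars(original: bytes, rebuild: bytes) -> list:
    """Compare two rootfs tarballs entry by entry.

    Returns (path, field, original_value, rebuild_value) tuples; an empty
    list means the rebuild is bit-for-bit identical, i.e. reproducible.
    """
    sides = []
    for blob in (original, rebuild):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            sides.append({m.name: _fingerprint(tar, m) for m in tar})
    left, right = sides
    findings = []
    for path in sorted(set(left) | set(right)):
        if path not in right:
            findings.append((path, "missing-in-rebuild", None, None))
        elif path not in left:
            findings.append((path, "extra-in-rebuild", None, None))
        else:
            for field, value in left[path].items():
                if value != right[path][field]:
                    findings.append((path, field, value, right[path][field]))
    return findings


def make_tar(files: dict, mtime: int) -> bytes:
    """Build a tiny in-memory rootfs tar (constructed sample, not a real image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size, info.mtime, info.mode = len(data), mtime, 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Two archives with identical contents but different `mtime` values show up as findings rather than as a match, which is exactly the kind of timestamp leak that makes an otherwise deterministic build non-reproducible.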

Auditable

Complete SBOM, including system packages and language deps, with exact provenance for every byte.

SPDX 2.3 · CycloneDX 1.5 · in-toto attestations

Continuously safe

Every image is rescanned against new CVE disclosures. You hear about vulns from us before you hear about them from your security team.

webhook · email · slack · syft-compatible

How we compare.

Chainguard and apko make a different tradeoff than we do. Here's the honest version.

                         Your current Docker build   Chainguard-style rewrite   eval.build
Reproducible builds      no                          yes                        yes
Full SBOM                partial                     yes                        yes
Keep your Dockerfile     yes                         no                         yes
Continuous CVE rescans   no                          partial                    yes
Learning curve           none                        steep                      none
The middle column is a fine choice: if you can adopt apko or Chainguard's base images, do it. eval.build is for the case where you can't, won't, or already have 40 Dockerfiles you don't want to rewrite.

Questions we expect.

Does this work with multi-stage builds?
Yes. Each stage becomes its own hermetic build node, and we preserve the dependency graph between them. COPY --from=builder works exactly as you expect: artifacts flow from the upstream node's pinned output, not from a rebuild.
What if my Dockerfile does something weird in a RUN line?
Most weirdness is handled — sed-ing config files, conditional apt installs, downloading static binaries. For the rest we flag the translation as low-confidence and surface a side-by-side review before the image ships. You can approve, edit, or fall back to running the original layer verbatim inside the sandbox.
How is this different from Chainguard or apko?
Same goals, different tradeoff. Chainguard and apko are excellent if you're willing to rewrite your packaging into their YAML and adopt their base images. eval.build keeps your Dockerfile as the source of truth — you don't migrate, you don't learn a new format, and you can leave anytime by simply continuing to use the Dockerfile you already have.
Can I self-host?
Eventually. The plan is to run hosted first, then offer self-hosted for teams that need it for compliance reasons. If that's you, ping us when you join the waitlist.
What does it cost?
TBD. We're not charging yet, and we won't until the product is ready to be paid for. Pricing will likely be per-build or per-image with a generous free tier for solo developers and OSS projects. Join the waitlist and we'll loop you in before billing turns on.