Add SSH known hosts support for git sources

Copilot · cpuguy83 · commit fcd3fe484e9f · 2025-09-08T16:34:39.000-07:00
Signed-off-by: Brian Goff &lt;cpuguy83@gmail.com&gt;
diff --git a/docs/spec.schema.json b/docs/spec.schema.json
@@ -1680,6 +1680,12 @@
 						"boolean"
 					]
 				},
+				"sshKnownHosts": {
+					"type": [
+						"string",
+						"null"
+					]
+				},
 				"url": {
 					"type": [
 						"string"
diff --git a/source_git.go b/source_git.go
@@ -12,10 +12,11 @@ import (
 )
 
 type SourceGit struct {
-	URL        string  `yaml:"url" json:"url"`
-	Commit     string  `yaml:"commit" json:"commit"`
-	KeepGitDir bool    `yaml:"keepGitDir,omitempty" json:"keepGitDir,omitempty"`
-	Auth       GitAuth `yaml:"auth,omitempty" json:"auth,omitempty"`
+	URL           string  `yaml:"url" json:"url"`
+	Commit        string  `yaml:"commit" json:"commit"`
+	KeepGitDir    bool    `yaml:"keepGitDir,omitempty" json:"keepGitDir,omitempty"`
+	Auth          GitAuth `yaml:"auth,omitempty" json:"auth,omitempty"`
+	SSHKnownHosts string  `yaml:"sshKnownHosts,omitempty" json:"sshKnownHosts,omitempty"`
 }
 
 type GitAuth struct {
@@ -116,6 +117,10 @@ func (src *SourceGit) baseState(opts fetchOptions) llb.State {
 	gOpts = append(gOpts, WithConstraints(opts.Constraints...))
 	gOpts = append(gOpts, &src.Auth)
 
+	if src.SSHKnownHosts != "" {
+		gOpts = append(gOpts, llb.KnownSSHHosts(src.SSHKnownHosts))
+	}
+
 	return llb.Git(src.URL, src.Commit, gOpts...)
 }
 
@@ -156,7 +161,8 @@ func (src *SourceGit) processBuildArgs(lex *shell.Lex, args map[string]string, a
 	if err != nil {
 		errs = append(errs, err)
 	}
-	if len(errs) > 1 {
+
+	if len(errs) > 0 {
 		return fmt.Errorf("failed to process build args for git source: %w", stderrors.Join(errs...))
 	}
 	return nil
diff --git a/source_test.go b/source_test.go
@@ -97,6 +97,20 @@ func TestSourceGitSSH(t *testing.T) {
 		checkGitOp(t, ops, &src)
 	})
 
+	t.Run("with known hosts", func(t *testing.T) {
+		knownHosts := "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7"
+		src := Source{
+			Git: &SourceGit{
+				URL:           fmt.Sprintf("user@%s:test.git", addr),
+				Commit:        t.Name(),
+				SSHKnownHosts: knownHosts,
+			},
+		}
+
+		ops := getSourceOp(ctx, t, src)
+		checkGitOp(t, ops, &src)
+	})
+
 }
 
 func TestSourceGitHTTP(t *testing.T) {
@@ -1061,6 +1075,18 @@ func checkGitOp(t *testing.T, ops []*pb.Op, src *Source) {
 		}
 		assert.Check(t, cmp.Equal(op.Attrs["git.mountsshsock"], ssh), op)
 	}
+
+	// Check known hosts if set
+	if src.Git.SSHKnownHosts != "" {
+		// BuildKit's KnownSSHHosts option may add formatting like newlines
+		actualKnownHosts := op.Attrs["git.knownsshhosts"]
+		expectedKnownHosts := src.Git.SSHKnownHosts
+
+		// Remove trailing whitespace for comparison since BuildKit may add formatting
+		actualTrimmed := strings.TrimSpace(actualKnownHosts)
+		expectedTrimmed := strings.TrimSpace(expectedKnownHosts)
+		assert.Check(t, cmp.Equal(actualTrimmed, expectedTrimmed), "Expected: %q, Got: %q", expectedKnownHosts, actualKnownHosts)
+	}
 }
 
 func checkGitAuth(t *testing.T, m map[string]*pb.Op, ops []*pb.Op, src *Source, expectedNumSecrets, expectedNumSSH int) {
diff --git a/website/docs/sources.md b/website/docs/sources.md
@@ -95,6 +95,28 @@ git auth section (shown below with default values):
 Note: These are secret names which are used to reference the secrets provided
 by the client, not the actual secret values.
 
+#### SSH Known Hosts
+
+For SSH-based git URLs, you can specify known SSH host keys to improve security
+and avoid Trust-On-First-Use (TOFU) behavior. When known hosts are provided,
+the SSH connection will verify the host key against the specified keys and fail
+if they don't match.
+
+```yaml
+  someSource1:
+    git:
+      url: git@github.com:myOrg/myRepo.git
+      commit: 1234567890abcdef
+      sshKnownHosts: |
+        github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7vbqbLJofwIHMHnSVPP0k+aLU6X5OtN6a1r9K4kS...
+        github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+```
+
+When known hosts are not specified, BuildKit will use Trust-On-First-Use (TOFU)
+behavior, where it will connect to the SSH server, retrieve the host key, and 
+use that for the connection. Specifying known hosts avoids this extra connection
+and provides better security by ensuring you're connecting to the expected server.
+
 ### HTTP
 
 HTTP sources fetch a file from an HTTP URL. The HTTP source type is considered to be a "file" source.
