Merge pull request #2867 from crazy-max/v0.19_backport_entitlement-path-fix

[v0.19 backport] bake: change evaluation of entitlement paths

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 ARG GO_VERSION=1.23
-ARG XX_VERSION=1.5.0
+ARG XX_VERSION=1.6.1
 
 # for testing
 ARG DOCKER_VERSION=27.4.0-rc.2

bake/bake.go

@@ -193,7 +193,7 @@ func ListTargets(files []File) ([]string, error) {
 	return dedupSlice(targets), nil
 }
 
-func ReadTargets(ctx context.Context, files []File, targets, overrides []string, defaults map[string]string) (map[string]*Target, map[string]*Group, error) {
+func ReadTargets(ctx context.Context, files []File, targets, overrides []string, defaults map[string]string, ent *EntitlementConf) (map[string]*Target, map[string]*Group, error) {
 	c, _, err := ParseFiles(files, defaults)
 	if err != nil {
 		return nil, nil, err
@@ -212,7 +212,7 @@ func ReadTargets(ctx context.Context, files []File, targets, overrides []string,
 	for _, target := range targets {
 		ts, gs := c.ResolveGroup(target)
 		for _, tname := range ts {
-			t, err := c.ResolveTarget(tname, o)
+			t, err := c.ResolveTarget(tname, o, ent)
 			if err != nil {
 				return nil, nil, err
 			}
@@ -244,7 +244,7 @@ func ReadTargets(ctx context.Context, files []File, targets, overrides []string,
 	}
 
 	for name, t := range m {
-		if err := c.loadLinks(name, t, m, o, nil); err != nil {
+		if err := c.loadLinks(name, t, m, o, nil, ent); err != nil {
 			return nil, nil, err
 		}
 	}
@@ -476,7 +476,7 @@ func (c Config) expandTargets(pattern string) ([]string, error) {
 	return names, nil
 }
 
-func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[string]map[string]Override, visited []string) error {
+func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[string]map[string]Override, visited []string, ent *EntitlementConf) error {
 	visited = append(visited, name)
 	for _, v := range t.Contexts {
 		if strings.HasPrefix(v, "target:") {
@@ -492,7 +492,7 @@ func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[st
 			t2, ok := m[target]
 			if !ok {
 				var err error
-				t2, err = c.ResolveTarget(target, o)
+				t2, err = c.ResolveTarget(target, o, ent)
 				if err != nil {
 					return err
 				}
@@ -500,7 +500,7 @@ func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[st
 				t2.linked = true
 				m[target] = t2
 			}
-			if err := c.loadLinks(target, t2, m, o, visited); err != nil {
+			if err := c.loadLinks(target, t2, m, o, visited, ent); err != nil {
 				return err
 			}
 
@@ -627,8 +627,8 @@ func (c Config) group(name string, visited map[string]visit) ([]string, []string
 	return targets, groups
 }
 
-func (c Config) ResolveTarget(name string, overrides map[string]map[string]Override) (*Target, error) {
+func (c Config) ResolveTarget(name string, overrides map[string]map[string]Override, ent *EntitlementConf) (*Target, error) {
-	t, err := c.target(name, map[string]*Target{}, overrides)
+	t, err := c.target(name, map[string]*Target{}, overrides, ent)
 	if err != nil {
 		return nil, err
 	}
@@ -644,7 +644,7 @@ func (c Config) ResolveTarget(name string, overrides map[string]map[string]Overr
 	return t, nil
 }
 
-func (c Config) target(name string, visited map[string]*Target, overrides map[string]map[string]Override) (*Target, error) {
+func (c Config) target(name string, visited map[string]*Target, overrides map[string]map[string]Override, ent *EntitlementConf) (*Target, error) {
 	if t, ok := visited[name]; ok {
 		return t, nil
 	}
@@ -661,7 +661,7 @@ func (c Config) target(name string, visited map[string]*Target, overrides map[st
 	}
 	tt := &Target{}
 	for _, name := range t.Inherits {
-		t, err := c.target(name, visited, overrides)
+		t, err := c.target(name, visited, overrides, ent)
 		if err != nil {
 			return nil, err
 		}
@@ -673,7 +673,7 @@ func (c Config) target(name string, visited map[string]*Target, overrides map[st
 	m.Merge(tt)
 	m.Merge(t)
 	tt = m
-	if err := tt.AddOverrides(overrides[name]); err != nil {
+	if err := tt.AddOverrides(overrides[name], ent); err != nil {
 		return nil, err
 	}
 	tt.normalize()
@@ -856,7 +856,7 @@ func (t *Target) Merge(t2 *Target) {
 	t.Inherits = append(t.Inherits, t2.Inherits...)
 }
 
-func (t *Target) AddOverrides(overrides map[string]Override) error {
+func (t *Target) AddOverrides(overrides map[string]Override, ent *EntitlementConf) error {
 	for key, o := range overrides {
 		value := o.Value
 		keys := strings.SplitN(key, ".", 2)
@@ -893,22 +893,76 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.Tags = o.ArrValue
 		case "cache-from":
 			t.CacheFrom = o.ArrValue
+			cacheFrom, err := buildflags.ParseCacheEntry(o.ArrValue)
+			if err != nil {
+				return err
+			}
+			for _, c := range cacheFrom {
+				if c.Type == "local" {
+					if v, ok := c.Attrs["src"]; ok {
+						ent.FSRead = append(ent.FSRead, v)
+					}
+				}
+			}
 		case "cache-to":
 			t.CacheTo = o.ArrValue
+			cacheTo, err := buildflags.ParseCacheEntry(o.ArrValue)
+			if err != nil {
+				return err
+			}
+			for _, c := range cacheTo {
+				if c.Type == "local" {
+					if v, ok := c.Attrs["dest"]; ok {
+						ent.FSWrite = append(ent.FSWrite, v)
+					}
+				}
+			}
 		case "target":
 			t.Target = &value
 		case "call":
 			t.Call = &value
 		case "secrets":
 			t.Secrets = o.ArrValue
+			secrets, err := buildflags.ParseSecretSpecs(o.ArrValue)
+			if err != nil {
+				return errors.Wrap(err, "invalid value for outputs")
+			}
+			for _, s := range secrets {
+				if s.FilePath != "" {
+					ent.FSRead = append(ent.FSRead, s.FilePath)
+				}
+			}
 		case "ssh":
 			t.SSH = o.ArrValue
+			ssh, err := buildflags.ParseSSHSpecs(o.ArrValue)
+			if err != nil {
+				return errors.Wrap(err, "invalid value for outputs")
+			}
+			for _, s := range ssh {
+				ent.FSRead = append(ent.FSRead, s.Paths...)
+			}
 		case "platform":
 			t.Platforms = o.ArrValue
 		case "output":
 			t.Outputs = o.ArrValue
+			outputs, err := buildflags.ParseExports(o.ArrValue)
+			if err != nil {
+				return errors.Wrap(err, "invalid value for outputs")
+			}
+			for _, o := range outputs {
+				if o.Destination != "" {
+					ent.FSWrite = append(ent.FSWrite, o.Destination)
+				}
+			}
 		case "entitlements":
 			t.Entitlements = append(t.Entitlements, o.ArrValue...)
+			for _, v := range o.ArrValue {
+				if v == string(EntitlementKeyNetworkHost) {
+					ent.NetworkHost = true
+				} else if v == string(EntitlementKeySecurityInsecure) {
+					ent.SecurityInsecure = true
+				}
+			}
 		case "annotations":
 			t.Annotations = append(t.Annotations, o.ArrValue...)
 		case "attest":
@@ -1329,7 +1383,8 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	if err != nil {
 		return nil, err
 	}
-	bo.Exports, err = controllerapi.CreateExports(outputs)
+
+	bo.Exports, bo.ExportsLocalPathsTemporary, err = controllerapi.CreateExports(outputs)
 	if err != nil {
 		return nil, err
 	}

bake/bake_test.go

@@ -40,7 +40,7 @@ target "webapp" {
 
 	t.Run("NoOverrides", func(t *testing.T) {
 		t.Parallel()
-		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, nil, nil)
+		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, nil, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m))
 
@@ -58,7 +58,7 @@ target "webapp" {
 
 	t.Run("InvalidTargetOverrides", func(t *testing.T) {
 		t.Parallel()
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"nosuchtarget.context=foo"}, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"nosuchtarget.context=foo"}, nil, &EntitlementConf{})
 		require.Error(t, err)
 		require.Equal(t, "could not find any target matching 'nosuchtarget'", err.Error())
 	})
@@ -74,7 +74,7 @@ target "webapp" {
 				"webapp.args.VAR_FROMENV" + t.Name(),
 				"webapp.args.VAR_INHERITED=override",
 				// not overriding VAR_BOTH on purpose
-			}, nil)
+			}, nil, &EntitlementConf{})
 			require.NoError(t, err)
 
 			require.Equal(t, "Dockerfile.webapp", *m["webapp"].Dockerfile)
@@ -103,7 +103,7 @@ target "webapp" {
 			m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{
 				"webDEP.args.VAR_INHERITED=override",
 				"webDEP.args.VAR_BOTH=override",
-			}, nil)
+			}, nil, &EntitlementConf{})
 
 			require.NoError(t, err)
 			require.Equal(t, ptrstr("override"), m["webapp"].Args["VAR_INHERITED"])
@@ -115,10 +115,10 @@ target "webapp" {
 
 	t.Run("ContextOverride", func(t *testing.T) {
 		t.Parallel()
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.context"}, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.context"}, nil, &EntitlementConf{})
 		require.Error(t, err)
 
-		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.context=foo"}, nil)
+		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.context=foo"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, "foo", *m["webapp"].Context)
 		require.Equal(t, 1, len(g))
@@ -127,7 +127,7 @@ target "webapp" {
 
 	t.Run("NoCacheOverride", func(t *testing.T) {
 		t.Parallel()
-		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.no-cache=false"}, nil)
+		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.no-cache=false"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, false, *m["webapp"].NoCache)
 		require.Equal(t, 1, len(g))
@@ -135,14 +135,14 @@ target "webapp" {
 	})
 
 	t.Run("ShmSizeOverride", func(t *testing.T) {
-		m, _, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.shm-size=256m"}, nil)
+		m, _, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.shm-size=256m"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, "256m", *m["webapp"].ShmSize)
 	})
 
 	t.Run("PullOverride", func(t *testing.T) {
 		t.Parallel()
-		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.pull=false"}, nil)
+		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.pull=false"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, false, *m["webapp"].Pull)
 		require.Equal(t, 1, len(g))
@@ -210,7 +210,7 @@ target "webapp" {
 		}
 		for _, test := range cases {
 			t.Run(test.name, func(t *testing.T) {
-				m, g, err := ReadTargets(ctx, []File{fp}, test.targets, test.overrides, nil)
+				m, g, err := ReadTargets(ctx, []File{fp}, test.targets, test.overrides, nil, &EntitlementConf{})
 				test.check(t, m, g, err)
 			})
 		}
@@ -225,7 +225,7 @@ func TestPushOverride(t *testing.T) {
 				`target "app" {
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m["app"].Outputs))
 		require.Equal(t, "type=image,push=true", m["app"].Outputs[0])
@@ -239,7 +239,7 @@ func TestPushOverride(t *testing.T) {
 				output = ["type=image,compression=zstd"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m["app"].Outputs))
 		require.Equal(t, "type=image,compression=zstd,push=true", m["app"].Outputs[0])
@@ -253,7 +253,7 @@ func TestPushOverride(t *testing.T) {
 				output = ["type=image,compression=zstd"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=false"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=false"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m["app"].Outputs))
 		require.Equal(t, "type=image,compression=zstd,push=false", m["app"].Outputs[0])
@@ -267,7 +267,7 @@ func TestPushOverride(t *testing.T) {
 				output = ["type=registry"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m["app"].Outputs))
 		require.Equal(t, "type=registry", m["app"].Outputs[0])
@@ -281,7 +281,7 @@ func TestPushOverride(t *testing.T) {
 				output = ["type=registry"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=false"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=false"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 0, len(m["app"].Outputs))
 	})
@@ -296,7 +296,7 @@ func TestPushOverride(t *testing.T) {
 			target "bar" {
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.push=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.push=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 2, len(m))
 		require.Equal(t, 1, len(m["foo"].Outputs))
@@ -314,7 +314,7 @@ func TestLoadOverride(t *testing.T) {
 				`target "app" {
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m["app"].Outputs))
 		require.Equal(t, "type=docker", m["app"].Outputs[0])
@@ -328,7 +328,7 @@ func TestLoadOverride(t *testing.T) {
 				output = ["type=docker"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m["app"].Outputs))
 		require.Equal(t, []string{"type=docker"}, m["app"].Outputs)
@@ -342,7 +342,7 @@ func TestLoadOverride(t *testing.T) {
 				output = ["type=image"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 2, len(m["app"].Outputs))
 		require.Equal(t, []string{"type=image", "type=docker"}, m["app"].Outputs)
@@ -356,7 +356,7 @@ func TestLoadOverride(t *testing.T) {
 				output = ["type=image"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=false"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=false"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m["app"].Outputs))
 		require.Equal(t, []string{"type=image"}, m["app"].Outputs)
@@ -370,7 +370,7 @@ func TestLoadOverride(t *testing.T) {
 				output = ["type=registry"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 2, len(m["app"].Outputs))
 		require.Equal(t, []string{"type=registry", "type=docker"}, m["app"].Outputs)
@@ -384,7 +384,7 @@ func TestLoadOverride(t *testing.T) {
 				output = ["type=oci,dest=out"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 2, len(m["app"].Outputs))
 		require.Equal(t, []string{"type=oci,dest=out", "type=docker"}, m["app"].Outputs)
@@ -398,7 +398,7 @@ func TestLoadOverride(t *testing.T) {
 				output = ["type=docker,dest=out"]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 2, len(m["app"].Outputs))
 		require.Equal(t, []string{"type=docker,dest=out", "type=docker"}, m["app"].Outputs)
@@ -414,7 +414,7 @@ func TestLoadOverride(t *testing.T) {
 			target "bar" {
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.load=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.load=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 2, len(m))
 		require.Equal(t, 1, len(m["foo"].Outputs))
@@ -435,7 +435,7 @@ func TestLoadAndPushOverride(t *testing.T) {
 			target "bar" {
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.load=true", "*.push=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.load=true", "*.push=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 2, len(m))
 
@@ -456,7 +456,7 @@ func TestLoadAndPushOverride(t *testing.T) {
 		  		output = [ "type=registry" ]
 			}`),
 		}
-		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo"}, []string{"*.load=true", "*.push=true"}, nil)
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo"}, []string{"*.load=true", "*.push=true"}, nil, &EntitlementConf{})
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m))
 
@@ -512,7 +512,7 @@ services:
 
 	ctx := context.TODO()
 
-	m, g, err := ReadTargets(ctx, []File{fp, fp2, fp3}, []string{"default"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp, fp2, fp3}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	require.Equal(t, 3, len(m))
@@ -559,7 +559,7 @@ services:
 
 	ctx := context.TODO()
 
-	m, _, err := ReadTargets(ctx, []File{fp}, []string{"web.app"}, nil, nil)
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"web.app"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(m))
 	_, ok := m["web_app"]
@@ -567,7 +567,7 @@ services:
 	require.Equal(t, "Dockerfile.webapp", *m["web_app"].Dockerfile)
 	require.Equal(t, ptrstr("1"), m["web_app"].Args["buildno"])
 
-	m, _, err = ReadTargets(ctx, []File{fp2}, []string{"web_app"}, nil, nil)
+	m, _, err = ReadTargets(ctx, []File{fp2}, []string{"web_app"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(m))
 	_, ok = m["web_app"]
@@ -575,7 +575,7 @@ services:
 	require.Equal(t, "Dockerfile", *m["web_app"].Dockerfile)
 	require.Equal(t, ptrstr("12"), m["web_app"].Args["buildno2"])
 
-	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"default"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(m))
 	_, ok = m["web_app"]
@@ -600,7 +600,7 @@ func TestHCLContextCwdPrefix(t *testing.T) {
 			}`),
 	}
 	ctx := context.TODO()
-	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	bo, err := TargetsToBuildOpt(m, &Input{})
@@ -631,7 +631,7 @@ func TestHCLDockerfileCwdPrefix(t *testing.T) {
 	cwd, err := os.Getwd()
 	require.NoError(t, err)
 
-	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	bo, err := TargetsToBuildOpt(m, &Input{})
@@ -662,7 +662,7 @@ func TestOverrideMerge(t *testing.T) {
 		"app.platform=linux/arm",
 		"app.platform=linux/ppc64le",
 		"app.output=type=registry",
-	}, nil)
+	}, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(m))
@@ -697,7 +697,7 @@ func TestReadContexts(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	m, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil)
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(m))
@@ -713,7 +713,7 @@ func TestReadContexts(t *testing.T) {
 	require.Equal(t, "baz", ctxs["foo"].Path)
 	require.Equal(t, "def", ctxs["abc"].Path)
 
-	m, _, err = ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"app.contexts.foo=bay", "base.contexts.ghi=jkl"}, nil)
+	m, _, err = ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"app.contexts.foo=bay", "base.contexts.ghi=jkl"}, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(m))
@@ -731,7 +731,7 @@ func TestReadContexts(t *testing.T) {
 	require.Equal(t, "jkl", ctxs["ghi"].Path)
 
 	// test resetting base values
-	m, _, err = ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"app.contexts.foo="}, nil)
+	m, _, err = ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"app.contexts.foo="}, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(m))
@@ -766,7 +766,7 @@ func TestReadContextFromTargetUnknown(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil)
+	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil, &EntitlementConf{})
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "failed to find target bar")
 }
@@ -790,7 +790,7 @@ services:
 
 	ctx := context.TODO()
 
-	m, _, err := ReadTargets(ctx, []File{fp, fp2}, []string{"app1", "app2"}, nil, nil)
+	m, _, err := ReadTargets(ctx, []File{fp, fp2}, []string{"app1", "app2"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	require.Equal(t, 2, len(m))
@@ -828,7 +828,7 @@ func TestReadContextFromTargetChain(t *testing.T) {
 		`),
 	}
 
-	m, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil)
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	require.Equal(t, 3, len(m))
@@ -867,7 +867,7 @@ func TestReadContextFromTargetInfiniteLoop(t *testing.T) {
 		}
 		`),
 	}
-	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app", "mid"}, []string{}, nil)
+	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app", "mid"}, []string{}, nil, &EntitlementConf{})
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "infinite loop from")
 }
@@ -889,7 +889,7 @@ func TestReadContextFromTargetMultiPlatform(t *testing.T) {
 		}
 		`),
 	}
-	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil)
+	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil, &EntitlementConf{})
 	require.NoError(t, err)
 }
 
@@ -910,7 +910,7 @@ func TestReadContextFromTargetInvalidPlatforms(t *testing.T) {
 		}
 		`),
 	}
-	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil)
+	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{}, nil, &EntitlementConf{})
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "defined for different platforms")
 }
@@ -926,7 +926,7 @@ target "default" {
   dockerfile = "test"
 }`)}
 
-	m, g, err := ReadTargets(ctx, []File{f}, []string{"default"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{f}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 0, len(g))
 	require.Equal(t, 1, len(m))
@@ -944,10 +944,10 @@ target "image" {
   dockerfile = "test"
 }`)}
 
-	_, _, err := ReadTargets(ctx, []File{f}, []string{"default"}, nil, nil)
+	_, _, err := ReadTargets(ctx, []File{f}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.Error(t, err)
 
-	m, g, err := ReadTargets(ctx, []File{f}, []string{"image"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{f}, []string{"image"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
 	require.Equal(t, []string{"image"}, g["default"].Targets)
@@ -969,7 +969,7 @@ target "image" {
   dockerfile = "test"
 }`)}
 
-	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 2, len(g))
 	require.Equal(t, []string{"foo"}, g["default"].Targets)
@@ -995,7 +995,7 @@ target "image" {
   dockerfile = "test"
 }`)}
 
-	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 2, len(g))
 	require.Equal(t, []string{"foo"}, g["default"].Targets)
@@ -1003,7 +1003,7 @@ target "image" {
 	require.Equal(t, 1, len(m))
 	require.Equal(t, "test", *m["image"].Dockerfile)
 
-	m, g, err = ReadTargets(ctx, []File{f}, []string{"foo", "foo"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{f}, []string{"foo", "foo"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 2, len(g))
 	require.Equal(t, []string{"foo"}, g["default"].Targets)
@@ -1083,7 +1083,7 @@ services:
 	 }
 	}`)}
 
-	m, g, err := ReadTargets(ctx, []File{fhcl}, []string{"default"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fhcl}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
 	require.Equal(t, []string{"image"}, g["default"].Targets)
@@ -1091,7 +1091,7 @@ services:
 	require.Equal(t, 1, len(m["image"].Outputs))
 	require.Equal(t, "type=docker", m["image"].Outputs[0])
 
-	m, g, err = ReadTargets(ctx, []File{fhcl}, []string{"image-release"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{fhcl}, []string{"image-release"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
 	require.Equal(t, []string{"image-release"}, g["default"].Targets)
@@ -1099,7 +1099,7 @@ services:
 	require.Equal(t, 1, len(m["image-release"].Outputs))
 	require.Equal(t, "type=image,push=true", m["image-release"].Outputs[0])
 
-	m, g, err = ReadTargets(ctx, []File{fhcl}, []string{"image", "image-release"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{fhcl}, []string{"image", "image-release"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
 	require.Equal(t, []string{"image", "image-release"}, g["default"].Targets)
@@ -1108,21 +1108,21 @@ services:
 	require.Equal(t, 1, len(m["image-release"].Outputs))
 	require.Equal(t, "type=image,push=true", m["image-release"].Outputs[0])
 
-	m, g, err = ReadTargets(ctx, []File{fyml, fhcl}, []string{"default"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{fyml, fhcl}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
 	require.Equal(t, []string{"image"}, g["default"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, ".", *m["image"].Context)
 
-	m, g, err = ReadTargets(ctx, []File{fjson}, []string{"default"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{fjson}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
 	require.Equal(t, []string{"image"}, g["default"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, ".", *m["image"].Context)
 
-	m, g, err = ReadTargets(ctx, []File{fyml}, []string{"default"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{fyml}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
 	sort.Strings(g["default"].Targets)
@@ -1131,7 +1131,7 @@ services:
 	require.Equal(t, "./Dockerfile", *m["addon"].Dockerfile)
 	require.Equal(t, "./aws.Dockerfile", *m["aws"].Dockerfile)
 
-	m, g, err = ReadTargets(ctx, []File{fyml, fhcl}, []string{"addon", "aws"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{fyml, fhcl}, []string{"addon", "aws"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
 	sort.Strings(g["default"].Targets)
@@ -1140,7 +1140,7 @@ services:
 	require.Equal(t, "./Dockerfile", *m["addon"].Dockerfile)
 	require.Equal(t, "./aws.Dockerfile", *m["aws"].Dockerfile)
 
-	m, g, err = ReadTargets(ctx, []File{fyml, fhcl}, []string{"addon", "aws", "image"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{fyml, fhcl}, []string{"addon", "aws", "image"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
 	sort.Strings(g["default"].Targets)
@@ -1168,7 +1168,7 @@ target "image" {
   output = ["type=docker"]
 }`)}
 
-	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 2, len(g))
 	require.Equal(t, []string{"foo"}, g["default"].Targets)
@@ -1176,7 +1176,7 @@ target "image" {
 	require.Equal(t, 1, len(m))
 	require.Equal(t, "bar", *m["foo"].Dockerfile)
 
-	m, g, err = ReadTargets(ctx, []File{f}, []string{"foo", "foo"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{f}, []string{"foo", "foo"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 2, len(g))
 	require.Equal(t, []string{"foo"}, g["default"].Targets)
@@ -1202,7 +1202,7 @@ target "image" {
   output = ["type=docker"]
 }`)}
 
-	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 2, len(g))
 	require.Equal(t, []string{"foo"}, g["default"].Targets)
@@ -1211,7 +1211,7 @@ target "image" {
 	require.Equal(t, "bar", *m["foo"].Dockerfile)
 	require.Equal(t, "type=docker", m["image"].Outputs[0])
 
-	m, g, err = ReadTargets(ctx, []File{f}, []string{"foo", "image"}, nil, nil)
+	m, g, err = ReadTargets(ctx, []File{f}, []string{"foo", "image"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 	require.Equal(t, 2, len(g))
 	require.Equal(t, []string{"foo", "image"}, g["default"].Targets)
@@ -1273,7 +1273,7 @@ target "d" {
 	for _, tt := range cases {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			m, g, err := ReadTargets(ctx, []File{f}, []string{"d"}, tt.overrides, nil)
+			m, g, err := ReadTargets(ctx, []File{f}, []string{"d"}, tt.overrides, nil, &EntitlementConf{})
 			require.NoError(t, err)
 			require.Equal(t, 1, len(g))
 			require.Equal(t, []string{"d"}, g["default"].Targets)
@@ -1345,7 +1345,7 @@ group "default" {
 	for _, tt := range cases {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			m, g, err := ReadTargets(ctx, []File{f}, []string{"default"}, tt.overrides, nil)
+			m, g, err := ReadTargets(ctx, []File{f}, []string{"default"}, tt.overrides, nil, &EntitlementConf{})
 			require.NoError(t, err)
 			require.Equal(t, 1, len(g))
 			require.Equal(t, []string{"child1", "child2"}, g["default"].Targets)
@@ -1403,7 +1403,7 @@ func TestTargetName(t *testing.T) {
 			_, _, err := ReadTargets(ctx, []File{{
 				Name: "docker-bake.hcl",
 				Data: []byte(`target "` + tt.target + `" {}`),
-			}}, []string{tt.target}, nil, nil)
+			}}, []string{tt.target}, nil, nil, &EntitlementConf{})
 			if tt.wantErr {
 				require.Error(t, err)
 			} else {
@@ -1490,7 +1490,7 @@ target "f" {
 	for _, tt := range cases {
 		tt := tt
 		t.Run(strings.Join(tt.names, "+"), func(t *testing.T) {
-			m, g, err := ReadTargets(ctx, []File{f}, tt.names, nil, nil)
+			m, g, err := ReadTargets(ctx, []File{f}, tt.names, nil, nil, &EntitlementConf{})
 			require.NoError(t, err)
 
 			var gnames []string
@@ -1567,7 +1567,7 @@ func TestHCLNullVars(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil)
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(m))
@@ -1602,7 +1602,7 @@ func TestJSONNullVars(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil)
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(m))
@@ -1677,7 +1677,7 @@ func TestAttestDuplicates(t *testing.T) {
 	}
 	ctx := context.TODO()
 
-	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil)
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil, &EntitlementConf{})
 	require.Equal(t, []string{"type=sbom,foo=bar", "type=provenance,mode=max"}, m["default"].Attest)
 	require.NoError(t, err)
 
@@ -1688,7 +1688,7 @@ func TestAttestDuplicates(t *testing.T) {
 		"provenance": ptrstr("type=provenance,mode=max"),
 	}, opts["default"].Attests)
 
-	m, _, err = ReadTargets(ctx, []File{fp}, []string{"default"}, []string{"*.attest=type=sbom,disabled=true"}, nil)
+	m, _, err = ReadTargets(ctx, []File{fp}, []string{"default"}, []string{"*.attest=type=sbom,disabled=true"}, nil, &EntitlementConf{})
 	require.Equal(t, []string{"type=sbom,disabled=true", "type=provenance,mode=max"}, m["default"].Attest)
 	require.NoError(t, err)
 
@@ -1710,7 +1710,7 @@ func TestAnnotations(t *testing.T) {
 			}`),
 	}
 	ctx := context.TODO()
-	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	bo, err := TargetsToBuildOpt(m, &Input{})
@@ -1737,7 +1737,7 @@ func TestHCLEntitlements(t *testing.T) {
 			}`),
 	}
 	ctx := context.TODO()
-	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	bo, err := TargetsToBuildOpt(m, &Input{})
@@ -1777,7 +1777,7 @@ func TestEntitlementsForNetHostCompose(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"app"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"app"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	bo, err := TargetsToBuildOpt(m, &Input{})
@@ -1808,7 +1808,7 @@ func TestEntitlementsForNetHost(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	bo, err := TargetsToBuildOpt(m, &Input{})
@@ -1839,7 +1839,7 @@ func TestNetNone(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 	require.NoError(t, err)
 
 	bo, err := TargetsToBuildOpt(m, &Input{})
@@ -1879,12 +1879,12 @@ target "app" {
 
 	t.Run("Valid", func(t *testing.T) {
 		t.Setenv("FOO", "bar")
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.NoError(t, err)
 	})
 
 	t.Run("Invalid", func(t *testing.T) {
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "FOO is required.")
 	})
@@ -1916,19 +1916,19 @@ target "app" {
 
 	t.Run("Valid", func(t *testing.T) {
 		t.Setenv("FOO", "barbar")
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.NoError(t, err)
 	})
 
 	t.Run("InvalidLength", func(t *testing.T) {
 		t.Setenv("FOO", "bar")
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "FOO must be longer than 4 characters.")
 	})
 
 	t.Run("InvalidEmpty", func(t *testing.T) {
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "FOO is required.")
 	})
@@ -1957,19 +1957,19 @@ target "app" {
 
 	t.Run("Valid", func(t *testing.T) {
 		t.Setenv("FOO", "bar")
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.NoError(t, err)
 	})
 
 	t.Run("SetBar", func(t *testing.T) {
 		t.Setenv("FOO", "bar")
 		t.Setenv("BAR", "baz")
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.NoError(t, err)
 	})
 
 	t.Run("Invalid", func(t *testing.T) {
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "BAR requires FOO to be set.")
 	})
@@ -1998,12 +1998,12 @@ target "app" {
 
 	t.Run("Valid", func(t *testing.T) {
 		t.Setenv("FOO", "10")
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.NoError(t, err)
 	})
 
 	t.Run("Invalid", func(t *testing.T) {
-		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+		_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "FOO must be greater than 5.")
 	})
@@ -2025,6 +2025,23 @@ target "app" {
 
 	ctx := context.TODO()
 
-	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil, &EntitlementConf{})
+	require.NoError(t, err)
+}
+
+// https://github.com/docker/buildx/issues/2858
+func TestOverrideEmpty(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(`
+target "app" {
+  output = ["./bin"]
+}
+`),
+	}
+
+	ctx := context.TODO()
+
+	_, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"app.output="}, nil, &EntitlementConf{})
 	require.NoError(t, err)
 }

bake/entitlements.go

@@ -19,6 +19,7 @@ import (
 	"github.com/docker/buildx/util/osutil"
 	"github.com/moby/buildkit/util/entitlements"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 type EntitlementKey string
@@ -113,17 +114,8 @@ func (c EntitlementConf) check(bo build.Options, expected *EntitlementConf) erro
 		roPaths[p] = struct{}{}
 	}
 
-	for _, out := range bo.Exports {
+	for _, p := range bo.ExportsLocalPathsTemporary {
-		if out.Type == "local" {
+		rwPaths[p] = struct{}{}
-			if dest, ok := out.Attrs["dest"]; ok {
-				rwPaths[dest] = struct{}{}
-			}
-		}
-		if out.Type == "tar" {
-			if dest, ok := out.Attrs["dest"]; ok && dest != "-" {
-				rwPaths[dest] = struct{}{}
-			}
-		}
 	}
 
 	for _, ce := range bo.CacheTo {
@@ -453,12 +445,20 @@ func evaluatePaths(in []string) ([]string, bool, error) {
 		}
 		v, err := filepath.Abs(p)
 		if err != nil {
-			return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
+			logrus.Warnf("failed to evaluate entitlement path %q: %v", p, err)
+			continue
 		}
-		v, err = filepath.EvalSymlinks(v)
+		v, rest, err := evaluateToExistingPath(v)
 		if err != nil {
 			return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
 		}
+		v, err = osutil.GetLongPathName(v)
+		if err != nil {
+			return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
+		}
+		if rest != "" {
+			v = filepath.Join(v, rest)
+		}
 		out = append(out, v)
 	}
 	return out, allowAny, nil
@@ -467,7 +467,7 @@ func evaluatePaths(in []string) ([]string, bool, error) {
 func evaluateToExistingPaths(in map[string]struct{}) (map[string]struct{}, error) {
 	m := make(map[string]struct{}, len(in))
 	for p := range in {
-		v, err := evaluateToExistingPath(p)
+		v, _, err := evaluateToExistingPath(p)
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
 		}
@@ -480,10 +480,10 @@ func evaluateToExistingPaths(in map[string]struct{}) (map[string]struct{}, error
 	return m, nil
 }
 
-func evaluateToExistingPath(in string) (string, error) {
+func evaluateToExistingPath(in string) (string, string, error) {
 	in, err := filepath.Abs(in)
 	if err != nil {
-		return "", err
+		return "", "", err
 	}
 
 	volLen := volumeNameLen(in)
@@ -538,29 +538,29 @@ func evaluateToExistingPath(in string) (string, error) {
 			if os.IsNotExist(err) {
 				for r := len(dest) - 1; r >= volLen; r-- {
 					if os.IsPathSeparator(dest[r]) {
-						return dest[:r], nil
+						return dest[:r], in[start:], nil
 					}
 				}
-				return vol, nil
+				return vol, in[start:], nil
 			}
-			return "", err
+			return "", "", err
 		}
 
 		if fi.Mode()&fs.ModeSymlink == 0 {
 			if !fi.Mode().IsDir() && end < len(in) {
-				return "", syscall.ENOTDIR
+				return "", "", syscall.ENOTDIR
 			}
 			continue
 		}
 
 		linksWalked++
 		if linksWalked > 255 {
-			return "", errors.New("too many symlinks")
+			return "", "", errors.New("too many symlinks")
 		}
 
 		link, err := os.Readlink(dest)
 		if err != nil {
-			return "", err
+			return "", "", err
 		}
 
 		in = link + in[end:]
@@ -593,7 +593,7 @@ func evaluateToExistingPath(in string) (string, error) {
 			end = 0
 		}
 	}
-	return filepath.Clean(dest), nil
+	return filepath.Clean(dest), "", nil
 }
 
 func volumeNameLen(s string) int {

bake/entitlements_test.go

@@ -10,7 +10,6 @@ import (
 	"github.com/docker/buildx/build"
 	"github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/util/osutil"
-	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/util/entitlements"
 	"github.com/stretchr/testify/require"
@@ -90,7 +89,7 @@ func TestEvaluateToExistingPath(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := evaluateToExistingPath(tt.input)
+			result, _, err := evaluateToExistingPath(tt.input)
 
 			if tt.expectErr {
 				require.Error(t, err)
@@ -279,25 +278,10 @@ func TestValidateEntitlements(t *testing.T) {
 		{
 			name: "ExportLocal",
 			opt: build.Options{
-				Exports: []client.ExportEntry{
+				ExportsLocalPathsTemporary: []string{
-					{
+					dir1,
-						Type: "local",
+					filepath.Join(dir1, "subdir"),
-						Attrs: map[string]string{
+					dir2,
-							"dest": dir1,
-						},
-					},
-					{
-						Type: "local",
-						Attrs: map[string]string{
-							"dest": filepath.Join(dir1, "subdir"),
-						},
-					},
-					{
-						Type: "local",
-						Attrs: map[string]string{
-							"dest": dir2,
-						},
-					},
 				},
 			},
 			expected: EntitlementConf{
@@ -357,7 +341,7 @@ func TestValidateEntitlements(t *testing.T) {
 						return nil
 					}
 					// if not, then escapeLink is not allowed
-					exp, err := evaluateToExistingPath(escapeLink)
+					exp, _, err := evaluateToExistingPath(escapeLink)
 					require.NoError(t, err)
 					exp, err = filepath.EvalSymlinks(exp)
 					require.NoError(t, err)
@@ -379,6 +363,48 @@ func TestValidateEntitlements(t *testing.T) {
 			},
 			expected: EntitlementConf{},
 		},
+		{
+			name: "NonExistingAllowedPathSubpath",
+			opt: build.Options{
+				ExportsLocalPathsTemporary: []string{
+					dir1,
+				},
+			},
+			conf: EntitlementConf{
+				FSRead:  []string{wd},
+				FSWrite: []string{filepath.Join(dir1, "not/exists")},
+			},
+			expected: EntitlementConf{
+				FSWrite: []string{expDir1}, // dir1 is still needed as only subpath was allowed
+			},
+		},
+		{
+			name: "NonExistingAllowedPathMatches",
+			opt: build.Options{
+				ExportsLocalPathsTemporary: []string{
+					filepath.Join(dir1, "not/exists"),
+				},
+			},
+			conf: EntitlementConf{
+				FSRead:  []string{wd},
+				FSWrite: []string{filepath.Join(dir1, "not/exists")},
+			},
+			expected: EntitlementConf{
+				FSWrite: []string{expDir1}, // dir1 is still needed as build also needs to write not/exists directory
+			},
+		},
+		{
+			name: "NonExistingBuildPath",
+			opt: build.Options{
+				ExportsLocalPathsTemporary: []string{
+					filepath.Join(dir1, "not/exists"),
+				},
+			},
+			conf: EntitlementConf{
+				FSRead:  []string{wd},
+				FSWrite: []string{dir1},
+			},
+		},
 	}
 
 	for _, tc := range tcases {

build/build.go

@@ -70,6 +70,7 @@ type Options struct {
 	CacheTo                    []client.CacheOptionsEntry
 	CgroupParent               string
 	Exports                    []client.ExportEntry
+	ExportsLocalPathsTemporary []string // should be removed after client.ExportEntry update in buildkit v0.19.0
 	ExtraHosts                 []string
 	Labels                     map[string]string
 	NetworkMode                string

commands/bake.go

@@ -199,7 +199,7 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 		}
 	}
 
-	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, defaults)
+	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, defaults, &ent)
 	if err != nil {
 		return err
 	}

controller/build/build.go

@@ -93,7 +93,7 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in *controllerapi.Buil
 	}
 	opts.Session = append(opts.Session, ssh)
 
-	outputs, err := controllerapi.CreateExports(in.Exports)
+	outputs, _, err := controllerapi.CreateExports(in.Exports)
 	if err != nil {
 		return nil, nil, nil, err
 	}

controller/pb/export.go

@@ -10,15 +10,16 @@ import (
 	"github.com/pkg/errors"
 )
 
-func CreateExports(entries []*ExportEntry) ([]client.ExportEntry, error) {
+func CreateExports(entries []*ExportEntry) ([]client.ExportEntry, []string, error) {
 	var outs []client.ExportEntry
+	var localPaths []string
 	if len(entries) == 0 {
-		return nil, nil
+		return nil, nil, nil
 	}
 	var stdoutUsed bool
 	for _, entry := range entries {
 		if entry.Type == "" {
-			return nil, errors.Errorf("type is required for output")
+			return nil, nil, errors.Errorf("type is required for output")
 		}
 
 		out := client.ExportEntry{
@@ -49,20 +50,21 @@ func CreateExports(entries []*ExportEntry) ([]client.ExportEntry, error) {
 
 		if supportDir {
 			if entry.Destination == "" {
-				return nil, errors.Errorf("dest is required for %s exporter", out.Type)
+				return nil, nil, errors.Errorf("dest is required for %s exporter", out.Type)
 			}
 			if entry.Destination == "-" {
-				return nil, errors.Errorf("dest cannot be stdout for %s exporter", out.Type)
+				return nil, nil, errors.Errorf("dest cannot be stdout for %s exporter", out.Type)
 			}
 
 			fi, err := os.Stat(entry.Destination)
 			if err != nil && !os.IsNotExist(err) {
-				return nil, errors.Wrapf(err, "invalid destination directory: %s", entry.Destination)
+				return nil, nil, errors.Wrapf(err, "invalid destination directory: %s", entry.Destination)
 			}
 			if err == nil && !fi.IsDir() {
-				return nil, errors.Errorf("destination directory %s is a file", entry.Destination)
+				return nil, nil, errors.Errorf("destination directory %s is a file", entry.Destination)
 			}
 			out.OutputDir = entry.Destination
+			localPaths = append(localPaths, entry.Destination)
 		}
 		if supportFile {
 			if entry.Destination == "" && out.Type != client.ExporterDocker {
@@ -70,32 +72,33 @@ func CreateExports(entries []*ExportEntry) ([]client.ExportEntry, error) {
 			}
 			if entry.Destination == "-" {
 				if stdoutUsed {
-					return nil, errors.Errorf("multiple outputs configured to write to stdout")
+					return nil, nil, errors.Errorf("multiple outputs configured to write to stdout")
 				}
 				if _, err := console.ConsoleFromFile(os.Stdout); err == nil {
-					return nil, errors.Errorf("dest file is required for %s exporter. refusing to write to console", out.Type)
+					return nil, nil, errors.Errorf("dest file is required for %s exporter. refusing to write to console", out.Type)
 				}
 				out.Output = wrapWriteCloser(os.Stdout)
 				stdoutUsed = true
 			} else if entry.Destination != "" {
 				fi, err := os.Stat(entry.Destination)
 				if err != nil && !os.IsNotExist(err) {
-					return nil, errors.Wrapf(err, "invalid destination file: %s", entry.Destination)
+					return nil, nil, errors.Wrapf(err, "invalid destination file: %s", entry.Destination)
 				}
 				if err == nil && fi.IsDir() {
-					return nil, errors.Errorf("destination file %s is a directory", entry.Destination)
+					return nil, nil, errors.Errorf("destination file %s is a directory", entry.Destination)
 				}
 				f, err := os.Create(entry.Destination)
 				if err != nil {
-					return nil, errors.Errorf("failed to open %s", err)
+					return nil, nil, errors.Errorf("failed to open %s", err)
 				}
 				out.Output = wrapWriteCloser(f)
+				localPaths = append(localPaths, entry.Destination)
 			}
 		}
 
 		outs = append(outs, out)
 	}
-	return outs, nil
+	return outs, localPaths, nil
 }
 
 func wrapWriteCloser(wc io.WriteCloser) func(map[string]string) (io.WriteCloser, error) {

tests/bake.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"testing"
 
@@ -46,6 +47,14 @@ var bakeTests = []func(t *testing.T, sb integration.Sandbox){
 	testBakeRemoteDockerfileCwd,
 	testBakeRemoteLocalContextRemoteDockerfile,
 	testBakeEmpty,
+	testBakeSetNonExistingSubdirNoParallel,
+	testBakeSetNonExistingOutsideNoParallel,
+	testBakeSetExistingOutsideNoParallel,
+	testBakeDefinitionNotExistingSubdirNoParallel,
+	testBakeDefinitionNotExistingOutsideNoParallel,
+	testBakeDefinitionExistingOutsideNoParallel,
+	testBakeDefinitionSymlinkOutsideNoParallel,
+	testBakeDefinitionSymlinkOutsideGrantedNoParallel,
 	testBakeShmSize,
 	testBakeUlimits,
 	testBakeMetadataProvenance,
@@ -705,6 +714,261 @@ target "default" {
 	require.Contains(t, string(dt), `size=131072k`)
 }
 
+func testBakeSetNonExistingSubdirNoParallel(t *testing.T, sb integration.Sandbox) {
+	for _, ent := range []bool{true, false} {
+		t.Run(fmt.Sprintf("ent=%v", ent), func(t *testing.T) {
+			t.Setenv("BUILDX_BAKE_ENTITLEMENTS_FS", strconv.FormatBool(ent))
+			dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+			bakefile := []byte(`
+target "default" {
+}
+`)
+			dir := tmpdir(
+				t,
+				fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+				fstest.CreateFile("Dockerfile", dockerfile, 0600),
+				fstest.CreateFile("foo", []byte("foo"), 0600),
+			)
+
+			cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain", "--set", "*.output=type=local,dest="+filepath.Join(dir, "not/exists")))
+			out, err := cmd.CombinedOutput()
+			require.NoError(t, err, string(out))
+			require.Contains(t, string(out), `#1 [internal] load local bake definitions`)
+			require.Contains(t, string(out), `#1 reading docker-bake.hcl`)
+
+			require.FileExists(t, filepath.Join(dir, "not/exists/foo"))
+		})
+	}
+}
+func testBakeSetNonExistingOutsideNoParallel(t *testing.T, sb integration.Sandbox) {
+	for _, ent := range []bool{true, false} {
+		t.Run(fmt.Sprintf("ent=%v", ent), func(t *testing.T) {
+			t.Setenv("BUILDX_BAKE_ENTITLEMENTS_FS", strconv.FormatBool(ent))
+			dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+			bakefile := []byte(`
+target "default" {
+}
+`)
+			dir := tmpdir(
+				t,
+				fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+				fstest.CreateFile("Dockerfile", dockerfile, 0600),
+				fstest.CreateFile("foo", []byte("foo"), 0600),
+			)
+
+			destDir := t.TempDir()
+
+			cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain", "--set", "*.output=type=local,dest="+filepath.Join(destDir, "not/exists")))
+			out, err := cmd.CombinedOutput()
+			if ent {
+				require.Error(t, err, string(out))
+				require.Contains(t, string(out), "ERROR: additional privileges requested")
+			} else {
+				require.NoError(t, err, string(out))
+				require.FileExists(t, filepath.Join(destDir, "not/exists/foo"))
+			}
+		})
+	}
+}
+
+func testBakeSetExistingOutsideNoParallel(t *testing.T, sb integration.Sandbox) {
+	for _, ent := range []bool{true, false} {
+		t.Run(fmt.Sprintf("ent=%v", ent), func(t *testing.T) {
+			t.Setenv("BUILDX_BAKE_ENTITLEMENTS_FS", strconv.FormatBool(ent))
+			dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+			bakefile := []byte(`
+target "default" {
+}
+`)
+			dir := tmpdir(
+				t,
+				fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+				fstest.CreateFile("Dockerfile", dockerfile, 0600),
+				fstest.CreateFile("foo", []byte("foo"), 0600),
+			)
+
+			destDir := t.TempDir()
+
+			cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain", "--set", "*.output=type=local,dest="+destDir))
+			out, err := cmd.CombinedOutput()
+			// existing directory via --set is always allowed
+			require.NoError(t, err, string(out))
+			require.FileExists(t, filepath.Join(destDir, "foo"))
+		})
+	}
+}
+
+func testBakeDefinitionNotExistingSubdirNoParallel(t *testing.T, sb integration.Sandbox) {
+	for _, ent := range []bool{true, false} {
+		t.Run(fmt.Sprintf("ent=%v", ent), func(t *testing.T) {
+			t.Setenv("BUILDX_BAKE_ENTITLEMENTS_FS", strconv.FormatBool(ent))
+			dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+			bakefile := []byte(`
+target "default" {
+	output = ["type=local,dest=not/exists"]
+}
+`)
+			dir := tmpdir(
+				t,
+				fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+				fstest.CreateFile("Dockerfile", dockerfile, 0600),
+				fstest.CreateFile("foo", []byte("foo"), 0600),
+			)
+
+			cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain"))
+			out, err := cmd.CombinedOutput()
+			// subdirs of working directory are always allowed
+			require.NoError(t, err, string(out))
+			require.FileExists(t, filepath.Join(dir, "not/exists/foo"))
+		})
+	}
+}
+
+func testBakeDefinitionNotExistingOutsideNoParallel(t *testing.T, sb integration.Sandbox) {
+	for _, ent := range []bool{true, false} {
+		t.Run(fmt.Sprintf("ent=%v", ent), func(t *testing.T) {
+			t.Setenv("BUILDX_BAKE_ENTITLEMENTS_FS", strconv.FormatBool(ent))
+			dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+			destDir := t.TempDir()
+			bakefile := []byte(fmt.Sprintf(`
+target "default" {
+	output = ["type=local,dest=%s/not/exists"]
+}
+`, destDir))
+			dir := tmpdir(
+				t,
+				fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+				fstest.CreateFile("Dockerfile", dockerfile, 0600),
+				fstest.CreateFile("foo", []byte("foo"), 0600),
+			)
+
+			cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain"))
+			out, err := cmd.CombinedOutput()
+			if ent {
+				require.Error(t, err, string(out))
+				require.Contains(t, string(out), "ERROR: additional privileges requested")
+			} else {
+				require.NoError(t, err, string(out))
+				require.FileExists(t, filepath.Join(destDir, "not/exists/foo"))
+			}
+		})
+	}
+}
+
+func testBakeDefinitionExistingOutsideNoParallel(t *testing.T, sb integration.Sandbox) {
+	for _, ent := range []bool{true, false} {
+		t.Run(fmt.Sprintf("ent=%v", ent), func(t *testing.T) {
+			t.Setenv("BUILDX_BAKE_ENTITLEMENTS_FS", strconv.FormatBool(ent))
+			dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+			destDir := t.TempDir()
+			bakefile := []byte(fmt.Sprintf(`
+target "default" {
+	output = ["type=local,dest=%s"]
+}
+`, destDir))
+			dir := tmpdir(
+				t,
+				fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+				fstest.CreateFile("Dockerfile", dockerfile, 0600),
+				fstest.CreateFile("foo", []byte("foo"), 0600),
+			)
+
+			cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain"))
+			out, err := cmd.CombinedOutput()
+			if ent {
+				require.Error(t, err, string(out))
+				require.Contains(t, string(out), "ERROR: additional privileges requested")
+			} else {
+				require.NoError(t, err, string(out))
+				require.FileExists(t, filepath.Join(destDir, "foo"))
+			}
+		})
+	}
+}
+
+func testBakeDefinitionSymlinkOutsideNoParallel(t *testing.T, sb integration.Sandbox) {
+	for _, ent := range []bool{true, false} {
+		t.Run(fmt.Sprintf("ent=%v", ent), func(t *testing.T) {
+			t.Setenv("BUILDX_BAKE_ENTITLEMENTS_FS", strconv.FormatBool(ent))
+			dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+			destDir := t.TempDir()
+			bakefile := []byte(`
+target "default" {
+	output = ["type=local,dest=out"]
+}
+`)
+			dir := tmpdir(
+				t,
+				fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+				fstest.CreateFile("Dockerfile", dockerfile, 0600),
+				fstest.CreateFile("foo", []byte("foo"), 0600),
+				fstest.Symlink(destDir, "out"),
+			)
+
+			cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain"))
+			out, err := cmd.CombinedOutput()
+			if ent {
+				require.Error(t, err, string(out))
+				require.Contains(t, string(out), "ERROR: additional privileges requested")
+			} else {
+				require.NoError(t, err, string(out))
+				require.FileExists(t, filepath.Join(destDir, "foo"))
+			}
+		})
+	}
+}
+
+func testBakeDefinitionSymlinkOutsideGrantedNoParallel(t *testing.T, sb integration.Sandbox) {
+	for _, ent := range []bool{true, false} {
+		t.Run(fmt.Sprintf("ent=%v", ent), func(t *testing.T) {
+			t.Setenv("BUILDX_BAKE_ENTITLEMENTS_FS", strconv.FormatBool(ent))
+			dockerfile := []byte(`
+FROM scratch
+COPY foo /foo
+	`)
+			destDir := t.TempDir()
+			bakefile := []byte(`
+target "default" {
+	output = ["type=local,dest=out"]
+}
+`)
+			dir := tmpdir(
+				t,
+				fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+				fstest.CreateFile("Dockerfile", dockerfile, 0600),
+				fstest.CreateFile("foo", []byte("foo"), 0600),
+				fstest.Symlink(destDir, "out"),
+			)
+
+			cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--progress=plain", "--allow", "fs.write="+destDir))
+			out, err := cmd.CombinedOutput()
+			require.NoError(t, err, string(out))
+			require.FileExists(t, filepath.Join(destDir, "foo"))
+		})
+	}
+}
+
 func testBakeUlimits(t *testing.T, sb integration.Sandbox) {
 	dockerfile := []byte(`
 FROM busybox AS build

util/buildflags/cache.go

@@ -14,6 +14,9 @@ import (
 func ParseCacheEntry(in []string) ([]*controllerapi.CacheOptionsEntry, error) {
 	outs := make([]*controllerapi.CacheOptionsEntry, 0, len(in))
 	for _, in := range in {
+		if in == "" {
+			continue
+		}
 		fields, err := csvvalue.Fields(in, nil)
 		if err != nil {
 			return nil, err

util/buildflags/export.go

@@ -19,6 +19,9 @@ func ParseExports(inp []string) ([]*controllerapi.ExportEntry, error) {
 		return nil, nil
 	}
 	for _, s := range inp {
+		if s == "" {
+			continue
+		}
 		fields, err := csvvalue.Fields(s, nil)
 		if err != nil {
 			return nil, err

util/buildflags/secrets.go

@@ -11,6 +11,9 @@ import (
 func ParseSecretSpecs(sl []string) ([]*controllerapi.Secret, error) {
 	fs := make([]*controllerapi.Secret, 0, len(sl))
 	for _, v := range sl {
+		if v == "" {
+			continue
+		}
 		s, err := parseSecret(v)
 		if err != nil {
 			return nil, err

util/buildflags/ssh.go

@@ -14,6 +14,9 @@ func ParseSSHSpecs(sl []string) ([]*controllerapi.SSH, error) {
 	}
 
 	for _, s := range sl {
+		if s == "" {
+			continue
+		}
 		parts := strings.SplitN(s, "=", 2)
 		out := controllerapi.SSH{
 			ID: parts[0],