https://docs.docker.com/build/policies - #Docker build policies written in #Rego validate #container build conditions and fail if not met. Just put a Dockerfile.rego next to the Dockerfile (or {filename}.rego to match Dockerfile location) and it'll pick it up. No build flags necessary.