buildpacks · runesoerensen · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
@@ -115,11 +115,29 @@ func IsTrustedBuilder(cfg config.Config, builderName string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
+
+	// Collect all trusted builder names
+	var trustedBuilderNames []string
+
+	// Add known trusted builders
+	for _, knownBuilder := range KnownBuilders {
+		if knownBuilder.Trusted {
+			trustedBuilderNames = append(trustedBuilderNames, knownBuilder.Image)
+		}
+	}
+
+	// Add user-configured trusted builders
 	for _, trustedBuilder := range cfg.TrustedBuilders {
-		trustedBuilderReference, err := name.ParseReference(trustedBuilder.Name, name.WithDefaultTag(""))
+		trustedBuilderNames = append(trustedBuilderNames, trustedBuilder.Name)
+	}
+
+	// Check if builder matches any trusted builder
+	for _, trustedBuilderName := range trustedBuilderNames {
+		trustedBuilderReference, err := name.ParseReference(trustedBuilderName, name.WithDefaultTag(""))
 		if err != nil {
 			return false, err
 		}
+
 		if trustedBuilderReference.Identifier() != "" {
 			if builderReference.Name() == trustedBuilderReference.Name() {
 				return true, nil
@@ -130,5 +148,6 @@ func IsTrustedBuilder(cfg config.Config, builderName string) (bool, error) {
 			}
 		}
 	}
+
 	return false, nil
 }
@@ -30,6 +30,23 @@ func trustedBuilder(t *testing.T, when spec.G, it spec.S) {
 	})
 
 	when("IsTrustedBuilder", func() {
+		it("trusts known trusted builders", func() {
+			// Known builder with exact tag match
+			isTrusted, err := bldr.IsTrustedBuilder(config.Config{}, "heroku/builder:24")
+			h.AssertNil(t, err)
+			h.AssertTrue(t, isTrusted)
+
+			// Known builder without tag should match any tag
+			isTrusted, err = bldr.IsTrustedBuilder(config.Config{}, "paketobuildpacks/builder-jammy-base:latest")
+			h.AssertNil(t, err)
+			h.AssertTrue(t, isTrusted)
+
+			// Unknown builder should not be trusted
+			isTrusted, err = bldr.IsTrustedBuilder(config.Config{}, "my/private/builder")
+			h.AssertNil(t, err)
+			h.AssertFalse(t, isTrusted)
+		})
+
 		it("trust image without tag", func() {
 			cfg := config.Config{
 				TrustedBuilders: []config.TrustedBuilder{

@@ -121,7 +121,7 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 			if err != nil {
 				return err
 			}
-			trustBuilder := isTrusted || bldr.IsKnownTrustedBuilder(builder) || flags.TrustBuilder
+			trustBuilder := isTrusted || flags.TrustBuilder
 			if trustBuilder {
 				logger.Debugf("Builder %s is trusted", style.Symbol(builder))
 				if flags.LifecycleImage != "" {

@@ -215,6 +215,25 @@ func testBuilderInspectCommand(t *testing.T, when spec.G, it spec.S) {
 			})
 		})
 
+		when("image is a known trusted builder", func() {
+			it("passes builder info with trusted true to the writer's `Print` method", func() {
+				builderWriter := newDefaultBuilderWriter()
+
+				command := commands.BuilderInspect(
+					logger,
+					config.Config{},
+					newDefaultBuilderInspector(),
+					newWriterFactory(returnsForWriter(builderWriter)),
+				)
+				command.SetArgs([]string{"heroku/builder:24"})
+
+				err := command.Execute()
+				assert.Nil(err)
+
+				assert.Equal(builderWriter.ReceivedBuilderInfo.Trusted, true)
+			})
+		})
+
 		when("default builder is configured and is the same as specified by the command", func() {
 			it("passes builder info with isDefault true to the writer's `Print` method", func() {
 				cfg.DefaultBuilder = "the/default-builder"

@@ -55,7 +55,7 @@ func addTrustedBuilder(args []string, logger logging.Logger, cfg config.Config,
 	if err != nil {
 		return err
 	}
-	if isTrusted || bldr.IsKnownTrustedBuilder(imageName) {
+	if isTrusted {
 		logger.Infof("Builder %s is already trusted", style.Symbol(imageName))
 		return nil
 	}