diff --git a/Makefile b/Makefile
index 00237e0fc7..22b700cd89 100644
--- a/Makefile
+++ b/Makefile
@@ -60,7 +60,7 @@ test-docker-py: build
 	$(DOCKER_RUN_DOCKER) hack/make.sh binary test-docker-py
 
 validate: build
-	$(DOCKER_RUN_DOCKER) hack/make.sh validate-dco validate-gofmt validate-test validate-toml validate-vet
+	$(DOCKER_RUN_DOCKER) hack/make.sh validate-dco validate-gofmt validate-pkg validate-test validate-toml validate-vet
 
 shell: build
 	$(DOCKER_RUN_DOCKER) bash
diff --git a/hack/make.sh b/hack/make.sh
index d719f3d830..2d6c7e5160 100755
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -46,6 +46,7 @@ echo
 DEFAULT_BUNDLES=(
 	validate-dco
 	validate-gofmt
+	validate-pkg
 	validate-test
 	validate-toml
 	validate-vet
diff --git a/hack/make/validate-pkg b/hack/make/validate-pkg
new file mode 100644
index 0000000000..d5843417e0
--- /dev/null
+++ b/hack/make/validate-pkg
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -e
+
+source "${MAKEDIR}/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- 'pkg/*.go' || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+	IFS=$'\n'
+	badImports=( $(go list -e -f '{{ join .Deps "\n" }}' "$f" | sort -u | grep -vE '^github.com/docker/docker/pkg/' | grep -E '^github.com/docker/docker' || true) )
+	unset IFS
+
+	for import in "${badImports[@]}"; do
+		badFiles+=( "$f imports $import" )
+	done
+done
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations! "./pkg/..." is safely isolated from internal code.'
+else
+	{
+		echo 'These files import internal code: (either directly or indirectly)'
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+	} >&2
+	false
+fi