
Pin base image version in Containerfile #429

Open
alilleybrinker opened this issue Sep 19, 2024 · 0 comments
Labels: product: release-flow, type: enhancement

Comments

@alilleybrinker (Collaborator)

Right now our Containerfile does not pin the base version of the image, which means there's some degree to which we're susceptible to substitution of a wrong or even malicious base image from Docker Hub.

The Docker Hub Best Practices Guide explains more:

Image tags are mutable, meaning a publisher can update a tag to point to a new image. This is
useful because it lets publishers update tags to point to newer versions of an image. And as an
image consumer, it means you automatically get the new version when you re-build your image.

For example, if you specify FROM alpine:3.19 in your Dockerfile, 3.19 resolves to the latest patch
version for 3.19.

```dockerfile
# syntax=docker/dockerfile:1
FROM alpine:3.19
```

At one point in time, the 3.19 tag might point to version 3.19.1 of the image. If you rebuild the
image 3 months later, the same tag might point to a different version, such as 3.19.4. This
publishing workflow is best practice, and most publishers use this tagging strategy, but it isn't
enforced.

The downside with this is that you're not guaranteed to get the same for every build. This could
result in breaking changes, and it means you also don't have an audit trail of the exact image
versions that you're using.

To fully secure your supply chain integrity, you can pin the image version to a specific digest.
By pinning your images to a digest, you're guaranteed to always use the same image version, even
if a publisher replaces the tag with a new image. For example, the following Dockerfile pins the
Alpine image to the same tag as earlier, 3.19, but this time with a digest reference as well.

```dockerfile
# syntax=docker/dockerfile:1
FROM alpine:3.19@sha256:13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd
```

With this Dockerfile, even if the publisher updates the 3.19 tag, your builds would still use the
pinned image version: 13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd.

When we set this up, we should also set up a CI job to check if we're using the latest version for our base image, as we don't want to ship out-of-date images that are susceptible to known vulnerabilities.
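Both halves of this proposal (pin every base image to a digest, and have CI tell us when the pinned digest no longer matches what the tag resolves to) can be expressed as a small POSIX shell check. The script below is an added example written for this issue, not code from the project or from Docker; it reads a Containerfile, rejects any `FROM` that is not digest-pinned, and compares each pin against a resolver command. The demo Containerfile, the `fake_resolver` function and its all-zero digest are constructed stand-ins so the script runs offline; in a real CI job the resolver would be `crane digest` (from go-containerregistry) or a wrapper around `skopeo inspect`, both of which are assumptions about the tooling the project would pick.

```shell
#!/bin/sh
# Added example, not the project's own code: CI-style checks for a Containerfile.
#   1. every FROM (except scratch) must carry a digest, and
#   2. each pinned digest must still match what the tag resolves to now;
#      a mismatch means the base image moved on and the pin needs review.
set -eu

# Print the image reference of every FROM line, skipping flags such as
# --platform=... and ignoring the trailing "AS stage" alias.
from_refs() {
  awk 'toupper($1) == "FROM" {
         for (i = 2; i <= NF; i++) {
           if ($i !~ /^--/) { print $i; break }
         }
       }' "$1"
}

# Digest part of "name:tag@sha256:..."; empty when the reference is unpinned.
ref_digest() {
  case "$1" in
    *@sha256:*) printf '%s\n' "${1#*@}" ;;
    *)          printf '\n' ;;
  esac
}

# Reference with the digest removed, i.e. the mutable tag to resolve.
ref_without_digest() {
  printf '%s\n' "${1%%@*}"
}

# Check 1: return 1 if any FROM other than scratch lacks a digest.
check_pinned() {
  status=0
  for ref in $(from_refs "$1"); do
    [ "$ref" = "scratch" ] && continue
    if [ -z "$(ref_digest "$ref")" ]; then
      echo "UNPINNED: $ref" >&2
      status=1
    fi
  done
  return $status
}

# Check 2: compare each pin with the digest the tag resolves to today.
# $2 is a resolver command that takes "name:tag" and prints "sha256:...";
# in CI this would be e.g. `crane digest` (assumed tooling). Returns 1 when
# any pin is stale, which is the signal to review and bump the base image.
check_current() {
  status=0
  for ref in $(from_refs "$1"); do
    pinned="$(ref_digest "$ref")"
    [ -z "$pinned" ] && continue
    current="$("$2" "$(ref_without_digest "$ref")")"
    if [ "$pinned" != "$current" ]; then
      echo "STALE: $ref now resolves to $current" >&2
      status=1
    fi
  done
  return $status
}

# --- Constructed demo input; not the project's real Containerfile ---
DEMO_CONTAINERFILE="$(mktemp)"
cat > "$DEMO_CONTAINERFILE" <<'EOF'
# syntax=docker/dockerfile:1
FROM --platform=linux/amd64 alpine:3.19@sha256:13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd AS build
FROM scratch
EOF

# Offline stand-in for a registry lookup, pretending the 3.19 tag has moved.
# The all-zero digest is a constructed placeholder, not a real image digest.
fake_resolver() {
  echo "sha256:0000000000000000000000000000000000000000000000000000000000000000"
}

check_pinned "$DEMO_CONTAINERFILE" && echo "all FROM lines are digest-pinned"
check_current "$DEMO_CONTAINERFILE" fake_resolver || echo "base image pin is stale; review and update it"
```

Wiring this into CI gives two distinct failure modes: `check_pinned` guards against someone removing a pin (the supply-chain concern in this issue), while `check_current` turns a stale pin into a visible job failure rather than a silently aging base image. Keeping the resolver as an injected command keeps the parsing logic testable without network access.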

@alilleybrinker alilleybrinker added type: enhancement New feature or request product: release-flow Relates to any of our release processes labels Sep 19, 2024
@alilleybrinker alilleybrinker self-assigned this Sep 19, 2024