You can increase security even further by not using the “golang:alpine” designator as the base image. Use the image digest instead!
It’s still the same image, but you specify it using the image’s digest hash, which cannot be forged. “Anyone” can replace the “golang:alpine” image with whatever they want, but they cannot forge the digest hash.
% docker pull golang:alpine && docker inspect golang:alpine | grep -A2 RepoDigests
alpine: Pulling from library/golang
Status: Image is up to date for golang:alpine
Use the digest in bold instead of “golang:alpine”. Now no one can inject code where they are not supposed to.
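One way to enforce this in review or CI is to flag every Dockerfile FROM line that still names its base image by tag. This is an added example, not part of the original text; the function name, the sample Dockerfile and the all-zero placeholder digest are assumptions made for illustration.

```python
import re

# A sha256 digest reference ends in "@sha256:" plus 64 lowercase hex characters.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_bases(dockerfile_text):
    """Return (line_number, image_ref) for each FROM that is not digest-pinned."""
    findings = []
    stages = set()  # names introduced by "FROM ... AS <name>"
    for lineno, raw in enumerate(dockerfile_text.splitlines(), 1):
        tokens = raw.strip().split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        # Drop flags such as --platform=linux/amd64.
        args = [t for t in tokens[1:] if not t.startswith("--")]
        if not args:
            continue
        image = args[0]
        has_alias = len(args) >= 3 and args[1].upper() == "AS"
        # "scratch" is the empty image and earlier stage names are local,
        # so neither is pulled from a registry.
        if image != "scratch" and image.lower() not in stages:
            # Variable references such as ${BASE} cannot be verified here,
            # so they are reported as unpinned too.
            if not DIGEST_RE.search(image):
                findings.append((lineno, image))
        if has_alias:
            stages.add(args[2].lower())
    return findings

# Placeholder only: not the digest of any real image.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed sample Dockerfile for the demonstration.
SAMPLE = f"""\
# constructed sample
FROM golang:alpine AS builder
RUN go build -o /app .
FROM --platform=linux/amd64 golang@{PLACEHOLDER_DIGEST} AS pinned
FROM builder AS test
FROM scratch
COPY --from=builder /app /app
"""

if __name__ == "__main__":
    for lineno, image in unpinned_bases(SAMPLE):
        print(f"line {lineno}: base image '{image}' is not pinned by digest")
```
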