Create the smallest and secured golang docker image based on scratch
C Hemidy

You can increase the security even more, by not using the “golang:alpine” designator as base image. Use the image digest instead!

It’s still the same image but you specify it using the image’s digest hash, which cannot be forged. “Anyone” can replace the “golang:alpine” image with whatever they want but they cannot forge the digest hash.

% docker pull golang:alpine && docker inspect golang:alpine | grep -A2 RepoDigests
alpine: Pulling from library/golang
Digest: sha256:11fa60e5e6208b40aa26723fb2dcbf8a3f9e8a79a41e75d3263d2c83c58357e0
Status: Image is up to date for golang:alpine
        "RepoDigests": [
            "golang@sha256:11fa60e5e6208b40aa26723fb2dcbf8a3f9e8a79a41e75d3263d2c83c58357e0"
        ],

Use the digest in bold instead of “golang:alpine”. Now no one can inject code where they are not supposed to.
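Applying the response's advice to the two-stage, scratch-based build named in the article's title, as an added example that is not code from the article or the response: a POSIX shell script that checks a digest is well formed and rewrites a Dockerfile's mutable "FROM golang:alpine" line to the immutable digest form. The digest is the one quoted above; the function names and the sample Dockerfile are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pin a Dockerfile's builder stage to a content digest.
# Digest value taken from the docker inspect output in the response above;
# function names and the sample Dockerfile are constructed for this example.

GOLANG_ALPINE_DIGEST="sha256:11fa60e5e6208b40aa26723fb2dcbf8a3f9e8a79a41e75d3263d2c83c58357e0"

# A content digest is exactly "sha256:" plus 64 lowercase hex characters;
# a truncated or hand-edited value is rejected before it reaches a build.
is_valid_digest() {
    printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Print the Dockerfile with each "FROM image:tag" line for the given image:tag
# rewritten to "FROM image@digest"; any "AS <stage>" suffix is kept intact.
# Assumes a plain image name (no regex metacharacters such as '.' in a host).
pin_from_lines() {
    dockerfile="$1"; image_tag="$2"; digest="$3"
    is_valid_digest "$digest" || { echo "rejecting malformed digest: $digest" >&2; return 1; }
    image="${image_tag%:*}"   # drop the tag after the last ':' (keeps registry:port)
    sed -E "s#^([[:space:]]*FROM[[:space:]]+)${image_tag}([[:space:]]|\$)#\1${image}@${digest}\2#" "$dockerfile"
}

# Count FROM lines that still use a mutable tag. "scratch" is the empty base
# image and has no digest, so it is not counted as unpinned.
unpinned_from_count() {
    grep -E '^[[:space:]]*FROM[[:space:]]' "$1" \
        | grep -Evc '@sha256:[0-9a-f]{64}|[[:space:]]scratch([[:space:]]|$)' || true
}

# Constructed sample: the kind of two-stage build the article's title describes.
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
FROM golang:alpine AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /app .

FROM scratch
COPY --from=builder /app /app
ENTRYPOINT ["/app"]
EOF
}

if [ "${1:-}" = "demo" ]; then   # stand-alone run: ./pin.sh demo
    f=$(mktemp); write_sample_dockerfile "$f"
    echo "unpinned FROM lines before: $(unpinned_from_count "$f")"
    pin_from_lines "$f" golang:alpine "$GOLANG_ALPINE_DIGEST" > "$f.pinned"
    echo "unpinned FROM lines after:  $(unpinned_from_count "$f.pinned")"
    rm -f "$f" "$f.pinned"
fi
```

The pinned file still needs the builder stage re-pinned deliberately when you want a newer base image, which is the point: updates become an explicit, reviewable change rather than a silent tag move.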