Lock upstream Docker images to specific revisions
tldr: lock images to sha digests instead e.g. ubuntu@sha256:{{SHA…}}
It’s pretty common to start off a Dockerfile by inheriting an official image e.g. ubuntu, debian, alpine, etc.
FROM ubuntu:latest
RUN apt-get update && apt-get install -y ruby
RUN ...The problem with referring to Docker images like ubuntu:latest is that these image tags can be overwritten which sometimes results in pulling unexpected and potentially insecure or breaking changes from upstream!
One common attempt to solve this problem is to refer to more specific tags like ubuntu:20.04 but unfortunately all Docker image tags can be changed and overwritten just like the latest tag.
This is pretty similar to how a Git branch can be force pushed and replaced with a completely different commit. Git allows us to solve this kind of problem by explicitly referring to a commit sha instead of the tip of a branch.
Luckily this problem can be solved the same way in a Dockerfile by locking images to a specific Docker image layer using its sha256 digest:
FROM ubuntu@sha256:3f119dc0737f57f704ebecac8a6d8477b0f6ca1ca0332c7ee1395ed2c6a82be7
RUN apt-get update && apt-get install -y ruby
RUN ...Now the upstream ubuntu dependency is locked to a specific image layer and will not change until we intentionally change the sha. These sha digests can be committed and pushed thru the same review process as everything else!
The sha256 digest for a Docker image can be found by running (with jq):
docker image inspect {{IMAGE_ID}} | jq -r ".[0].RepoDigests[0]"For example:
docker image inspect 735f80812f90 | jq -r ".[0].RepoDigests[0]"Referencing upstream Docker images by their sha256 digests may improve the reliability and consistency of containers across environments but remember to routinely update for important changes like security patches or bug fixes!
Our LendingHome team is still growing! Check out our careers page to learn more. We look forward to hearing from you!
