73 lines
2.3 KiB
Plaintext
73 lines
2.3 KiB
Plaintext
A container image digest uniquely and immutably identifies a container image.
|
|
A tag, on the other hand, is a mutable reference to a container image.
|
|
|
|
This tag can be updated to point to another version of the container at any point in time. +
|
|
In general, the use of image digests instead of tags is intended to keep
|
|
determinism stable within a system or infrastructure for reliability reasons.
|
|
|
|
The problem is that pulling such an image prevents the resulting container from
|
|
being updated or patched in order to remove vulnerabilities or significant bugs.
|
|
|
|
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* You expect to receive security updates of the base image.
|
|
|
|
There is a risk if you answer yes to this question.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Containers should get the latest security updates. If there is a need for determinism,
|
|
the solution is to find tags that are not as prone to change as `latest` or
|
|
https://github.com/docker-library/faq#whats-the-difference-between-shared-and-simple-tags[shared tags].
|
|
|
|
To do so, favor a more precise tag that uses https://semver.org/[semantic versioning] and target a major version, for example.
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,docker]
|
|
----
|
|
FROM mongo@sha256:8eb8f46e22f5ccf1feb7f0831d02032b187781b178cb971cd1222556a6cee9d1
|
|
|
|
RUN echo ls
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
Here, mongo:6.0 is better than using a digest, and better than using a more precise version, such as 6.0.4,
|
|
because it would prevent 6.0.5 security updates:
|
|
|
|
[source,docker]
|
|
----
|
|
FROM mongo:6.0
|
|
|
|
RUN echo ls
|
|
----
|
|
|
|
== See
|
|
|
|
* https://github.com/safe-waters/docker-lock[Docker-Lock]
|
|
* https://cloud.google.com/kubernetes-engine/docs/archive/using-container-image-digests-in-kubernetes-manifests#recommendations[Skaffold, kpt, digester, kustomize, gke-deploy, ko, and Bazel]
|
|
* https://cloud.google.com/kubernetes-engine/docs/archive/using-container-images[GKE, Using Container Image Digests]
|
|
* https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/builds_and_image_streams.html#image-streams[OpenShift, Builds and Image Streams]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Setting a digest will prevent receiving updates of the base image. Make sure it is safe here.
|
|
|
|
=== Highlighting
|
|
|
|
* Presence of a digest: The digest
|
|
|
|
endif::env-github,rspecator-view[]
|
|
|