Hash Pin docker images #62472
Hash Pin docker images #62472
Conversation
|
Pinning is a pain when working on these containers. I'm fine with the change as long as you update this PR to alleviate the trouble for developers:
|
|
Hi, I can add the dependabot config file to automatically update the digests on the dockerfiles (which is in fact a security practice too), although dependabot has no feature yet to automatically add hash when there is not one. The renovatebot, although being a third party tool (not GitHub owned), it has an option to pin digests automatically to the given ecosystem (docker images). It would need to be installed on the repo, but only with read permissions, because we can use the forking renovate. Would you be interested on the renovatebot instead (I can submit a config file for it) or the dependabot only updating the hashes and versions periodically would be enough to alleviate the trouble for developers? |
|
An additional feature of renovatebot would be the manual update -- when you select a image and ask for an update without having to wait for the next run of renovatebot job |
|
Hi @angerson Any update on this PR? Please. Thank you! |
1 similar comment
|
Hi @angerson Any update on this PR? Please. Thank you! |
|
I've suggested the configuration file for dependabot to show how it would like to update both the actions and the dockerfiles. Dependabot will automatically update the hashes and comments, but it is not able to automatically add a sha when there is none. |
|
Hi @angerson Can you please review this PR ? Thank you! |
|
Hi @joycebrum Can you please resolve conflicts? Thank you! |
gbaned
added
stat:awaiting response
|
Done! |
google-ml-butler
bot
removed
the
stat:awaiting response
google-ml-butler
bot
added
kokoro:force-run
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
…n_1715346713 [StepSecurity] Apply security best practices
|
Hi @MichaelHudgins Can you please review this PR ? Thank you! |
Also related to #62471, would you consider hash pin the docker images?
The security benefit of doing so is that it mitigates the risk of typosquatting attacks since the images are public. If there is a need for them to be updated regularly, I can also submit a .github/dependabot file to update the docker images regularly (weekly or monthly for example).
Besides, AFAIUC, the dockerfiles are used for build and tests, which lead to another benefit of hash pinning: reliability and stability.
Let me know your thoughts about i.
Thanks!