Hash Pin docker images #62472
Conversation
Pinning is a pain when working on these containers. I'm fine with the change as long as you update this PR to alleviate the trouble for developers:
Hi, I can add the dependabot config file to automatically update the digests on the dockerfiles (which is in fact a security practice too), although dependabot has no feature yet to automatically add a hash when there is not one. The renovatebot, although being a third-party tool (not GitHub owned), has an option to pin digests automatically for the given ecosystem (docker images). It would need to be installed on the repo, but only with read permissions, because we can use the forking renovate. Would you be interested in the renovatebot instead (I can submit a config file for it), or would the dependabot only updating the hashes and versions periodically be enough to alleviate the trouble for developers?
An additional feature of renovatebot would be the manual update -- when you select an image and ask for an update without having to wait for the next run of the renovatebot job.
Hi @angerson Any update on this PR? Please. Thank you!
I've suggested the configuration file for dependabot to show how it would look to update both the actions and the dockerfiles. Dependabot will automatically update the hashes and comments, but it is not able to automatically add a sha when there is none.
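An added example, not code from this PR or its repository: a small Python checker for the gap described above (no tool in the thread adds a digest to a FROM line that has none). It reports base images that are not digest-pinned, skipping stage aliases and scratch, and rewrites a FROM line once a digest has been obtained separately (for example with `docker manifest inspect`); the sample Dockerfile and the digest are constructed placeholders.

```python
import re

# Matches: FROM [--platform=...] <image>[:tag][@sha256:digest] [AS <stage>] [# comment]
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)"
    r"(?:\s+AS\s+(?P<stage>\S+))?(?:\s+#.*)?\s*$",
    re.IGNORECASE,
)
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_images(dockerfile_text):
    """Return (line_number, image_ref) for each FROM line not pinned by digest.

    Stage aliases (FROM builder) and scratch are skipped. An image taken from an
    ARG ($BASE) is reported too, since it cannot be verified from the file alone.
    """
    stages = set()
    findings = []
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if stage:
            stages.add(stage.lower())
        if ref == "scratch" or ref.lower() in stages:
            continue
        if not _DIGEST_RE.search(ref):
            findings.append((lineno, ref))
    return findings


def pin_from_line(line, digest):
    """Append @sha256:<digest> to the image ref of a FROM line reported by
    unpinned_images; already pinned lines and non-FROM lines come back unchanged."""
    m = _FROM_RE.match(line)
    if not m or _DIGEST_RE.search(m.group("ref")):
        return line
    start, end = m.span("ref")
    return line[:start] + m.group("ref") + "@sha256:" + digest + line[end:]


# Constructed sample input; the digest is a placeholder, not a real image digest.
FAKE_DIGEST = "0" * 64
SAMPLE_DOCKERFILE = (
    "ARG BASE=ubuntu:22.04\n"
    f"FROM --platform=linux/amd64 python:3.11-slim@sha256:{FAKE_DIGEST} AS builder\n"
    "FROM $BASE AS runtime\n"
    "FROM builder   # stage alias, not an image\n"
    "FROM scratch\n"
    "FROM nvidia/cuda:12.2.0-devel-ubuntu22.04\n"
)

if __name__ == "__main__":
    for lineno, ref in unpinned_images(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {ref} is not digest-pinned")
```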
This LGTM, but I'll leave approval to Austin.
Hi @angerson Can you please review this PR? Thank you!
Hi @joycebrum Can you please resolve conflicts? Thank you!
Done!
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
…n_1715346713 [StepSecurity] Apply security best practices
Hi @MichaelHudgins Can you please review this PR? Thank you!
Also related to #62471, would you consider hash pinning the docker images?
The security benefit of doing so is that it mitigates the risk of typosquatting attacks since the images are public. If there is a need for them to be updated regularly, I can also submit a .github/dependabot file to update the docker images regularly (weekly or monthly, for example).
Besides, AFAIUC, the dockerfiles are used for build and tests, which leads to another benefit of hash pinning: reliability and stability.
Let me know your thoughts about it.
Thanks!