
Pin base image version in `Containerfile`

Open alilleybrinker opened this issue 1 year ago • 0 comments

Right now our Containerfile does not pin the base version of the image, which means there's some degree to which we're susceptible to substitution of a wrong or even malicious base image from Docker Hub.

The Docker Hub Best Practices Guide explains more:

> Image tags are mutable, meaning a publisher can update a tag to point to a new image. This is useful because it lets publishers update tags to point to newer versions of an image. And as an image consumer, it means you automatically get the new version when you re-build your image.
>
> For example, if you specify `FROM alpine:3.19` in your Dockerfile, `3.19` resolves to the latest patch version for 3.19.
>
> ```dockerfile
> # syntax=docker/dockerfile:1
> FROM alpine:3.19
> ```
>
> At one point in time, the `3.19` tag might point to version 3.19.1 of the image. If you rebuild the image 3 months later, the same tag might point to a different version, such as 3.19.4. This publishing workflow is best practice, and most publishers use this tagging strategy, but it isn't enforced.
>
> The downside with this is that you're not guaranteed to get the same for every build. This could result in breaking changes, and it means you also don't have an audit trail of the exact image versions that you're using.
>
> To fully secure your supply chain integrity, you can pin the image version to a specific digest. By pinning your images to a digest, you're guaranteed to always use the same image version, even if a publisher replaces the tag with a new image. For example, the following Dockerfile pins the Alpine image to the same tag as earlier, `3.19`, but this time with a digest reference as well.
>
> ```dockerfile
> # syntax=docker/dockerfile:1
> FROM alpine:3.19@sha256:13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd
> ```
>
> With this Dockerfile, even if the publisher updates the `3.19` tag, your builds would still use the pinned image version: `13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd`.

When we set this up, we should also set up a CI job to check if we're using the latest version for our base image, as we don't want to ship out-of-date images that are susceptible to known vulnerabilities.

alilleybrinker · Sep 19 '24 21:09
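The two checks the issue asks for, pinning and staleness, as an added Python example that is not hipcheck's own code: it parses the `FROM` lines of a Containerfile, flags any base image referenced without a digest, and compares pinned digests against a constructed table standing in for what a CI job would fetch from the registry for each tag.

```python
import re
# FROM [--platform=...] <ref> [AS <stage>]; a ref is image[:tag][@digest]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$", re.I)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # the only digest form the quoted guide relies on

def split_ref(ref):
    """Split image[:tag][@digest]; ':' starts a tag only when no '/' follows it (registry ports)."""
    digest = tag = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    i = ref.rfind(":")
    if i != -1 and "/" not in ref[i:]:
        ref, tag = ref[:i], ref[i + 1:]
    return ref, tag, digest

def parse_base_images(containerfile):
    """Return (line_no, image, tag, digest) per external base image; earlier-stage references are skipped."""
    stages, found = set(), []
    for n, line in enumerate(containerfile.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        if m.group("ref").lower() not in stages:  # "FROM builder AS final" is not a base image
            found.append((n, *split_ref(m.group("ref"))))
    return found

def audit(containerfile, published):
    """Classify every base image. `published` maps "image:tag" to the digest the registry
    currently serves for that tag (constructed here; a CI job would look it up)."""
    out = []
    for n, image, tag, digest in parse_base_images(containerfile):
        if digest is None:
            out.append((n, "unpinned"))   # tag alone: the publisher can repoint it silently
        elif not DIGEST_RE.match(digest):
            out.append((n, "malformed"))  # not a full sha256 digest
        elif (cur := published.get(f"{image}:{tag}")) is None:
            out.append((n, "unknown"))    # nothing to compare against; do not assume fresh
        else:
            out.append((n, "stale" if cur != digest else "current"))
    return out
SAMPLE = """\
# constructed sample Containerfile, not the project's own
FROM rust:1.80 AS builder
FROM alpine:3.19@sha256:13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd AS runtime
FROM builder AS tests
"""
PUBLISHED = {"alpine:3.19": "sha256:" + "ab" * 32}  # constructed: pretend the 3.19 tag has moved
```

A CI job would fail the build on any `unpinned` or `malformed` result and open a notification on `stale`, so an out-of-date pin is noticed rather than shipped.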