Pin docker image versions to SHA digests in Dockerfile #291
Conversation
| WORKDIR /opt/app | ||
| COPY Gemfile Gemfile.lock ./ | ||
| COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin | ||
| RUN rsync -a /usr/local/nodebin /usr/local/bin | ||
| RUN bundle install | ||
|
|
||
| FROM ruby:3.2-slim | ||
| FROM ruby@sha256:04da59d84a16b6db4a6663a6940a5142d79a50d8727acd00f10c3701cdeb46b0 |
There was a problem hiding this comment.
docker pull ruby:3.2-slim
3.2-slim: Pulling from library/ruby
Digest: sha256:c09c3ea897b403f8fdd43957c3d3777aa2c0b991f4f4194b26cbfd9eb62fca33
Status: Image is up to date for ruby:3.2-slim
docker.io/library/ruby:3.2-slim
There was a problem hiding this comment.
I've checked all 3.2-slims (3.2.3-slim, 3.2.2-slim, 3.2.1-slim, 3.2.0-slim) - none of them are the sha in the pull request. - what is this shadigest from?
There was a problem hiding this comment.
@tabroughton I used this command docker inspect --format='{{index .RepoDigests 0}}' ruby:3.2-slim. This is the output I have for ruby:3.2-slim. ruby@sha256:04da59d84a16b6db4a6663a6940a5142d79a50d8727acd00f10c3701cdeb46b0.
This is the stackoverflow link to the command.
There was a problem hiding this comment.
Tom, I think the sha Hauwa has used is from a ruby:3.2-slim image that was built on 7 Feb 2024 and updated on 13 Feb 2024. This can happen when eg. a package in the underlying OS is updated. You can see from the records in repo-info that the sha was current for the package on 7 Feb
| WORKDIR /opt/app | ||
| COPY package-lock.json ./ | ||
| COPY package.json ./ | ||
| RUN npm install | ||
|
|
||
| FROM ruby:3.2 as rubybuilder | ||
| FROM ruby@sha256:ddc5729409d1d3222e74a5edb62d142ebd5fa47e9a98fc2905d66056eec6ae3b as rubybuilder |
There was a problem hiding this comment.
this sha is also not correct... how have you been getting the shadigests?
|
closing as we won't use this now as agreed wtih @HauwaHakimi |
https://gds-cyber-and-engineering.atlassian.net/jira/software/c/projects/ENG/boards/5?selectedIssue=ENG-125