chore(docker): pin base images by digest (DEP-02)#455
Merged
intendednull merged 1 commit intoApr 28, 2026
Merged
Conversation
Replace mutable tags (`rust:latest`, `rust:slim`, `nginxinc/nginx-unprivileged:alpine`) with digest-pinned references so container builds are reproducible and resistant to upstream tag re-push or registry takeover. Pinned (verified via `docker buildx imagetools inspect` 2026-04-28): - rust:1.95-slim-bookworm @sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36 - nginxinc/nginx-unprivileged:1.27-alpine @sha256:65e3e85dbaed8ba248841d9d58a899b6197106c23cb0ff1a132b7bfe0547e4c0 Both builder and runtime stages now use the same pinned rust slim image across relay/replay/storage/web; web runtime uses the pinned nginx unprivileged variant. Each `FROM` carries an inline comment recording the version, pin date, and bump command for traceability. Considered alternative: pinning runtime stages to `debian:bookworm-slim` (closer to true minimal base). Rejected for this PR — out of scope per issue #313, which asks only to pin the existing `FROM` lines without restructuring the multi-stage layout. Switching runtime base belongs to a separate change. SBOM stage explicitly out of scope per the issue body. Refs #313
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Mutable tags bad.
rust:latest/rust:slim/nginxinc/nginx-unprivileged:alpinechange under foot. Build not reproducible. Tag takeover or malicious re-push = silent supply-chain swap. SEC DEP-02 medium.Pin to digest. Build same bytes every time. Re-push of tag cannot poison.
What
Four Dockerfiles. Each
FROMnowtag@sha256:<digest>. Comment above each line records version + pin date + bump command.docker/relay.Dockerfile:2rust:latestrust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36docker/relay.Dockerfile:8rust:slimdocker/replay.Dockerfile:2rust:latestdocker/replay.Dockerfile:8rust:slimdocker/storage.Dockerfile:2rust:latestdocker/storage.Dockerfile:8rust:slimdocker/web.Dockerfile:2rust:latestdocker/web.Dockerfile:10nginxinc/nginx-unprivileged:alpinenginxinc/nginx-unprivileged:1.27-alpine@sha256:65e3e85dbaed8ba248841d9d58a899b6197106c23cb0ff1a132b7bfe0547e4c0Rust 1.95 = current stable (matches
rust-toolchain.tomlchannel =stable, latest stable as of 2026-04). Same image used for builder + runtime as before — no layout change.Verify
Digests fetched live from Docker Hub:
Both pinned refs re-inspected by digest = resolve = real.
cargo fmt --checkclean.cargo check --workspaceclean (Dockerfile-only change, Rust untouched). Daemonless sandbox = no fulldocker build, but registry resolution proves digests valid.Bump in future
Take top-level
Digest:line. Replace@sha256:...and update comment date.Out of scope
debian:bookworm-slim— separate change, not asked.USERdirectives — already present.Refs #313
Generated by Claude Code