A container image digest uniquely and immutably identifies a container image. A tag, on the other hand, is a mutable reference to a container
This tag can be updated to point to another version of the container at any point in time.
In general, the use of image digests instead of tags is intended to keep determinism stable within a system or infrastructure for reliability reasons.
The problem is that pulling such an image prevents the resulting container from being updated or patched in order to remove vulnerabilities or
Ask Yourself Whether
- You expect to receive security updates of the base image.
There is a risk if you answer yes to this question.
Recommended Secure Coding Practices
Containers should get the latest security updates. If there is a need for determinism, the solution is to find tags that are not as prone to change than latest or shared tags.
To do so, favor a more precise tag that uses semantic versioning and target a major version, for example.
Sensitive Code Example

```dockerfile
# The digest below is a placeholder standing in for a real sha256 value;
# any digest pin behaves the same way: the image can never receive updates.
FROM mongo@sha256:<digest-placeholder>
RUN echo ls
```
Compliant Solution

Here, mongo:6.0 is better than using a digest, and better than using a more precise version, such as 6.0.4, because it would prevent 6.0.5 security

```dockerfile
# A major.minor tag follows patch releases (6.0.4 -> 6.0.5) while staying
# far more stable than a shared tag such as latest.
FROM mongo:6.0
RUN echo ls
```
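To show how this rule can be checked mechanically, here is a small Dockerfile scanner written as an added example (it is not part of the rule page or of any analyzer). It parses each FROM instruction, splits the image reference into name, tag and digest, and classifies it the way the text above does: a digest pin is the sensitive case, a full patch version is too precise to pick up the next patch release, and an untagged or latest reference is a shared tag that is prone to change. The sample Dockerfile, the digest made of zeros and the registry hostname are all constructed for the example.

```python
import re

# FROM [--platform=...] <reference> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
PATCH_TAG = re.compile(r"^v?\d+\.\d+\.\d+")        # e.g. 6.0.4 or 6.0.4-jammy
MAJOR_MINOR_TAG = re.compile(r"^v?\d+(?:\.\d+)?$")  # e.g. 6 or 6.0

MESSAGES = {
    "digest": "digest pin: the image is immutable and will not receive security updates",
    "patch": "patch-level tag: the image will not follow the next patch release",
    "floating": "shared or missing tag: the reference is prone to change without notice",
}


def parse_reference(ref):
    """Split [registry/]name[:tag][@digest] into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    # A colon after the last slash is the tag separator; a colon before it
    # belongs to a registry port such as registry.example:5000.
    if ref.rfind(":") > ref.rfind("/"):
        name, tag = ref.rsplit(":", 1)
    return name, tag, digest


def classify(ref):
    """Return the reference kind the rule text distinguishes between."""
    _, tag, digest = parse_reference(ref)
    if digest is not None:
        return "digest"
    if tag is None or tag == "latest":
        return "floating"
    if PATCH_TAG.match(tag):
        return "patch"
    if MAJOR_MINOR_TAG.match(tag):
        return "major-minor"   # the recommended form, e.g. mongo:6.0
    return "other"


def check_dockerfile(text):
    """Return (line number, reference, kind, message) for every FROM worth a finding."""
    findings = []
    stages = set()  # names introduced by "AS <stage>"; later FROMs may refer to them
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("stage"):
            stages.add(m.group("stage"))
        if ref.lower() == "scratch" or ref in stages:
            continue  # no base image is pulled for these
        kind = classify(ref)
        if kind in MESSAGES:
            findings.append((lineno, ref, kind, MESSAGES[kind]))
    return findings


# Constructed sample: the digest is all zeros and the registry host is invented.
SAMPLE_DOCKERFILE = """\
FROM mongo@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS base
RUN echo ls
FROM mongo:6.0.4 AS pinned
FROM mongo:latest
FROM mongo:6.0
FROM base
FROM scratch
FROM --platform=linux/amd64 registry.example:5000/team/app:1.2
"""

if __name__ == "__main__":
    for lineno, ref, kind, msg in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {ref}: {msg}")
```

Running the block reports lines 1, 3 and 4 of the sample; the mongo:6.0 reference and the major.minor tag on the private registry image pass, as do the stage reference and scratch, which pull nothing.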