Here’s another vulnerability. Not sure if this is something easy to program.
- Docker dependencies are not pinned to an exact digest on Docker file.
- Ensure the specified container image has a digest on docker-compose.yml
The issue described, “Docker dependencies are not pinned to an exact digest,” refers to the practice of not specifying the exact version (or digest) of the Docker images in your Dockerfile. This can introduce variability and potential security vulnerabilities in your Docker environment.
What is Pinning Docker Dependencies?
Pinning Docker dependencies means specifying not just the version of an image but using the specific digest of the image. A digest is a SHA256 hash of the image that uniquely identifies a version of an image, ensuring that every time the Docker image is pulled, you get the exact same configuration and contents, regardless of any updates or changes to the image tag.
Why is it important to pin dependencies?
- Consistency: Using an exact digest guarantees that your Docker containers will run the same version of the software every time, across different environments and deployments. This eliminates the “it works on my machine” problem.
- Security: It ensures that the container will not accidentally receive updates that could introduce breaking changes or security vulnerabilities. When dependencies are not pinned, you might pull a compromised version if the tag is updated on the registry.
- Traceability: By pinning the dependencies, you can easily trace back to the exact binary used in the Docker image, which helps in debugging and investigating issues.
How to Fix This?
To fix this issue, you should modify your Dockerfile to use images pinned by digest instead of tags. Here’s how you can do it:
1. Find the Digest: You can find the digest of an image by pulling it and then using `docker inspect`:

```bash
docker pull imageName:tag
docker inspect imageName:tag
```

This will output JSON data where you can find the digest in the RepoDigests section.
2. Use the Digest in Dockerfile: Instead of using:

```Dockerfile
FROM imageName:tag
```

Use:

```Dockerfile
FROM imageName@sha256:<digest>
```
By implementing these changes, you’ll greatly increase the reliability and security of your Docker containers.
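As an added example (not part of the answer above), here is a small checker that flags the two findings from the original report: `FROM` lines in a Dockerfile and `image:` keys in a docker-compose.yml that are not pinned to a sha256 digest. It skips `scratch` and references to earlier build stages, which are not registry pulls; the sample inputs and the all-zero digest are constructed placeholders.

```python
import re

# Pinned = the reference ends in a full sha256 digest (64 hex chars).
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Dockerfile: FROM [--platform=...] <ref> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
# docker-compose: an "image:" key, optionally quoted (line scan, not a full YAML parser)
IMAGE_RE = re.compile(r"""^\s*image:\s*['"]?([^'"\s#]+)""")


def is_pinned(ref: str) -> bool:
    """True when the image reference carries a full sha256 digest."""
    return bool(DIGEST_RE.search(ref))


def unpinned_dockerfile_images(dockerfile: str) -> list[str]:
    """FROM references that lack a digest; skips 'scratch' (no digest exists)
    and references to earlier build stages, which are not registry pulls."""
    stages, unpinned = set(), []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if ref.lower() == "scratch" or ref.lower() in stages:
            continue
        if not is_pinned(ref):
            unpinned.append(ref)
    return unpinned


def unpinned_compose_images(compose_yaml: str) -> list[str]:
    """'image:' values in a docker-compose file that lack a digest."""
    matches = (IMAGE_RE.match(line) for line in compose_yaml.splitlines())
    return [m.group(1) for m in matches if m and not is_pinned(m.group(1))]


# Constructed sample inputs; the all-zero digest is a placeholder, not a real image digest.
ZERO_DIGEST = "sha256:" + "0" * 64
SAMPLE_DOCKERFILE = f"""FROM golang:1.22 AS builder
FROM --platform=linux/amd64 alpine@{ZERO_DIGEST}
FROM builder
FROM scratch
FROM nginx:latest
"""
SAMPLE_COMPOSE = f"""services:
  web:
    image: "nginx:1.25"
  db:
    image: postgres@{ZERO_DIGEST}
"""
```

Running `unpinned_dockerfile_images(SAMPLE_DOCKERFILE)` reports `golang:1.22` and `nginx:latest`, and `unpinned_compose_images(SAMPLE_COMPOSE)` reports `nginx:1.25`; a `FROM ${BASE}` built from a build argument is flagged as well, since its digest cannot be verified from the file alone.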