@JamieMagee JamieMagee commented Feb 2, 2026

What are you trying to accomplish?

Docker tags are mutable. If someone compromises a registry, they can swap out the image contents without changing the tag. Digests prevent this because they're content-addressed.

Right now, Dependabot only updates digests if you already have one:

# Before
FROM ubuntu:22.04@sha256:abc123...
# After
FROM ubuntu:24.04@sha256:def456...

But if you start with just a tag, you get just a tag back:

# Before
FROM ubuntu:22.04
# After
FROM ubuntu:24.04

This PR adds an experiment flag (docker_pin_digests) that makes Dependabot add digests to tag-only images. When enabled:

# Before
FROM ubuntu:22.04
# After
FROM ubuntu:24.04@sha256:def456...

Fixes #14065

Anything you want to highlight for special attention from reviewers?

The code already knows how to fetch digests. UpdateChecker#digest_of(tag) does exactly this. The change is small:

  1. updated_requirements now calls digest_of(updated_tag) when pin_digests? returns true (not just when there's an existing digest)
  2. SharedFileUpdater#update_digest_and_tag appends @sha256:... when the old image had no digest but the new one does

I put it behind an experiment flag because it changes behavior for everyone using Docker.

How will you know you've accomplished your goal?

Added tests for:

  • UpdateChecker#updated_requirements returns a digest for tag-only images when the flag is on
  • UpdateChecker#updated_requirements returns no digest when the flag is off (existing behavior)
  • FileUpdater correctly appends @sha256:... to Dockerfiles
  • FileUpdater correctly appends @sha256:... to YAML files (Kubernetes, Helm)

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
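A worked version of the two decision points in the description above (fetch a digest when the flag is on, and append `@sha256:...` when the old reference had none), as an added example that is not Dependabot's own code: it assumes a constructed in-memory table in place of UpdateChecker#digest_of, and simplified regexes for image references and for Dockerfile FROM / YAML image: lines.

```ruby
# Added example, not Dependabot's own code. Pins a digest onto an updated
# image reference the way the PR describes, for Dockerfile FROM lines and
# YAML `image:` values. The registry lookup is a constructed table.

IMAGE_REF = /\A(?<name>(?:[^\s@\/]+\/)*[^\s@:\/]+)(?::(?<tag>[^@\s]+))?(?:@(?<digest>[a-z0-9]+:[0-9a-f]+))?\z/
REF_LINE  = /^(?<prefix>FROM\s+(?:--platform=\S+\s+)?|\s*-?\s*image:\s*["']?)(?<ref>[^\s"']+)(?<rest>.*)$/

# Constructed stand-in for a registry: tag -> manifest digest (hypothetical values).
FAKE_REGISTRY = {
  "22.04" => "sha256:#{'a' * 64}",
  "24.04" => "sha256:#{'b' * 64}",
}.freeze

# Stand-in for UpdateChecker#digest_of(tag); raises KeyError for unknown tags.
def digest_of(tag)
  FAKE_REGISTRY.fetch(tag)
end

def parse_ref(ref)
  m = IMAGE_REF.match(ref)
  raise ArgumentError, "unparseable image reference: #{ref}" unless m
  { name: m[:name], tag: m[:tag], digest: m[:digest] }
end

# The decision the PR adds: fetch a digest when the old reference already
# had one, or when the pin_digests experiment is on. Otherwise tag only.
def updated_reference(old_ref, new_tag, pin_digests: false)
  old = parse_ref(old_ref)
  new_ref = "#{old[:name]}:#{new_tag}"
  return new_ref unless old[:digest] || pin_digests
  "#{new_ref}@#{digest_of(new_tag)}"
end

# Rewrites every FROM / image: line whose image name matches image_name,
# leaving other images untouched (one dependency is updated at a time).
def update_file(content, image_name, new_tag, pin_digests: false)
  content.gsub(REF_LINE) do
    m = Regexp.last_match
    next m[0] unless parse_ref(m[:ref])[:name] == image_name
    "#{m[:prefix]}#{updated_reference(m[:ref], new_tag, pin_digests: pin_digests)}#{m[:rest]}"
  end
end
```

With the flag off, a tag-only reference stays tag-only, which is the existing behaviour the PR's tests pin down; with it on, the same input gains the digest.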

@JamieMagee JamieMagee requested a review from a team as a code owner February 2, 2026 05:12
@github-actions github-actions bot added the L: docker Docker containers label Feb 2, 2026
When the docker_pin_digests experiment is enabled, Dependabot will add
sha256 digests to Docker images that only have tags. This prevents tag
mutation attacks where an attacker replaces the image contents without
changing the tag.

Before: FROM ubuntu:22.04 -> FROM ubuntu:24.04
After:  FROM ubuntu:22.04 -> FROM ubuntu:24.04@sha256:abc123...

The existing digest_of() method already fetches digests from registries.
This change uses it for tag-only images when the flag is on.

Fixes #14065
@JamieMagee JamieMagee force-pushed the jamiemagee/docker-digest-pinning branch from 43c8c73 to 30047b9 February 2, 2026 05:19
Development

Successfully merging this pull request may close these issues.

Add digest pinning when updating Docker image tags