by ImJasonH 1840 days ago
Incidentally, I've proposed official image annotations[0] that would let an image tell you what its base image is, both by immutable digest and by mutable tag, so you could detect this drift automatically.

Automated tooling could look at these annotations and notify maintainers, or proactively rebuild/rebase when base images change[1].

By having this information on the images themselves, you don't have to deal with as much source repo churn, though you might want that too.

If your app layers have a strong enough contract with your base layers (buildpacks is really good for this!), then you can rebase[2] instead of rebuilding from source.

[0] OCI spec proposal: https://github.com/opencontainers/image-spec/pull/822

[1] Proof of concept in the `crane` tool: https://github.com/google/go-containerregistry/pull/960

[2] https://github.com/google/go-containerregistry/blob/main/cmd...

1 comment

Thanks! And ya, we found the spec! We are in the middle of adding a feature to help devsecops teams notice when org.opencontainers.image.revision and org.opencontainers.image.source labels are missing (those were the first two which we considered mandatory to ensure that downstream admission controllers can validate checks that are indexed by sha). I had not realized that you were proposing further annotations for base images here. That sounds really promising. I think having a standard set of information available in the images is critical.
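The two checks discussed in this thread (flagging images that lack the mandatory source/revision labels, and detecting base-image drift from the base annotations) can be combined into one small admission-style check. The following Go program is an added example, not code from either commenter, from `crane`, or from go-containerregistry. It assumes the base annotation keys `org.opencontainers.image.base.name` and `org.opencontainers.image.base.digest` (the names the linked OCI proposal uses; confirm against the spec version you target), reads a constructed image config blob and a constructed annotations map instead of pulling from a registry, and replaces the registry tag lookup with an in-memory table so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Base-image annotation keys as used by the linked OCI proposal (assumed here).
const (
	BaseNameKey   = "org.opencontainers.image.base.name"
	BaseDigestKey = "org.opencontainers.image.base.digest"
)

// RequiredLabels are the two labels the second comment treats as mandatory.
var RequiredLabels = []string{
	"org.opencontainers.image.revision",
	"org.opencontainers.image.source",
}

// ImageConfig is the slice of an OCI image config blob this check reads.
type ImageConfig struct {
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"config"`
}

// sampleConfigJSON is a constructed config blob: it carries the source label
// but omits the revision label, so the check should flag exactly one gap.
const sampleConfigJSON = `{
  "architecture": "amd64",
  "os": "linux",
  "config": {
    "Labels": {
      "org.opencontainers.image.source": "https://example.invalid/org/app"
    }
  }
}`

// sampleAnnotations stands in for the app image's manifest annotations
// (constructed values; the digest is a placeholder, not a real image).
var sampleAnnotations = map[string]string{
	BaseNameKey:   "registry.example.invalid/base/runtime:latest",
	BaseDigestKey: "sha256:" + strings.Repeat("a", 64),
}

// lookupTag stands in for a registry HEAD on the base tag; a real tool would
// ask the registry. Here the tag has moved on to a different placeholder digest.
func lookupTag(ref string) (string, bool) {
	table := map[string]string{
		"registry.example.invalid/base/runtime:latest": "sha256:" + strings.Repeat("b", 64),
	}
	d, ok := table[ref]
	return d, ok
}

// ParseConfig decodes the config blob; a non-JSON blob is an error, not a pass.
func ParseConfig(raw string) (ImageConfig, error) {
	var cfg ImageConfig
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return cfg, fmt.Errorf("config blob is not valid JSON: %w", err)
	}
	return cfg, nil
}

// MissingLabels returns the required labels that are absent or blank,
// in the order of RequiredLabels so alert output is stable.
func MissingLabels(cfg ImageConfig) []string {
	var missing []string
	for _, k := range RequiredLabels {
		if strings.TrimSpace(cfg.Config.Labels[k]) == "" {
			missing = append(missing, k)
		}
	}
	return missing
}

// validDigest accepts only the sha256:<64 lowercase hex> form so a malformed
// annotation is reported instead of being silently compared.
func validDigest(d string) bool {
	const prefix = "sha256:"
	if !strings.HasPrefix(d, prefix) || len(d) != len(prefix)+64 {
		return false
	}
	return strings.Trim(d[len(prefix):], "0123456789abcdef") == ""
}

// BaseDrift compares the base digest pinned in the annotations with what the
// base tag resolves to now. drifted is true when they differ; an error means
// the annotations are missing or malformed and the image cannot be checked.
func BaseDrift(ann map[string]string, resolve func(string) (string, bool)) (drifted bool, pinned, current string, err error) {
	pinned, name := ann[BaseDigestKey], ann[BaseNameKey]
	if name == "" || pinned == "" {
		return false, "", "", fmt.Errorf("image lacks %s/%s annotations", BaseNameKey, BaseDigestKey)
	}
	if !validDigest(pinned) {
		return false, pinned, "", fmt.Errorf("malformed base digest %q", pinned)
	}
	current, ok := resolve(name)
	if !ok {
		return false, pinned, "", fmt.Errorf("base tag %q not found", name)
	}
	return current != pinned, pinned, current, nil
}

func main() {
	cfg, err := ParseConfig(sampleConfigJSON)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("missing labels:", MissingLabels(cfg))
	drifted, pinned, current, err := BaseDrift(sampleAnnotations, lookupTag)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("base drifted: %v (pinned %s..., tag now %s...)\n", drifted, pinned[:15], current[:15])
}
```

In a real pipeline `lookupTag` would be a registry HEAD request on the tag and the config/annotations would come from the pulled manifest; the two decisions a policy engine needs (reject on missing labels, notify or rebase on drift) are the return values of `MissingLabels` and `BaseDrift`, and an image whose base annotations are absent is treated as uncheckable rather than as passing.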