by michaelperel 1840 days ago
Shameless plug: I wrote a CLI plugin for Docker, docker-lock, to solve the mutable tag problem without having to manually specify hashes - https://github.com/safe-waters/docker-lock

It creates a Lockfile (think package-lock.json) that tracks the image digests (sha256 hashes) of your base images, so you will always know exactly which images you are using even if you only specify tags. This way, you can know if a base image has changed, yet still receive important security updates that you would not receive if you hardcode the digest. It supports any registry, so it is useful even if you are not using Docker Hub. It also works with Dockerfiles, docker-compose files, and Kubernetes manifests.

I hope anyone dealing with this issue finds it helpful :)
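The generate / verify / rewrite cycle the post describes, as an added example that is not docker-lock's own code and does not use its lockfile format. The Dockerfile text and the `REGISTRY` dictionary are constructed for the example (the digest values are made up); a real tool resolves `image:tag` to a manifest digest over the registry API instead of a dictionary lookup. `generate` records the digest each tag points at now, `verify` re-resolves the tags and reports any that have moved (or are missing from the lockfile), and `rewrite` pins each `FROM` to `name:tag@digest`, a form Docker accepts with the digest taking precedence. Stage references (`FROM builder`), `--platform` flags, `AS` aliases and refs that already carry a digest are left untouched.

```python
"""Tag-to-digest lockfile: generate, verify and rewrite (illustrative only)."""
import json
import re
from typing import Dict, List

# Constructed Dockerfile for the example: two registry images, one stage
# reference ("FROM builder") and a --platform flag that must be preserved.
DOCKERFILE = """\
FROM --platform=linux/amd64 python:3.12-slim AS builder
RUN pip install --no-cache-dir build
FROM builder AS test
RUN python -m build
FROM nginx
COPY --from=builder /app/dist /usr/share/nginx/html
"""

# Constructed stand-in for a registry: a real tool resolves "image:tag" to a
# manifest digest over the registry API. These digest values are made up.
REGISTRY: Dict[str, str] = {
    "python:3.12-slim": "sha256:" + "a1" * 32,
    "nginx:latest": "sha256:" + "b2" * 32,
}

# FROM [--flag ...] <ref> [AS <alias>]
FROM_RE = re.compile(r"^(\s*FROM\s+(?:--\S+\s+)*)(\S+)(.*)$", re.I | re.M)
ALIAS_RE = re.compile(r"\bAS\s+(\S+)", re.I)


def normalize(ref: str) -> str:
    """Drop any existing digest and make the tag explicit (default 'latest')."""
    name = ref.split("@", 1)[0]
    if ":" not in name.rsplit("/", 1)[-1]:
        name += ":latest"
    return name


def base_images(dockerfile: str) -> List[str]:
    """Normalized refs of every FROM that names a registry image (not a build
    stage, not already pinned by digest), in order, without duplicates."""
    stages, refs = set(), []
    for m in FROM_RE.finditer(dockerfile):
        ref, rest = m.group(2), m.group(3)
        if ref not in stages and "@" not in ref and normalize(ref) not in refs:
            refs.append(normalize(ref))
        alias = ALIAS_RE.search(rest)
        if alias:
            stages.add(alias.group(1))
    return refs


def generate(dockerfile: str, registry: Dict[str, str] = REGISTRY) -> Dict[str, str]:
    """Lockfile: each base image tag resolved to the digest it points at now."""
    return {ref: registry[ref] for ref in base_images(dockerfile)}


def verify(dockerfile: str, lockfile: Dict[str, str],
           registry: Dict[str, str] = REGISTRY) -> List[dict]:
    """Re-resolve every tag and report what no longer matches the lockfile.
    An empty list means the tags still point where they did when locked."""
    drift = []
    for ref in base_images(dockerfile):
        locked, current = lockfile.get(ref), registry.get(ref)
        if locked != current:
            drift.append({"image": ref, "locked": locked, "current": current})
    return drift


def rewrite(dockerfile: str, lockfile: Dict[str, str]) -> str:
    """Pin each FROM to 'name:tag@digest' from the lockfile. Stage references,
    flags, aliases and already-pinned refs are left as they are; an image
    missing from the lockfile raises KeyError (run verify first)."""
    stages = set()

    def pin(m: re.Match) -> str:
        ref, rest = m.group(2), m.group(3)
        if ref not in stages and "@" not in ref:
            ref = f"{normalize(ref)}@{lockfile[normalize(ref)]}"
        alias = ALIAS_RE.search(rest)
        if alias:
            stages.add(alias.group(1))
        return f"{m.group(1)}{ref}{rest}"

    return FROM_RE.sub(pin, dockerfile)


if __name__ == "__main__":
    lock = generate(DOCKERFILE)
    print(json.dumps(lock, indent=2))
    # Simulate the registry moving the nginx:latest tag to a new image.
    moved = {**REGISTRY, "nginx:latest": "sha256:" + "c3" * 32}
    for d in verify(DOCKERFILE, lock, moved):
        print(f"{d['image']}: locked {d['locked'][:19]}... now {d['current'][:19]}...")
    print(rewrite(DOCKERFILE, lock))
```

Run stand-alone it prints the lockfile, one drift line for `nginx:latest` after the simulated tag move, and the pinned Dockerfile. The useful property is the split between `verify` and `rewrite`: a CI job can run `verify` to learn that a tag moved (and decide whether that is an update you want) without the build itself being frozen to a digest that silently ages.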

2 comments

Nice! I was thinking about building something similar -- just filed an issue for how you might extend this to work for migrating registries.

Pleasantly surprised to come across this PR: https://github.com/safe-waters/docker-lock/pull/73

This is a perfect application of crane :)

Just took a look. Very cool! The generate/verify/rewrite phases are very familiar :). I guess we sort of moved rewrite/verify into a PullRequest/CheckRun. Would it make sense to run verify and rewrite as a pre-commit hook too?