Problem
Currently, --ignore-images accepts a comma-separated list of patterns and uses substring matching (strings.Contains). This works well for simple cases like ignoring scratch, but becomes difficult to manage in production environments where:
- You want to ignore all images from a specific registry (e.g.,
ghcr.io/myorg/*)
- You want to exclude specific repositories but still check others from the same registry
- The list of ignored images grows large and is hard to maintain as a CLI flag
For example, if I want to ignore all internal images under 123456789.dkr.ecr.ap-northeast-1.amazonaws.com/myorg/ but still check public images, there's no clean way to express this with the current substring matching.
Proposal
One or both of the following approaches:
Option A: Prefix / glob pattern support in --ignore-images
Support prefix or glob-style patterns in the existing --ignore-images flag:
# Prefix match (trailing *)
dockerfile-pin check --ignore-images "ghcr.io/myorg/*"
# Exact match
dockerfile-pin check --ignore-images "myimage:latest"
Option B: Config file support
Allow specifying ignore rules in a config file (e.g., .dockerfile-pin.json or .dockerfile-pin.yaml). Support .gitignore-style negation patterns (!) for fine-grained control:
# .dockerfile-pin.yaml
ignore-images:
- "ghcr.io/myorg/*" # Ignore all images under myorg
- "!ghcr.io/myorg/public-*" # But still check images prefixed with public-
- "123456789.dkr.ecr.*.amazonaws.com/internal/*"
- "scratch"
In this example, images under ghcr.io/myorg/ are ignored by default, but ghcr.io/myorg/public-app would still be checked because the ! negation pattern overrides the earlier match.
Benefits of a config file:
- Can be committed alongside the project
- Manage complex ignore rules without long CLI flags
- Share configurations across teams
! negation patterns enable flexible workflows like "ignore by default, but check specific images"
Use Case
In production environments with many internal/private container images managed separately, we need to selectively ignore certain registries or image prefixes while still checking others. The current flat substring matching doesn't provide enough granularity for this.
Problem
Currently,
--ignore-imagesaccepts a comma-separated list of patterns and uses substring matching (strings.Contains). This works well for simple cases like ignoringscratch, but becomes difficult to manage in production environments where:ghcr.io/myorg/*)For example, if I want to ignore all internal images under
123456789.dkr.ecr.ap-northeast-1.amazonaws.com/myorg/but still check public images, there's no clean way to express this with the current substring matching.Proposal
One or both of the following approaches:
Option A: Prefix / glob pattern support in
--ignore-imagesSupport prefix or glob-style patterns in the existing
--ignore-imagesflag:Option B: Config file support
Allow specifying ignore rules in a config file (e.g.,
.dockerfile-pin.jsonor.dockerfile-pin.yaml). Support.gitignore-style negation patterns (!) for fine-grained control:In this example, images under
ghcr.io/myorg/are ignored by default, butghcr.io/myorg/public-appwould still be checked because the!negation pattern overrides the earlier match.Benefits of a config file:
!negation patterns enable flexible workflows like "ignore by default, but check specific images"Use Case
In production environments with many internal/private container images managed separately, we need to selectively ignore certain registries or image prefixes while still checking others. The current flat substring matching doesn't provide enough granularity for this.