Skip to content

fix: pin Docker base image to SHA256 digest#106

Merged
jmeridth merged 1 commit intomainfrom
fix/pin-docker-image-digest
Mar 10, 2026
Merged

fix: pin Docker base image to SHA256 digest#106
jmeridth merged 1 commit intomainfrom
fix/pin-docker-image-digest

Conversation

@zkoppert
Copy link
Contributor

@zkoppert zkoppert commented Mar 10, 2026

Summary

Resolves code scanning alert #3 — Docker image not pinned to SHA256 digest.

Changes

Pins the Dockerfile FROM alpine to alpine:3.23.3@sha256:25109184c71b... to ensure reproducible and secure builds. Unpinned tags like alpine (implicitly latest) can change without notice, leading to non-deterministic builds and potential supply chain vulnerabilities.

Testing

This is a placeholder Dockerfile that packages the repo files into a container image. The change only pins the base image version — no functional change.

@zkoppert
fix: pin Docker base image to SHA256 digest
7a9a6b2 
Pin alpine base image to alpine:3.23.3 with SHA256 digest to ensure
reproducible and secure builds, resolving code scanning alert #3.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@zkoppert zkoppert self-assigned this Mar 10, 2026
@github-actions github-actions bot added the fix label Mar 10, 2026
@zkoppert zkoppert requested review from Copilot and jmeridth and removed request for Copilot March 10, 2026 19:14
@zkoppert zkoppert marked this pull request as ready for review March 10, 2026 19:20
@jmeridth
Copy link
Collaborator

jmeridth commented Mar 10, 2026

Thank you

Copilot AI reviewed Mar 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a GitHub code-scanning alert by making the Docker build reproducible and more supply-chain resilient through pinning the base image to an immutable digest.

Changes:

  • Pin FROM alpine to alpine:3.23.3@sha256:... to avoid floating-tag drift and ensure deterministic base image resolution.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@jmeridth jmeridth merged commit 1a0a6fe into main Mar 10, 2026
12 checks passed
@jmeridth jmeridth deleted the fix/pin-docker-image-digest branch March 10, 2026 19:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jmeridth jmeridth jmeridth approved these changes

Assignees

@zkoppert zkoppert

Labels

fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zkoppert @jmeridth