Shameless Plug: I wrote a cli-plugin for docker, docker-lock, to solve the mutable tag problem without having to manually specify hashes - https://github.com/safe-waters/docker-lock
It creates a Lockfile (think package-lock.json) that tracks the image digests (sha256 hashes) of your base images, so you will always know exactly which images you are using even if you only specify tags. This way, you can know if a base image has changed, yet still receive important security updates that you would not receive if you hardcode the digest. It supports any registry, so is useful even if you are not using Dockerhub. It also works with Dockerfiles, docker-compose files, and Kubernetes manifests.
I hope anyone dealing with this issue finds it helpful :)
For anyone interested in learning how to use Open Telemetry for distributed tracing in go, I recently made a demo app to share with some friends: https://github.com/michaelperel/otel-demo . To run, clone it & docker-compose up
Really cool! I have been using this to play old mario games and switch off with my friends like when we were kids. Enjoying the nostalgia (and making mario swim has been pretty funny)
Shameless Plug: I wrote a cli-plugin for docker, docker-lock, that will track the image digests (SHA's) of your images in a separate file that you can check in to git, so you will always know exactly which image you are using (even if you are using the latest tag). It can even rewrite all your Dockerfiles and docker-compose files to use those digests.
It creates a Lockfile (think package-lock.json) that tracks the image digests (sha256 hashes) of your base images, so you will always know exactly which images you are using even if you only specify tags. This way, you can know if a base image has changed, yet still receive important security updates that you would not receive if you hardcode the digest. It supports any registry, so is useful even if you are not using Dockerhub. It also works with Dockerfiles, docker-compose files, and Kubernetes manifests.
I hope anyone dealing with this issue finds it helpful :)