We should refer to images in production using a naming like this rather than the current:
The reason is that when reverting a hacked image, we're sure what image we're reverting to...
CC: @borela @dzirtusss
Details on the type of hack:
The type of attacker you're referring to is typically known as a "supply chain attacker" or specifically a "container image poisoning attacker." In this scenario, the attacker infiltrates the container supply chain by replacing legitimate Docker images with malicious ones while maintaining the same tags. This is a form of image poisoning or tag squatting where the goal is to infect production environments with malware by compromising the image repository or distribution process.
Ensuring image integrity through measures like image signing (e.g., Docker Content Trust) or using private registries can help mitigate these risks.
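As an added example (not code from this issue or the project), a small checker that parses image references out of a manifest and flags any that are not pinned by a content digest; a digest is the immutable form of reference that guarantees a revert lands on a known image even if a tag has been re-pointed. The manifest, registry host and digest value below are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def immutable(self) -> bool:
        # Only a digest pins content; a tag (explicit or the implicit "latest") can be re-pointed.
        return self.digest is not None


def parse_image_ref(ref: str) -> ImageRef:
    """Split [registry/]repository[:tag][@sha256:hex] into its parts."""
    name, digest = ref, None
    if "@" in name:
        name, digest = name.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    # A ':' after the last '/' separates the tag; before it, it is a registry port.
    tag = None
    last_slash, colon = name.rfind("/"), name.rfind(":")
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repository = parts[0], "/".join(parts[1:])
    else:
        registry = "docker.io"
        repository = name if len(parts) > 1 else f"library/{name}"
    if tag is None and digest is None:
        tag = "latest"  # implicit, and exactly the kind of mutable pointer an attacker re-targets
    return ImageRef(registry, repository, tag, digest)


def find_mutable_refs(manifest: str) -> List[str]:
    """Return every 'image:' reference in a YAML-style manifest that is not digest-pinned."""
    refs = re.findall(r"^\s*image:\s*[\"']?([^\s\"']+)", manifest, re.MULTILINE)
    return [r for r in refs if not parse_image_ref(r).immutable]


# Constructed sample manifest (hypothetical services; the digest is a placeholder value).
SAMPLE_MANIFEST = """\
services:
  web:
    image: registry.example.com:5000/acme/web:1.4.2
  worker:
    image: acme/worker@sha256:""" + "a" * 64 + """
  cache:
    image: redis
"""
```

Running `find_mutable_refs(SAMPLE_MANIFEST)` reports the tag-based `web` and bare `redis` references and accepts the digest-pinned `worker`.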