fix: pin Docker base images to SHA256 digests #2040

Merged
SamMorrowDrums merged 1 commit into main from fix/pin-docker-image-shas
Feb 18, 2026

SamMorrowDrums (Collaborator) commented Feb 18, 2026

Summary

Pin all three Dockerfile base images to their SHA256 digests to resolve code scanning alerts #14 and #15 for unpinned Docker images.

Changes

  • node:20-alpine → pinned to digest (alert #14)
  • golang:1.25.7-alpine → pinned to digest (alert #15)
  • gcr.io/distroless/base-debian12 → pinned to digest (proactive)

Dependabot docker ecosystem is already configured in .github/dependabot.yml and will automatically create PRs to update these digests.

Pin all three Dockerfile base images to their SHA256 digests to resolve
code scanning alerts for unpinned Docker images. Dependabot docker
ecosystem is already configured and will keep these digests up to date.

- node:20-alpine (alert #14)
- golang:1.25.7-alpine (alert #15)
- gcr.io/distroless/base-debian12 (proactive)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 18, 2026 15:40
SamMorrowDrums requested a review from a team as a code owner February 18, 2026 15:40
Copilot AI (Contributor) left a comment

Pull request overview

This PR pins Docker base images to their SHA256 digests to address security scanning alerts and improve supply chain security. This prevents image tags from being silently updated and ensures deterministic builds.

Changes:

  • Pin node:20-alpine, golang:1.25.7-alpine, and gcr.io/distroless/base-debian12 base images to their SHA256 digests
  • Resolves code scanning alerts #14 and #15

SamMorrowDrums merged commit 5e1c94b into main Feb 18, 2026
19 of 21 checks passed
SamMorrowDrums deleted the fix/pin-docker-image-shas branch February 18, 2026 16:06
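
An added example, not part of the pull request or the project's code: a small Python check that lists `FROM` lines still referencing a mutable tag instead of a SHA256 digest, which is the condition the code scanning alerts in this thread flag. The sample Dockerfile, its stage names and the all-zero digest are constructed placeholders, and the function name is hypothetical.

```python
import re

# An image reference is immutable only if it ends in a full sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_base_images(dockerfile_text):
    """Return (line_number, image) for every FROM that is not digest-pinned."""
    stages = set()  # names introduced by "FROM ... AS <name>"
    findings = []
    for lineno, raw in enumerate(dockerfile_text.splitlines(), start=1):
        tokens = raw.strip().split()
        if len(tokens) < 2 or tokens[0].upper() != "FROM":
            continue
        # Skip flags such as --platform=... placed before the image.
        args = [t for t in tokens[1:] if not t.startswith("--")]
        if not args:
            continue
        image = args[0]
        # "scratch" is the empty image; an earlier stage name is not a pull.
        is_local = image == "scratch" or image.lower() in stages
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
        if is_local:
            continue
        # A reference built from an ARG (e.g. ${BASE}) cannot be checked
        # statically, so it is reported as unpinned as well.
        if not DIGEST_RE.search(image):
            findings.append((lineno, image))
    return findings

# Constructed sample; the digest is a placeholder, not a real image digest.
PLACEHOLDER = "sha256:" + "0" * 64
SAMPLE = f"""\
FROM node:20-alpine AS ui-build
FROM --platform=$BUILDPLATFORM golang:1.25.7-alpine@{PLACEHOLDER} AS build
FROM gcr.io/distroless/base-debian12
COPY --from=build /bin/app /app
FROM build AS debug
"""

if __name__ == "__main__":
    for lineno, image in unpinned_base_images(SAMPLE):
        print(f"line {lineno}: {image} is not pinned to a sha256 digest")
```

Run in CI against each Dockerfile, a non-empty result can fail the build so that a tag-only base image does not return after a later edit.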