base container - perhaps make this more a strategy

[msmeissn]

One topic when you base your work on other containers is the strategy when to update the base container.

• It would be good to always pick up the latest version to get all bug and security fixes, which might however cause undeterministic breakage.
  • still could be handled in your CI/CD pipeline, so fully automated
• pinning as mentioned is good, but then a good forward roll strategy should be defined (e.g. when security scanners report important/critical issues in this base container version? or time based?)
  • would need manual handling to decide when to roll forward

[henrycoggillcnc]

This dichotomy needs to be tackled more fully in our recommendations. The security industry as a whole tends to prefer updating and accepting breakages far more than not updating out of fear and then suffering the consequences of a security breach. A CI/CD pipeline should include enough testing to ensure that any breaking changes are picked up before going live, and we should have enough confidence in this process to definitively recommend updating for security fixes.