To keep container images up-to-date / secure and compliant, we should not use apt update or any other package manager update mechanism to keep the base os / base image up-to-date.
Instead we need to make sure that we use a secure upstream image in best case one which points to the version the project needs + regular update.
Like instead of alpine 3.3.3 use 3.3
AC:
Create new TRG for not using patch version and highlight security team for feedback / suggestion
Highlight the issue that apt update might pull in a new version of a library which is no longer under the right ip/license
carslen
commented
8 months ago
We need a new TRG which describes the following:
To keep container images up-to-date / secure and compliant, we should not use apt update or any other package manager update mechanism to keep the base os / base image up-to-date.
Instead we need to make sure that we use a secure upstream image in best case one which points to the version the project needs + regular update.
Like instead of alpine 3.3.3 use 3.3
AC: