Pin Docker Dependencies by Hash

[irongut]

Feature Request

Docker dependencies should be pinned by hash instead of a mutable tag.

mcr.microsoft.com/dotnet/sdk:6.0 
mcr.microsoft.com/dotnet/runtime:6.0

Unfortunately Microsoft don't publish the hash: https://hub.docker.com/_/microsoft-dotnet-sdk https://hub.docker.com/_/microsoft-dotnet-runtime

Additional Context

Tracking OpenSSF Scorecards Alerts:

• https://github.com/irongut/EditRelease/security/code-scanning/2
• https://github.com/irongut/EditRelease/security/code-scanning/3

Linked To

[irongut]

• Need a way to determine the hashes for the latest .NET images
• How to update those hashes when the images update? Can Dependabot handle it?
• Automated scanning of the finished container in ghcr would also be useful to determine when updates are necessary.

[irongut]

Dependabot can manage Docker dependencies: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem

  # Enable version updates for Docker
  - package-ecosystem: "docker"
    # Look for a `Dockerfile` in the `root` directory
    directory: "/"
    # Check for updates once a week
    schedule:
      interval: "weekly"

[github-actions[bot]]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days.

[github-actions[bot]]

This issue was closed because it has been stale for 30 days with no activity.