For the following Dockerfile line, SonarQube for IDE (in IntelliJ IDEA, connected to SonarCloud) reports an issue:
FROM dhi.io/nginx:1.31.1-alpine3.23@sha256:902e3e97f6e505b45cb31e77a83c4ee00247ba343081c2b837de23e8a654124a
The issue is docker:S8431, saying "Specify either version tag or digest for image."
I understand that this format might be confusing to developers, but it’s compatible with Dependabot.
As you read in the issue description:
For even more control and traceability, the digest can be used instead of the version tag. This will pin the image to a specific immutable version, ensuring reproducible builds, but will also prevent automatic security updates that would come from using a version tag.
And this is exactly my problem. Previously, Dependabot opened PRs with this content:
Bumps dbgate/dbgate from 8243b88 to 331726a.
When I switched to the format that includes the version number too, Dependabot opened PRs with this content:
Bumps dbgate/dbgate from 7.1.13-alpine to 7.2.0-alpine.
And the change looked like this (please don’t mind the non-matching digest, I’ve mixed up PR rebases):
- image: dbgate/dbgate:7.1.13-alpine@sha256:8243b8862384d5b19d589212f8d811755b476fcd815b12a49eee30596d379e3e
+ image: dbgate/dbgate:7.2.0-alpine@sha256:28707700244679bd9d46e4e73a58b13c57afea1b2da2efc39a9369ee15427991
So using both the version tag and the digest is beneficial for Dependabot for the following reasons:
- More readable PRs.
- Support for upgrading to the right version (at least I hope that -alpine would be respected; honestly, I haven’t confirmed yet).
- Support for limiting upgrades to minor/patch versions if needed (#1971).
=> So when both the version tag and the digest are present, the version tag should document the version used.
A similar approach also works for a PR that upgrades GitHub actions. For example, a PR titled build(deps): bump actions/setup-java from 5.2.0 to 5.3.0 would have the following diff:
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+ uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
This is also very helpful. So the digest is for security, and the tag is for human readability (and other Dependabot benefits).
You could ask what happens if there is a mismatch between the digest and the version tag. Well, maybe we need a linter tool for it. At the moment, I haven’t found any yet…
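The mismatch check the post asks for, as an added example that is not part of the original post and not code from SonarQube or Dependabot: it picks image references out of Dockerfile FROM and compose/Kubernetes image: lines, requires both a version tag and a digest (the combination argued for above), and compares the pinned digest with what the tag currently resolves to. The registry lookup is injected; fake_resolve, KNOWN and SAMPLE are constructed stand-ins, and the digests in them are made up.

```python
import re
from typing import Callable, Optional

def parse_image_ref(ref: str) -> tuple[str, Optional[str], Optional[str]]:
    """Split name[:tag][@sha256:hex]; a ':' before the last '/' is a registry port, not a tag."""
    name, _, digest = ref.strip().partition("@")
    tag = None
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, digest or None

# Lines carrying an image reference: Dockerfile "FROM ..." or compose/Kubernetes "image: ...".
REF_LINE = re.compile(r"^\s*(?:-?\s*image:\s*|FROM\s+(?:--platform=\S+\s+)?)(\S+)", re.I)
Resolver = Callable[[str, str], Optional[str]]  # (name, tag) -> digest the tag points to now, or None

def check_pin(ref: str, resolve: Resolver) -> list[str]:
    """Findings for one reference: tag and digest must both be present and must agree."""
    name, tag, digest = parse_image_ref(ref)
    findings = []
    if tag is None:
        findings.append(f"{name}: no version tag, the digest alone does not document the version")
    if digest is None:
        findings.append(f"{name}: no digest, a tag alone is mutable and not reproducible")
    elif not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        findings.append(f"{name}: malformed digest {digest!r}")
    elif tag is not None and resolve(name, tag) != digest:
        findings.append(f"{name}:{tag}: tag does not resolve to the pinned digest {digest[:19]}...")
    return findings

def scan(text: str, resolve: Resolver) -> list[str]:
    """Run check_pin over every FROM/image: line, prefixing findings with the line number."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REF_LINE.match(line)
        if m:
            out += [f"line {n}: {f}" for f in check_pin(m.group(1), resolve)]
    return out

# Constructed stand-in for a registry lookup (in practice `docker manifest inspect` or the
# registry HTTP API); the digests below are made up for this example, not real image digests.
KNOWN = {("dhi.io/nginx", "1.31.1-alpine3.23"): "sha256:" + "a1" * 32,
         ("dbgate/dbgate", "7.2.0-alpine"): "sha256:" + "b2" * 32}
def fake_resolve(name: str, tag: str) -> Optional[str]:
    return KNOWN.get((name, tag))

# Constructed input, one case per line: consistent pin, digest only, tag/digest mismatch, tag only.
SAMPLE = f"""FROM dhi.io/nginx:1.31.1-alpine3.23@sha256:{'a1' * 32}
FROM dhi.io/nginx@sha256:{'a1' * 32}
    image: dbgate/dbgate:7.2.0-alpine@sha256:{'c3' * 32}
    image: dbgate/dbgate:7.2.0-alpine
"""
```

Running scan(SAMPLE, fake_resolve) reports lines 2, 3 and 4 and leaves line 1 alone; swapping fake_resolve for a function that queries the real registry turns this into the linter the post is missing.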