I use Hadolint[1] as a CI job to check if my Dockerfiles follow the good "rules". But the one rule that annoys me the most, which is also present in this article, is the pinned OS package version rule[2]. While I understand its interest, I struggle to handle this problem.
When I build new images and the build fails because the pinned version is not available anymore, I have to dig through the Debian or Ubuntu package websites to find the new ones, as they don't keep the old packages online.
I know I could ask Hadolint to ignore this rule, but I don't like that, and I think it's important to stick to a certain version of a package to avoid problems. I'm just trying to find any tip that could let me use pinned versions and avoid this search every time. Does apt-get install allow wildcards, for example?
1: https://github.com/hadolint/hadolint
2: https://github.com/hadolint/hadolint/wiki/DL3008
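Added example, not part of the thread: a small Python check that compares the package pins in a Dockerfile against what the base image's apt repository currently serves, so a stale pin is reported together with the version that replaced it instead of being looked up by hand. The Dockerfile, the package names and versions, and the `apt-cache madison` output are constructed sample values; in a CI job the madison output would be captured by running it inside the base image.

```python
import re

# Constructed sample Dockerfile with DL3008-style pins (hypothetical package versions).
DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \\
        curl=7.88.1-10+deb12u4 \\
        ca-certificates=20230311 \\
    && rm -rf /var/lib/apt/lists/*
"""
# Constructed stand-in for `apt-cache madison curl ca-certificates` captured from the base
# image in CI (e.g. docker run --rm debian:bookworm-slim sh -c 'apt-get update -qq && apt-cache madison curl').
MADISON = """\
           curl | 7.88.1-10+deb12u5 | http://deb.debian.org/debian bookworm/main amd64 Packages
ca-certificates | 20230311 | http://deb.debian.org/debian bookworm/main amd64 Packages
"""
# name=version tokens on apt-get install lines; a value ends at whitespace or a continuation backslash
PIN_RE = re.compile(r"([a-z0-9][a-z0-9+.-]*)=([^\s\\]+)")

def parse_pins(dockerfile: str) -> dict:
    """Collect {package: pinned_version} from every RUN instruction, following line continuations."""
    pins, in_run = {}, False
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if line.upper().startswith("RUN "):
            in_run = True
        if in_run:
            pins.update(PIN_RE.findall(line))
        in_run = in_run and line.endswith("\\")
    return pins

def parse_available(madison: str) -> dict:
    """Collect {package: {versions}} from apt-cache madison output ('|'-separated fields)."""
    available = {}
    for line in madison.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 2:
            available.setdefault(fields[0], set()).add(fields[1])
    return available

def check_pins(pins: dict, available: dict) -> dict:
    """Return {package: (pinned, [versions the repo serves now])} for pins that can no longer be installed."""
    return {name: (ver, sorted(available.get(name, ())))
            for name, ver in pins.items() if ver not in available.get(name, ())}

if __name__ == "__main__":
    stale = check_pins(parse_pins(DOCKERFILE), parse_available(MADISON))
    for name, (pinned, now) in stale.items():
        print(f"{name}: pin {pinned} is no longer served; available now: {', '.join(now) or 'none'}")
```

A non-empty result is the signal to fail the CI job and bump the pin in the Dockerfile; an unpinned package never shows up here, which is what the Hadolint rule itself covers.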
The CIS Docker Benchmark is a very extensive rule set for assessing the Docker host, daemon, images and containers from a security perspective.
It comes with a very handy tool as well: https://github.com/docker/docker-bench-security
You could use Renovate [1] to watch your repository and open PRs for you when there is a new version. I don't know if it supports watching Debian repositories out of the box, but that's probably doable with some tweaking.
[1] https://github.com/renovatebot/renovate