Product Docs
-
- Overview
- FAQs
- Verifying Images
- How to Use
- Going Distroless
-
-
-
-
-
- Minimal Runtime Images
- Using the Static Base Image
- Software Versions
- Chainguard Security Advisories & Diff API
- Image Digests
- Up-to-date Images with Digestabot
- Migrating Go Applications to Chainguard
- Reproducible Dockerfiles with Frizbee and Digestabot
- Why our images have Low-to-No CVEs
- Reproducibility and Chainguard Images
- Debugging Distroless Containers
- Debugging with Kubectl and CDebug
- Migrate Node.js Applications to Chainguard
- Migrate Java Applications to Chainguard
- How Images are Tested
- Product Release Lifecycle
- Debugging
-
-
-
-
- chainctl
- chainctl auth
- chainctl auth configure-docker
- chainctl auth login
- chainctl auth logout
- chainctl auth status
- chainctl auth token
- chainctl config
- chainctl config edit
- chainctl config reset
- chainctl config save
- chainctl config set
- chainctl config unset
- chainctl config validate
- chainctl config view
- chainctl events
- chainctl events subscriptions
- chainctl events subscriptions create
- chainctl events subscriptions delete
- chainctl events subscriptions list
- chainctl iam
- chainctl iam account-associations
- chainctl iam account-associations check
- chainctl iam account-associations check aws
- chainctl iam account-associations check gcp
- chainctl iam account-associations describe
- chainctl iam account-associations set
- chainctl iam account-associations set aws
- chainctl iam account-associations set gcp
- chainctl iam account-associations unset
- chainctl iam account-associations unset aws
- chainctl iam account-associations unset gcp
- chainctl iam folders
- chainctl iam folders delete
- chainctl iam folders describe
- chainctl iam folders list
- chainctl iam folders update
- chainctl iam identities
- chainctl iam identities create
- chainctl iam identities create github
- chainctl iam identities create gitlab
- chainctl iam identities delete
- chainctl iam identities describe
- chainctl iam identities list
- chainctl iam identities update
- chainctl iam identity-providers
- chainctl iam identity-providers create
- chainctl iam identity-providers delete
- chainctl iam identity-providers list
- chainctl iam identity-providers update
- chainctl iam invites
- chainctl iam invites create
- chainctl iam invites delete
- chainctl iam invites list
- chainctl iam organizations
- chainctl iam organizations delete
- chainctl iam organizations describe
- chainctl iam organizations list
- chainctl iam role-bindings
- chainctl iam role-bindings create
- chainctl iam role-bindings delete
- chainctl iam role-bindings list
- chainctl iam role-bindings update
- chainctl iam roles
- chainctl iam roles capabilities
- chainctl iam roles capabilities list
- chainctl iam roles create
- chainctl iam roles delete
- chainctl iam roles list
- chainctl iam roles update
- chainctl images
- chainctl images diff
- chainctl images list
- chainctl images repos
- chainctl images repos list
- chainctl update
- chainctl version
Open Source
Education
Keep your Chainguard Images up to date with digestabot
Tools used in this video
Transcript
Today, I’d like to talk about a common question I get asked.
How can you keep images up to date while avoiding breaking changes?
The basic issue is that we’d like to make sure we’re getting the latest security updates and features for our software.
But we really don’t want our applications and infrastructure to break unexpectedly.
So there’s a tension between updating all the time, which gives you the latest code and limits unexpected breakages.
In this example, we have a multi-stage Python build using Chainguard Images which are pinned to Digest.
Now, Digests are content-based hashes of images.
So if you reference an image by Digest, you will always get exactly the same image every time.
Now, this is fantastic for reproducibility.
As I know, if anybody uses this Dockerfile, they will get exactly the same images that I was using.
And this is especially important in Python, where if the version changes, so we go from Python 3.12 to Python 3.13, you might find that various libraries don’t work until they’re updated.
Now, how do you do updates then?
Well, you could manually go in and change, bump this Digest yourself.
But we’ve got a better solution for you that I want to talk about briefly today, and it’s called Digestabot.
Digestabot is a GitHub action that can be set to run on a cron job and will open a PR when it detects there’s a newer version of the image available.
You can then test the image to make sure it works with your application before merging the PR.
So for my example, it would check the Chainguard registry for the current digest of the latest tag and open a PR if it doesn’t match the digest in the file.
We use Digestabot internally at Chainguard, and this pattern nicely balances the tension between keeping images up to date and vulnerability-free with the need to test and verify changes before shipping to production.
So please try it out and let me know if you have any questions.
Last updated: 2024-02-08 15:21