In Dockerfiles, it is recommended to use digests to pin versions of base images. This practice ensures that you are always using the exact version of the base image that you intend to use, making your Docker image builds reproducible.
If you’re using tags to specify the version of your base image, you might not get the same image every time. Tags are mutable, meaning they can be updated to point to a different image. This can lead to inconsistencies between builds, making it difficult to reproduce bugs or replicate your environment. Moreover, if an attacker gains control of the repository, they could replace the image with a compromised one. Using a digest to pin the version of your base image can mitigate this risk.
Instead of using tags like FROM <image>:<tag>, you should use the digest like so: FROM
image@sha256:<digest>. The digest can be retrieved from Docker CLI or looked up in the Docker registry.
FROM ubuntu:20.04 ENTRYPOINT ["echo", "Hello, World!"]
FROM ubuntu:20.04@sha256:0b897358ff6624825fb50d20ffb605ab0eaea77ced0adb8c6a4b756513dec6fc ENTRYPOINT ["echo", "Hello, World!"]