A CI pipeline pulls a base container image using the mutable `latest` tag. A known vulnerability was patched in a newer image build but the pipeline continues producing vulnerable containers because the local cache returns the old digest. Which remediation should the platform team recommend?

Question

Accepted Answer

B. Pin base images by digest in Dockerfiles and automate digest updates via a dependency bot workflow. Pinning base images by digest ensures a deterministic, immutable image reference that only changes when explicitly updated. Combining this with automated tooling such as Dependabot or Renovate that proposes digest updates when new images are published ensures vulnerability fixes are applied in a controlled, auditable way. Disabling caching does not guarantee the new image is pulled if the tag still resolves to the old cached digest.

A CI pipeline pulls a base container image using the mutable `latest` tag. A known vulnerability was patched in a newer image build but the pipeline continues producing vulnerable containers because the local cache returns the old digest. Which remediation should the platform team recommend?

Related Questions

Discussion

A CI pipeline pulls a base container image using the mutable latest tag. A known vulnerability was patched in a newer image build but the pipeline continues producing vulnerable containers because the local cache returns the old digest. Which remediation should the platform team recommend?

Related Questions

Discussion

A CI pipeline pulls a base container image using the mutable `latest` tag. A known vulnerability was patched in a newer image build but the pipeline continues producing vulnerable containers because the local cache returns the old digest. Which remediation should the platform team recommend?