
Remediation for pinning Docker image by hash should include version number too. #2581

Closed
big-andy-coates opened this issue Jan 5, 2023 · 3 comments · Fixed by #2595
kind/enhancement New feature or request


@big-andy-coates

big-andy-coates commented Jan 5, 2023

Is your feature request related to a problem? Please describe.

Current remediation when an unpinned Docker image is found is to pin it by hash. For example:

FROM amazoncorretto:11
score is 7: containerImage not pinned by hash
Remediation tip: pin your Docker image by updating amazoncorretto to amazoncorretto@sha256:b1a711069b801a325a30885f08f5067b2b102232379750dda4d25a016afd9a88
Click Remediation section below for further remediation help

However, this has two issues

  1. GitHub dependabot will NOT currently update images pinned just by hash. Breaking dependabot means image versions are not updated automagically, which is arguably more of a risk than unpinned versions.
  2. Docker image hashes are notoriously hard to decode. Working out what tag a hash is isn't easy. The hash does not align with the digest hash on Docker Hub or as listed by docker images --no-trunc.

Describe the solution you'd like

Docker supports including the version & the hash, e.g.

amazoncorretto:11@sha256:b1a711069b801a325a30885f08f5067b2b102232379750dda4d25a016afd9a88

Benefits:

  1. Human readable
  2. Pinned to hash
  3. Supported by GitHub's dependabot

The scorecard remediation should include the version & the hash.

Describe alternatives you've considered

None.

Additional context

None

@big-andy-coates big-andy-coates added the kind/enhancement New feature or request label Jan 5, 2023
@spencerschrock
Member

dependabot/dependabot-core#4419. Breaking dependabot means image versions are not updated automagically, which is arguably more of a risk than unpinned versions.

Was not aware of this.

Docker image hashes are notoriously hard to decode. Working out what tag a hash is isn't easy. The hash does not align with the digest hash on Docker Hub or as listed by docker images --no-trunc.

Yes. The universal digest is hard to find. You can find it in some of the HTTP header attributes of the API calls. Note: the digest has changed since the issue was opened.

2023/01/10 10:57:58 <-- 200 https://index.docker.io/v2/library/amazoncorretto/manifests/11 (107.472787ms)
2023/01/10 10:57:58 HTTP/1.1 200 OK
Content-Length: 547
Content-Type: application/vnd.docker.distribution.manifest.list.v2+json
Date: Tue, 10 Jan 2023 18:57:58 GMT
Docker-Content-Digest: sha256:6962bc64de2b612c2a760299956853762cfcee538b1b6b55706661426546936c
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:6962bc64de2b612c2a760299956853762cfcee538b1b6b55706661426546936c"
Strict-Transport-Security: max-age=31536000

But the website struggles to display the digest:

https://hub.docker.com/layers/library/amazoncorretto/11/images/sha256-6962bc64de2b612c2a760299956853762cfcee538b1b6b55706661426546936c?context=explore

Docker supports including the version & the hash, e.g.

I can take a look in a few days.

@spencerschrock spencerschrock self-assigned this Jan 10, 2023
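Added example, not code from scorecard or from either participant: it ties together the two points above, the `name:tag@sha256:...` remediation format requested in the issue and the `Docker-Content-Digest` header spencerschrock shows. The registry is a constructed stand-in (a hand-built manifest list, so the digest it yields is not the real amazoncorretto digest), and `REGISTRY`, `fetch_manifest`, `remediate_dockerfile` and the sample Dockerfile are assumptions of this example. The security-relevant details it encodes: the digest is SHA-256 over the exact manifest bytes the registry serves, which is why it matches neither the Docker Hub page layout nor `docker images --no-trunc` (that prints the image config ID); the header should be checked against the body rather than trusted; and the digest pinned beside the tag is the multi-arch manifest list digest, so platform resolution keeps working after pinning.

```python
"""Rewrite unpinned Dockerfile FROM lines to name:tag@sha256:... using a (constructed) registry."""
import hashlib
import json
import re

_MANIFEST_LIST_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"
_MANIFEST_TYPE = "application/vnd.docker.distribution.manifest.v2+json"


def _constructed_manifest_list() -> bytes:
    """Hand-built multi-arch manifest list; the per-platform digests are placeholders."""
    doc = {
        "schemaVersion": 2,
        "mediaType": _MANIFEST_LIST_TYPE,
        "manifests": [
            {"mediaType": _MANIFEST_TYPE, "size": 1201, "digest": "sha256:" + "11" * 32,
             "platform": {"architecture": "amd64", "os": "linux"}},
            {"mediaType": _MANIFEST_TYPE, "size": 1201, "digest": "sha256:" + "22" * 32,
             "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
        ],
    }
    return json.dumps(doc, separators=(",", ":")).encode()


# Constructed registry stand-in: "<registry>/<repository>:<tag>" -> raw manifest bytes.
REGISTRY = {"index.docker.io/library/amazoncorretto:11": _constructed_manifest_list()}


def manifest_digest(body: bytes) -> str:
    """Registry digest = sha256 over the exact bytes served; never re-serialise the JSON first."""
    return "sha256:" + hashlib.sha256(body).hexdigest()


def verify_digest(claimed: str, body: bytes) -> bool:
    """True only if the Docker-Content-Digest header matches what the body actually hashes to."""
    return claimed == manifest_digest(body)


def fetch_manifest(registry: str, repository: str, tag: str) -> tuple[dict, bytes]:
    """Stand-in for GET https://<registry>/v2/<repository>/manifests/<tag> (Accept: manifest list)."""
    body = REGISTRY[f"{registry}/{repository}:{tag}"]
    return {"Docker-Content-Digest": manifest_digest(body)}, body


def resolve_digest(registry: str, repository: str, tag: str) -> str:
    """Resolve tag -> manifest list digest, refusing a header that does not match the body."""
    headers, body = fetch_manifest(registry, repository, tag)
    claimed = headers["Docker-Content-Digest"]
    if not verify_digest(claimed, body):
        raise ValueError(f"digest header {claimed} does not match body {manifest_digest(body)}")
    return claimed


def parse_reference(ref: str) -> dict:
    """Split [registry/][namespace/]name[:tag][@digest]; Hub official images live under library/."""
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:          # a colon after the last slash is a tag, not a port
        name, tag = name.rsplit(":", 1)
    parts = name.split("/")
    registry = "index.docker.io"
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    if registry == "index.docker.io" and len(parts) == 1:
        parts = ["library"] + parts
    return {"registry": registry, "repository": "/".join(parts), "name": name,
            "tag": tag, "digest": digest or None}


_FROM_RE = re.compile(
    r"^(?P<lead>\s*FROM\s+(?:--platform=\S+\s+)?)(?P<ref>\S+)(?P<rest>(?:\s+AS\s+\S+)?\s*)$",
    re.IGNORECASE,
)


def remediate_from_line(line: str) -> tuple[str, str]:
    """Return (possibly rewritten line, finding). Keeps --platform and AS <stage> intact."""
    m = _FROM_RE.match(line)
    if not m:
        return line, "not a FROM line"
    ref = m["ref"]
    if ref.lower() == "scratch":
        return line, "scratch: nothing to pin"
    if "$" in ref:
        return line, f"{ref}: build-arg reference, resolve the ARG before pinning"
    r = parse_reference(ref)
    if r["digest"] and r["tag"]:
        return line, f"{ref}: already pinned by tag and digest"
    if r["digest"]:
        return line, f"{ref}: digest only, the tag cannot be recovered from the digest"
    tag = r["tag"] or "latest"                     # untagged means :latest; pin that explicitly
    new_ref = f"{r['name']}:{tag}@{resolve_digest(r['registry'], r['repository'], tag)}"
    return m["lead"] + new_ref + m["rest"], f"{ref}: pinned to {new_ref}"


def remediate_dockerfile(text: str) -> tuple[str, list[str]]:
    """Apply remediate_from_line to every line; collect findings for FROM lines only."""
    out, findings = [], []
    for line in text.splitlines():
        new, finding = remediate_from_line(line)
        out.append(new)
        if finding != "not a FROM line":
            findings.append(finding)
    return "\n".join(out), findings


# Constructed sample input covering the edge cases a remediation tool has to handle.
CONSTRUCTED_DOCKERFILE = """\
ARG BASE=amazoncorretto:11
FROM --platform=linux/amd64 amazoncorretto:11 AS build
FROM ${BASE}
FROM amazoncorretto@sha256:b1a711069b801a325a30885f08f5067b2b102232379750dda4d25a016afd9a88
FROM scratch
"""

if __name__ == "__main__":
    rewritten, notes = remediate_dockerfile(CONSTRUCTED_DOCKERFILE)
    print(rewritten)
    print("\n".join(notes))
```

Against a real registry, `fetch_manifest` would issue the GET with an `Accept` header naming the manifest list (and OCI index) media types and a bearer token; everything else stays the same, including the check that the header digest matches the body, which is what turns a pin into a guarantee rather than a copy of whatever the registry claimed.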
@big-andy-coates
Author

Thanks @spencerschrock. Normally I'd have dived in, but "it's not my language" 😂

@spencerschrock
Member

Based on the remediation output in your original message, I'm assuming this was SARIF feedback from the scorecard-action. The issue is fixed, but will need to be released both on the scorecard and scorecard-action repos for it to take effect.
