After the tj-actions/changed-files supply chain attack, I've been trying to tighten up my Dockerfile security by including the Docker image hash:
FROM golang:1.24.2@sha256:991aa6a6e4431f2f01e869a812934bd60fbc87fb939e4a1ea54b8494ab9d2fc6 AS build
Dependabot is configured to update Dockerfiles, so later it automatically updated it to
FROM golang:1.24.2@sha256:1ecc479bc712a6bdb56df3e346e33edcc141f469f82840bab9f4bc2bc41bf91d AS build
The question is: what's stopping a future supply chain attack from releasing a future corrupted Docker image?
One which Dependabot would dutifully update to inside my repo.
I'm looking for a way to know that the change in hash for golang:1.24.2 was expected/authorized/legitimate.
Thanks
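One CI-side gate for the question above, as an added example that is not part of the original post: it parses the digest-pinned FROM lines and accepts a Dependabot bump only when the tag is unchanged and the new digest is the one the registry currently resolves that tag to. The `crane digest` lookup, the `review_bump` helper and the sample Dockerfiles are assumptions of this example, not anything from the post or from Dependabot.

```python
"""CI gate for a Dockerfile base-image digest bump (added example, not code
from the original post). Accept the change only when the tag is unchanged and
the new digest is the one the registry currently publishes for that tag."""
import re
import subprocess

# FROM [--platform=...] <image>[:<tag>][@sha256:<hex>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>[^\s@]+?)"
    r"(?::(?P<tag>[^\s@/:]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
    r"(?:\s+AS\s+\S+)?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def pinned_bases(dockerfile: str) -> dict:
    """Map 'image:tag' -> digest for every digest-pinned FROM line."""
    return {f"{m['image']}:{m['tag'] or 'latest'}": m["digest"]
            for m in FROM_RE.finditer(dockerfile) if m["digest"]}


def registry_digest(ref: str) -> str:
    """Digest the registry resolves the tag to right now. Assumes the `crane`
    CLI is installed; the offline demo below substitutes a stub for this."""
    return subprocess.run(["crane", "digest", ref], check=True,
                          capture_output=True, text=True).stdout.strip()


def review_bump(old_dockerfile: str, new_dockerfile: str, lookup=registry_digest):
    """Return (ok, findings). Anything other than a same-tag digest change that
    matches the registry's current digest is reported for human review."""
    old, new = pinned_bases(old_dockerfile), pinned_bases(new_dockerfile)
    findings = []
    for ref, digest in new.items():
        if ref not in old:
            findings.append(f"{ref}: new base image or changed tag")
        elif digest != old[ref] and lookup(ref) != digest:
            findings.append(f"{ref}: digest is not what the registry serves")
    for ref in old.keys() - new.keys():
        findings.append(f"{ref}: base image removed or digest pin dropped")
    return not findings, findings


if __name__ == "__main__":
    # Constructed sample: the two pins from the post, with a stubbed registry lookup.
    OLD = "FROM golang:1.24.2@sha256:991aa6a6e4431f2f01e869a812934bd60fbc87fb939e4a1ea54b8494ab9d2fc6 AS build\n"
    NEW = "FROM golang:1.24.2@sha256:1ecc479bc712a6bdb56df3e346e33edcc141f469f82840bab9f4bc2bc41bf91d AS build\n"
    print(review_bump(OLD, NEW, lookup=lambda ref: pinned_bases(NEW)[ref]))
```

This confirms that the bump matches what the registry serves for the tag at review time; whether that image is the publisher's intended build is a separate signature or provenance check that this gate does not perform.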