Keep your Chainguard Images up to date with digestabot
At Chainguard, we rebuild our registry of 400 minimal, hardened Images every day to make sure they don’t accumulate vulnerabilities. If you use our free Chainguard Developer Images and want to benefit from these continuous security patches and fast updates to upstream releases, it’s important that you keep your images up to date.
As we know firsthand, this can be tedious work. To make it easier for all public users to keep their Chainguard Images fresh, we recently created digestabot, a free GitHub Action that you can begin to incorporate into your workflows today.
Digestabot was first developed as an internal tool at Chainguard for automatically updating internal projects on a regular basis. At Chainguard, we use digestabot in all of our internal and public projects for images.
When digestabot detects that one of our Images is out of date, it opens a pull request (PR), which is then subject to our standard continuous integration tests. If it passes the tests, we merge the PR and the Image is rebuilt and redeployed. With minimal headache, all of our projects stay fresh and secure.
Now, we are sharing the magic of digestabot as a GitHub Action so that users of our Developer Images can benefit from this hassle-free approach to keep their Images and other container assets current.
Digestabot is designed specifically for container environments. Because it works by looking for digest-like strings in text files, it can be used with Dockerfiles, Kubernetes manifests, Helm templates, Makefiles, .sh scripts, and more. It also offers a number of other useful features, such as letting users specify when and how the Action should run, and the option of authenticating with ephemeral OIDC tokens rather than long-lived stored credentials.
Get started with digestabot
Digestabot updates Image references that use the tag+digest pattern. If the upstream Image's tag stays the same but the digest it points to changes, digestabot opens a PR to update your local reference. If the tag itself changes (for example, a new version tag is published), digestabot does not open a PR: it never moves you from one tag to another.
You’ll be using Chainguard Images with digestabot that follow this format:
:@sha256:A real life example of this would be the following:
cgr.dev/chainguard/nginx:latest@sha256:81bed54c9e507503766c0f8f030f869705dae486f37c2a003bb5b12bcfcc713fHere, digestabot will look up the digest of the tag on the registry and, if it doesn't match, open a PR to update it. This can be used to keep tags up to date while maintaining a reproducible build and providing an opportunity to test updates. Digestabot does not bump versions. For example, it will not bump a Chainguard Image from v1 to v2 when updating. Instead, it updates the digest for a specific tag version. All Chainguard Developer Images are rebuilt at least once a day and if digestabot detects a new Image, it will generate a new digest for a specific tag.
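The check described above, as an added example that is not digestabot's own code: it finds every tag+digest reference in a set of files, asks "what does the registry say this tag points to now?", and rewrites only the digest, never the tag. The registry lookup is a constructed stub (CURRENT_DIGESTS); in a real workflow you would resolve each tag with a registry client, for example `crane digest cgr.dev/chainguard/nginx:latest`, and compare the answer with the pinned digest. The sample Dockerfile and manifest are constructed inputs, and the second digest in them is a placeholder, not a real image.

```python
"""Find image references of the form image:tag@sha256:<digest> and refresh the
digest when the registry now serves a different manifest for that tag.

Added illustration; not digestabot's own code. The registry lookup is a
constructed stub (CURRENT_DIGESTS). In practice resolve each tag with a
registry client, e.g. `crane digest cgr.dev/chainguard/nginx:latest`.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# image:tag@sha256:digest. Assumption: registry host without a port; a host
# with a port (localhost:5000/foo:tag) would need a wider pattern.
REF_RE = re.compile(
    r"(?P<image>[a-z0-9][a-z0-9._\-/]*)"
    r":(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.\-]{0,127})"
    r"@sha256:(?P<digest>[0-9a-f]{64})"
)

Change = Tuple[str, str, str, str]  # (image, tag, old_digest, new_digest)


def find_refs(text: str) -> List[Dict[str, str]]:
    """All tag+digest references in a file. Tag-only references never match,
    so they are never rewritten (only the pinned form is managed)."""
    return [m.groupdict() for m in REF_RE.finditer(text)]


def refresh_digests(text: str, resolve: Callable[[str, str], Optional[str]]
                    ) -> Tuple[str, List[Change]]:
    """Rewrite stale digests in `text`, keeping every tag exactly as it was.
    A reference the resolver cannot answer for, or whose digest already
    matches, is left untouched."""
    changes: List[Change] = []

    def sub(m: "re.Match[str]") -> str:
        image, tag, old = m["image"], m["tag"], m["digest"]
        new = resolve(image, tag)
        if new is None or new == old:
            return m.group(0)
        changes.append((image, tag, old, new))
        return f"{image}:{tag}@sha256:{new}"

    return REF_RE.sub(sub, text), changes


# Constructed sample inputs standing in for files in a repository.
NGINX_OLD = "81bed54c9e507503766c0f8f030f869705dae486f37c2a003bb5b12bcfcc713f"
SAMPLE_FILES = {
    "Dockerfile": (
        f"FROM cgr.dev/chainguard/nginx:latest@sha256:{NGINX_OLD}\n"
        "COPY site/ /usr/share/nginx/html/\n"
    ),
    "deploy.yaml": (
        "containers:\n"
        "  - name: app\n"
        f"    image: cgr.dev/chainguard/python:latest@sha256:{'a' * 64}\n"
        "  - name: sidecar\n"
        "    image: cgr.dev/chainguard/busybox:latest\n"  # tag only: left alone
    ),
}

# Constructed stand-in for the registry: what each tag currently points to.
CURRENT_DIGESTS = {
    ("cgr.dev/chainguard/nginx", "latest"): "b" * 64,   # rebuilt, digest moved
    ("cgr.dev/chainguard/python", "latest"): "a" * 64,  # unchanged
}


def resolve_stub(image: str, tag: str) -> Optional[str]:
    return CURRENT_DIGESTS.get((image, tag))


def run(files: Dict[str, str] = SAMPLE_FILES,
        resolve: Callable[[str, str], Optional[str]] = resolve_stub
        ) -> Dict[str, Tuple[str, List[Change]]]:
    """Process every file; the returned changes are what the PR would carry."""
    return {path: refresh_digests(text, resolve) for path, text in files.items()}


if __name__ == "__main__":
    for path, (new_text, changes) in run().items():
        for image, tag, old, new in changes:
            print(f"{path}: {image}:{tag} {old[:12]} -> {new[:12]}")
        if not changes:
            print(f"{path}: up to date")
```

Run as written, the nginx reference in the Dockerfile is rewritten to the new digest, the python reference is reported as up to date, and the tag-only busybox line is not touched. Swapping `resolve_stub` for a real registry lookup is the only change needed to run this against live tags, and the list of changes is exactly the material a PR body should describe.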
Let us know what you think
Ready to experience the benefits of always having the latest Chainguard Images in your projects? Head over to GitHub to explore the digestabot Action and start streamlining your Chainguard Image update process today! We are always looking for ways to improve the user experience for our Images and welcome any feedback you may have.
If you want to learn more about what’s in our Chainguard Images inventory or enterprise-ready capabilities, visit the Chainguard Images Directory or contact our team to get started.