Slide 19
Dockerfail #6: tags are mutable, changes get lost
➔ Signs of Dockerfail
◆ Using the latest, prod or “stable” tag to deploy in production.
◆ Not having a 1-to-1 relation from code to Docker images
● (“what git SHA1 is running in production?”)
➔ Better Dockerfile
◆ Collect Docker image content via the new docker sbom CLI command (experimental)
◆ Use a git repository as an auditing space for Software Bills of Materials (SBOMs)
◆ Multi-tag and label each Docker image (git SHA1, build number, timestamp, etc.)
● Bonus: some Docker registries can block tag reuse; enable it if you can!
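As an added example, not taken from the slides, the three “better” steps as one POSIX shell script: each build gets an immutable tag per git SHA1, build number and timestamp plus OCI labels, its docker sbom output is committed to a git audit repository, and a deploy-time gate rejects floating references such as latest or prod (the gate goes slightly beyond the slide). The image name, the AUDIT_REPO path, the BUILD_NUMBER variable and the tag naming convention are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides. Image name, AUDIT_REPO and BUILD_NUMBER
# are assumed placeholders; docker with the sbom plugin and git are required
# only by build_and_publish.
set -eu

# Deploy gate: true (0) when an image reference is a floating alias that can be
# silently repointed; false (1) when it is pinned by digest, git SHA1 or build.
is_mutable_tag() {                        # usage: is_mutable_tag <image-ref>
    ref=$1
    case "$ref" in *@sha256:*) return 1 ;; esac      # digest-pinned
    name=${ref##*/}                                   # drop registry/namespace
    case "$name" in *:*) tag=${name##*:} ;; *) tag=latest ;; esac  # no tag = latest
    case "$tag" in latest|prod|production|stable|dev|main|master) return 0 ;; esac
    # Immutable by convention: a 7-40 hex git SHA1 (optional sha- prefix) or build-N
    if printf '%s' "$tag" | grep -Eq '^(sha-)?[0-9a-f]{7,40}$|^build-[0-9]+$'; then
        return 1
    fi
    return 0
}

# One build, three tags: full git SHA1, build number, timestamp+short SHA1.
immutable_tags() {                        # usage: immutable_tags <image> <sha> <build> <ts>
    printf '%s:%s\n%s:build-%s\n%s:%s-%s\n' \
        "$1" "$2" "$1" "$3" "$1" "$4" "$(printf '%.7s' "$2")"
}

# Build, push every tag, capture the SBOM and commit it to the audit repository.
build_and_publish() {                     # usage: build_and_publish <image>
    image=$1
    sha=$(git rev-parse HEAD)
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    build=${BUILD_NUMBER:-0}
    tag_args=""
    for t in $(immutable_tags "$image" "$sha" "$build" "$ts"); do
        tag_args="$tag_args -t $t"
    done
    # OCI annotation keys let "docker inspect" answer: which commit is running?
    docker build $tag_args \
        --label "org.opencontainers.image.revision=$sha" \
        --label "org.opencontainers.image.created=$ts" \
        --label "build.number=$build" .
    docker push --all-tags "$image"
    mkdir -p "$AUDIT_REPO/sbom"
    docker sbom "$image:$sha" > "$AUDIT_REPO/sbom/$sha.txt"
    git -C "$AUDIT_REPO" add "sbom/$sha.txt"
    git -C "$AUDIT_REPO" commit -m "SBOM for $image:$sha (build $build)"
}
```

Run build_and_publish from the repository root with the image name as its argument; the deploy pipeline can call is_mutable_tag on the reference it is about to roll out and refuse when it returns 0.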