Keep your Chainguard Images up to date with digestabot
At Chainguard, we rebuild our registry of 400 minimal, hardened Images every day to make sure they don’t accumulate vulnerabilities. If you use our free Chainguard Developer Images and want to benefit from these continuous security patches and fast updates to upstream releases, it’s important that you keep your images up to date.
As we know firsthand, this can be tedious work. To make it easier for all public users to keep their Chainguard Images fresh, we recently created digestabot, a free GitHub Action that you can begin to incorporate into your workloads today.
Digestabot was first developed as an internal tool at Chainguard for automatically updating internal projects on a regular basis. At Chainguard, we use digestabot in all of our internal and public projects for images.
When digestabot detects that one of our Images is out of date, it opens a pull request (PR), which is then subject to our standard continuous integration tests. If it passes the tests, we merge the PR and the Image is rebuilt and redeployed. With minimal headache, all of our projects stay fresh and secure.
Now, we are sharing the magic of digestabot as a GitHub Action so that users of our Developer Images can benefit from this hassle-free approach to keep their Images and other container assets current.
Digestabot is designed specifically for container environments, and can be used with Dockerfiles, Kubernetes manifests, Helm templates, Makefiles, .sh scripts, and more by looking for digest-like strings in a text file. It also offers a number of other useful features, such as enabling users to specify when and how the Action should run, and the option of authenticating with ephemeral OIDC tokens to ensure a high level of security.
Get started with digestabot
Digestabot updates Images that use the tag+digest pattern. If the upstream Image’s tag stays the same but the digest changes, digestabot will open a PR to update your local image. If both the tag and digest change, digestabot will not open a PR to update your local Image.
You’ll be using Chainguard Images with digestabot that follow this format:
:@sha256:
A real life example of this would be the following:
cgr.dev/chainguard/nginx:latest@sha256:81bed54c9e507503766c0f8f030f869705dae486f37c2a003bb5b12bcfcc713f
Here, digestabot will look up the digest of the tag on the registry and, if it doesn't match, open a PR to update it. This can be used to keep tags up to date while maintaining a reproducible build and providing an opportunity to test updates. Digestabot does not bump versions. For example, it will not bump a Chainguard Image from v1 to v2 when updating. Instead, it updates the digest for a specific tag version. All Chainguard Developer Images are rebuilt at least once a day and if digestabot detects a new Image, it will generate a new digest for a specific tag.
Let us know what you think
Ready to experience the benefits of always having the latest Chainguard Images in your projects? Head over to GitHub to explore the digestabot Action and start streamlining your Chainguard Image update process today! We are always looking for ways to improve the user experience for our Images and welcome any feedback you may have.
If you want to learn more about what’s in our Chainguard Images inventory or enterprise-ready capabilities, visit the Chainguard Images Directory or contact our team to get started.
Ready to Lock Down Your Supply Chain?
Talk to our customer obsessed, community-driven team.