Images used in modules should be be pulled by digest and not by tag

[worldtiki]

Currently the images used in the test containers modules are being pulled by tag.
This has several disadvantages, the biggest one being a possible attack vector if the owner's account for those images in Docker is compromised.
I understand that users can override and pull whatever image they want but it would be nice to have a more secure default.

I was going to submit a pr with these changes but I noticed that some images were already being pulled by digest before and this was changed to tags (example: #1406).

I want to know if there is interest in doing this. If so I can help. It's also unclear what kind of architectures are supported with Testcontainers (eg: arm?) which will influence the approach in case you feel like implementing this change.

[rnorth]

Thanks - this is a good suggestion. I'm not 100% sure what to do about it either at this stage, but security and test reproducibility are obvious advantages.

There are some potential problems, so perhaps let's enumerate those and see if we can collectively find some solutions.

#1406 - can't use SHA256 image digests offline

This could be solved. It would require us to make a change to docker-java as well so that the right information about available images is exposed.

#1345 - changes to image pull policy

This is not a problem, but one to think about. We're very close to being able to merge it, so I think it'll be best to do that and then reflect on any further pull-related changes that we'd need for digests (there may be nothing to add).

Architectures

As far as I know we are amd64-only. I don't have any strong aspirations to expand to other architectures right now, and our essential 'support' images mean that we know we're not usable on other architectures.

We should probably consider the impact of other architectures on the design, though - i.e. not design ourselves into a corner that would cause breaking API changes somewhere down the line.

Legibility

Everywhere that we replace an image tag with a SHA256 digest, it becomes a little harder for people to quickly understand which version of the image is being used. I don't know if perhaps we should have some other mechanism for resolving a tag to a digest, or have a simple policy of comments in code to describe digests in human-readable form, or something else...

Deletion of old layers

IIRC Docker Hub does delete layers that are no longer referenced from a tag. This could be a critical blocker, and I'd like to check this before we do anything.

[MinnDevelopment]

Hello, can this be re-prioritized? After the recent incident with the trivy image we want to pin all tags using digests for improved security. Are there any good workarounds for this?