Details
Type: Suggestion
Resolution: Fixed
Description
Since we use publicly available images from sources like Docker Hub, we cannot guarantee that nobody has modified the image. In the worst case, an attacker could change the image to put a trojan in our binaries.
So, how can we prevent this?
I think it would be a very good idea to add checksum verification to Pipelines. This way, we could test and analyze the image and, combined with the checksum, guarantee that the tested and analyzed image is the one used for builds.
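As an added illustration of what the requested check amounts to (this is example code, not part of the original issue or of Pipelines itself): a registry's content digest is the sha256 of the exact manifest bytes it serves, so a build step can re-hash the manifest it fetched for a tag, compare it against the digest recorded when the image was reviewed, and only then emit a digest-pinned reference. The sample manifest and pinned digest are constructed here, and the name@sha256:... reference form is assumed from the docker CLI.

```python
import hashlib
import hmac
import json

# Constructed sample manifest (not a real image). A registry's content digest
# is the sha256 of the exact manifest bytes it serves, so this stands in for
# what `GET /v2/<name>/manifests/<tag>` would return.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1234, "digest": "sha256:" + "11" * 32},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 5678, "digest": "sha256:" + "22" * 32}],
}, separators=(",", ":"), sort_keys=True).encode()

def manifest_digest(manifest_bytes: bytes) -> str:
    """Content digest as a registry reports it: sha256 over the raw bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()

# Digest recorded when the image was tested and reviewed; in practice this
# value is committed to the repository next to the pipeline configuration.
PINNED_DIGEST = manifest_digest(SAMPLE_MANIFEST)

def strip_tag(image: str) -> str:
    """'registry:5000/app:1.0' -> 'registry:5000/app' (port kept, tag/digest dropped)."""
    repo, sep, last = image.rpartition("/")
    name = last.partition("@")[0].partition(":")[0]
    return repo + sep + name

def digest_matches(manifest_bytes: bytes, expected_digest: str) -> bool:
    """Constant-time comparison of the fetched manifest digest with the pin."""
    return hmac.compare_digest(manifest_digest(manifest_bytes), expected_digest)

def verify_and_pin(image: str, manifest_bytes: bytes, expected_digest: str) -> str:
    """Return the digest-pinned reference (name@sha256:...) to use in the
    build, or raise so the pipeline fails closed if the tag was re-pointed."""
    if not digest_matches(manifest_bytes, expected_digest):
        raise ValueError(
            f"{image}: manifest digest {manifest_digest(manifest_bytes)} "
            f"does not match pinned {expected_digest}")
    return f"{strip_tag(image)}@{expected_digest}"

if __name__ == "__main__":
    print(verify_and_pin("python:3.11", SAMPLE_MANIFEST, PINNED_DIGEST))
    tampered = SAMPLE_MANIFEST.replace(b'"size":5678', b'"size":5679')
    print(digest_matches(tampered, PINNED_DIGEST))  # False: tampered manifest rejected
```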