Is there any command/way to get latest digest(sha256) for amazon/aws-lambda-nodejs:14. Currently, we are manually setting digest version sha256. Like, give below.

FROM amazon/aws-lambda-nodejs:14@sha256:621368a9c8cbf474b60ae9092725f6ea7ae4f9b0ac7a9229039e25157bad990b

We end up getting vulnerabilities after some time for the Docker image. Please suggest a way/command in Dockerfile to get the latest version or stable version while building a Docker image.

CodePudding user response：

The list of digests for each tag is available from a V2 registry JSON response for a specific tag in the images array:

curl -sfL "https://registry.hub.docker.com/v2/repositories/amazon/aws-lambda-nodejs/tags/14" \
 | jq -r '.images[] | "\(.os) \(.architecture) \(.digest)"'

Also from a local image in the RepoDigests array

docker pull amazon/aws-lambda-nodejs:14
docker inspect amazon/aws-lambda-nodejs:14 | \
 jq -r '.[].RepoDigests'

CodePudding user response：

If you specify an exact image hash like that, you'll always get that exact image, never a newer version or build.

It's more common to just specify the image tag

FROM amazon/aws-lambda-nodejs:14

If you docker pull the base image, it will contact the registry and try to get a newer version. It won't download versions or layers it already has, so this can be quick if the image hasn't changed upstream (or it can be slow if the base OS has an update and you need to download the whole thing again).

docker pull amazon/aws-lambda-nodejs:14
docker build .

docker build and docker-compose build both have --pull options that can do this automatically. If you're using Compose, for example, you can

docker-compose pull
docker-compose build --pull
docker-compose up -d

to get the newest build of any image mentioned in the docker-compose.yml file or in Dockerfile FROM lines.