Add comprehensive validation to enforce SHA256 digest pinning across all
Docker image references (Dockerfiles, docker-compose, and workflow files).

New Files:

- .github/scripts/validate-docker-compose-images.sh
  Bash script that validates docker-compose.yml files for unpinned images.
  Allows documented exceptions for own images and templates.
- .github/scripts/validate-workflow-images.py
  Python script with proper YAML parsing to validate GitHub Actions
  workflow service containers and container images.
- .github/workflows/validate-image-pinning.yml
  CI workflow that runs both validators on PR changes. Provides clear
  error messages and fix instructions when violations are found.

Why This Matters:

Image tags are mutable and can be reassigned to malicious images in supply
chain attacks. SHA256 digests are immutable cryptographic identifiers that
guarantee the exact same image bytes every deployment.

This validation:
- Blocks PRs with unpinned images
- Shows violations directly in PR checks (not just Security tab)
- Provides clear fix instructions
- Runs efficiently (only on relevant file changes)

Complements:
- PR #1184 (pins Dockerfile and workflow images)
- PR #1218 (pins docker-compose images)
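The check the commit describes, as an added example that is not the project's own validator scripts: it walks Dockerfile `FROM` lines and the `image:`/`container:` fields of docker-compose and workflow YAML, and reports any reference that does not end in a full `@sha256:` digest. Everything below the commit's stated behaviour is an assumption: the `ALLOWED_UNPINNED` exception list (standing in for the "documented exceptions for own images and templates"), the constructed sample files and digests, and the dependency-free line scan used in place of the real YAML parser the commit mentions. It also handles the edge cases a validator of this kind trips over: `FROM scratch`, references to earlier build stages, `--platform` flags, and `$VAR` references that cannot be verified statically.

```python
"""Added example, not the project's validate-*-images scripts.
Reports Docker image references that are not pinned to a sha256 digest."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A pinned reference ends in "@sha256:" followed by exactly 64 hex chars.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# FROM [--flag ...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
# `image: x` (compose, workflow services) or short-form `container: x` (workflow)
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?(?:image|container):\s*['\"]?([^'\"#\s]+)")

# Hypothetical exception list (assumption): repositories built in this repo
# are allowed to float, mirroring the commit's "documented exceptions".
ALLOWED_UNPINNED = {"example-org/internal-base"}

FIX_HINT = "pin with the digest from `docker buildx imagetools inspect <image>`"


@dataclass
class Violation:
    path: str
    line: int
    image: str
    reason: str


def is_pinned(image: str) -> bool:
    """True when the reference carries a complete sha256 digest."""
    return DIGEST_RE.search(image) is not None


def repository(image: str) -> str:
    """Repository name without tag or digest; safe for registry:port prefixes."""
    name = image.split("@", 1)[0]
    head, sep, last = name.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def classify(image: str) -> str | None:
    """Return a violation reason for an image reference, or None if acceptable."""
    if "$" in image:
        return "reference uses variable substitution; digest cannot be verified"
    if repository(image) in ALLOWED_UNPINNED:
        return None
    if not is_pinned(image):
        return f"image is not pinned to a sha256 digest; {FIX_HINT}"
    return None


def check_dockerfile(path: str, text: str) -> list[Violation]:
    """Validate every FROM line; build stages and `scratch` are not images."""
    out, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if image.lower() != "scratch" and image.lower() not in stages:
            reason = classify(image)
            if reason:
                out.append(Violation(path, n, image, reason))
        if stage:  # later FROM lines may reference this stage by name
            stages.add(stage.lower())
    return out


def check_yaml(path: str, text: str) -> list[Violation]:
    """Line-based scan of image fields (assumption: stands in for a YAML parser)."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_RE.match(line)
        if m and (reason := classify(m.group(1))):
            out.append(Violation(path, n, m.group(1), reason))
    return out


def validate_all(files: dict[str, str]) -> list[Violation]:
    """Dispatch on file name, as a CI job over changed files would."""
    out: list[Violation] = []
    for path, text in files.items():
        base = path.rsplit("/", 1)[-1]
        if base.startswith("Dockerfile") or base.endswith(".Dockerfile"):
            out.extend(check_dockerfile(path, text))
        elif base.endswith((".yml", ".yaml")):
            out.extend(check_yaml(path, text))
    return out


# Constructed sample inputs (digests are fake placeholders, not real images).
FAKE_DIGEST = "a" * 64
SAMPLE_DOCKERFILE = "\n".join([
    "# constructed sample Dockerfile",
    "ARG BASE=python:3.12-slim",
    "FROM --platform=$BUILDPLATFORM golang:1.22@sha256:" + FAKE_DIGEST + " AS builder",
    "FROM ${BASE}",                            # line 4: ARG, cannot verify
    "FROM builder AS tests",                   # line 5: build stage, fine
    "FROM scratch",                            # line 6: not an image
    "FROM example-org/internal-base:latest",   # line 7: documented exception
    "FROM nginx:1.25",                         # line 8: unpinned
])
SAMPLE_COMPOSE = "\n".join([
    "services:", "  web:", "    image: example-org/internal-base:1.0", "    build: .",
    "  db:", '    image: "postgres:16"',       # line 6: unpinned
    "  cache:", "    image: redis@sha256:" + FAKE_DIGEST,
])
SAMPLE_WORKFLOW = "\n".join([
    "jobs:", "  test:", "    runs-on: ubuntu-latest",
    "    container: node:20",                  # line 4: unpinned short form
    "    services:", "      pg:", "        image: postgres:16@sha256:" + FAKE_DIGEST,
    "    steps:", "      - uses: actions/checkout@v4",
])
SAMPLES = {"Dockerfile": SAMPLE_DOCKERFILE, "docker-compose.yml": SAMPLE_COMPOSE,
           ".github/workflows/ci.yml": SAMPLE_WORKFLOW}

if __name__ == "__main__":
    for v in validate_all(SAMPLES):
        print(f"{v.path}:{v.line}: {v.image}: {v.reason}")
```

Run as a script it prints one `path:line: image: reason` line per violation, the shape a CI check can surface directly in PR annotations. A `$VAR` reference is reported rather than silently skipped, because a validator that cannot see the resolved value cannot prove it is pinned; the exception list is matched on repository name only, so an exempt image still cannot smuggle in a different registry or path.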