After the tj-actions/changed-files supply chain attack, I've been trying to tighten up my Dockerfile security by adding in the Docker image hash:
FROM golang:1.24.2@sha256:991aa6a6e4431f2f01e869a812934bd60fbc87fb939e4a1ea54b8494ab9d2fc6 AS build
Dependabot is configured to update Dockerfiles, so later it automatically updated to:
FROM golang:1.24.2@sha256:1ecc479bc712a6bdb56df3e346e33edcc141f469f82840bab9f4bc2bc41bf91d AS build
The question is: what is preventing a future supply chain attack from releasing a corrupted Docker image?
One that Dependabot would dutifully update to within my repo.
I'm looking for a way to know that the change in hash for golang:1.24.2 was expected/authorized/valid.
Thanks
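One concrete check for the situation described in the question, added here as an example rather than anything from the post, Docker or Dependabot: compare the digest pinned in the Dockerfile's FROM line with the digest Docker Content Trust (Notary) reports as signed for that tag. A digest that the registry serves but that the publisher never signed is exactly the case a tampered image would produce, so the comparison turns "the hash changed" into "the hash changed to what the publisher signed". The function names and the trust JSON are this example's own; the JSON is constructed to mirror the shape of `docker trust inspect golang:1.24.2`, and the two digests are the ones from the question.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of Docker/Dependabot.
# Checks that the digest pinned in a Dockerfile FROM line is the digest that
# Docker Content Trust currently reports as signed for that tag, i.e. the digest
# the publisher signed and not just whatever the registry happened to serve.
# Function names here are this example's own. For a real check replace the
# constructed trust JSON with:  docker trust inspect golang:1.24.2 > trust.json
set -eu

# pinned_ref DOCKERFILE -> prints "image:tag <hex>" for the first digest-pinned FROM line
pinned_ref() {
  sed -n -E 's/^FROM[[:space:]]+([^@[:space:]]+)@sha256:([0-9a-f]{64}).*/\1 \2/p' "$1" | head -n 1
}

# signed_digest TRUST_JSON TAG -> prints the hex digest DCT lists as signed for TAG
# (docker trust inspect prints SignedTag/Digest pairs; digests carry no "sha256:" prefix)
signed_digest() {
  tag_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  tr -d '\n\t ' < "$1" |
    sed -n -E 's/.*"SignedTag":"'"$tag_re"'","Digest":"([0-9a-f]{64})".*/\1/p'
}

# check_pin DOCKERFILE TRUST_JSON -> exit 0 only if the pin equals the signed digest
check_pin() {
  line=$(pinned_ref "$1")
  if [ -z "$line" ]; then
    echo "FAIL: $1 has no FROM line pinned by sha256 digest" >&2
    return 1
  fi
  ref=${line%% *}
  pinned=${line##* }
  signed=$(signed_digest "$2" "${ref##*:}")
  if [ -z "$signed" ]; then
    echo "FAIL: no DCT-signed digest found for $ref; refusing to trust the pin" >&2
    return 1
  fi
  if [ "$pinned" != "$signed" ]; then
    echo "FAIL: $ref pinned to $pinned but the signed digest is $signed" >&2
    return 1
  fi
  echo "OK: $ref@sha256:$pinned matches the DCT-signed digest"
}

# --- constructed sample inputs: digests are the two from the question; the trust
# --- JSON is made up to mirror `docker trust inspect`, with only the newer digest signed
WORK=$(mktemp -d)
TRUST_JSON=$WORK/trust.json
DF_NEW=$WORK/Dockerfile.new
DF_OLD=$WORK/Dockerfile.old
cat > "$TRUST_JSON" <<'EOF'
[
  {
    "Name": "golang:1.24.2",
    "SignedTags": [
      {
        "SignedTag": "1.24.2",
        "Digest": "1ecc479bc712a6bdb56df3e346e33edcc141f469f82840bab9f4bc2bc41bf91d",
        "Signers": ["Repo Admin"]
      }
    ]
  }
]
EOF
printf 'FROM golang:1.24.2@sha256:%s AS build\n' \
  1ecc479bc712a6bdb56df3e346e33edcc141f469f82840bab9f4bc2bc41bf91d > "$DF_NEW"
printf 'FROM golang:1.24.2@sha256:%s AS build\n' \
  991aa6a6e4431f2f01e869a812934bd60fbc87fb939e4a1ea54b8494ab9d2fc6 > "$DF_OLD"

# Dependabot's new pin is the signed digest; the stale pin is no longer what DCT signs.
check_pin "$DF_NEW" "$TRUST_JSON"
if check_pin "$DF_OLD" "$TRUST_JSON"; then exit 1; fi
```

Run `check_pin Dockerfile trust.json` as a CI step on every Dependabot PR and the PR fails unless the new pin is the publisher-signed digest (`DOCKER_CONTENT_TRUST=1 docker pull golang:1.24.2` enforces the same thing at pull time). Two caveats a reviewer should keep in mind: a changed digest under the same tag is normal for official images, which are rebuilt whenever the base image or build toolchain changes, so the change itself is not a signal; and a valid signature only proves the image came through the official-images signing pipeline, not that the Go toolchain or the base image it was built from was clean. The same comparison works with any other source of publisher-signed digests if you use something other than DCT.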