azu

A CLI tool that adds @sha256:<digest> to FROM lines in Dockerfiles and image fields in docker-compose.yml to prevent supply chain attacks.

12 stars, 100% credibility. Found Apr 01, 2026 at 12 stars.
AI Analysis

Language: Go

AI Summary

A tool that automatically adds cryptographic digests to image references in Dockerfiles and docker-compose files to prevent supply chain attacks by pinning to specific image versions.

How It Works

1. 🔍 Discover secure builds
   The tool locks each base image reference in your Dockerfiles and docker-compose files to an exact, content-addressed digest, so a tag that is later moved or overwritten upstream cannot change what you build.

2. 📥 Get the tool
   Install the single binary with go install, Homebrew, or a GitHub release for Linux, macOS, or Windows.

3. 👀 Preview safety updates
   Run it in dry-run mode to see which FROM lines and image fields would get @sha256:<digest> appended, without writing anything yet.

4. ✏️ Apply the locks
   Re-run with writes enabled so the digests are written into your files and every image reference is pinned.

5. Verify it's secure
   Run the check mode to confirm that every image reference carries a digest and that each digest resolves to a real image in its registry.

6. 🔄 Add to your routine
   Run the check as a CI or PR gate so that any change introducing an unpinned image fails the build before it merges.

🏆 Builds fully protected
   Your builds now always use the exact digests you chose, so an upstream tag being repointed cannot change their content. Because a digest also freezes the image, pair it with an automated updater so security fixes still arrive through reviewed digest bumps.

AI-Generated Review

What is dockerfile-pin?

dockerfile-pin is a Go CLI tool that scans your Dockerfiles and docker-compose.yml files and adds exact @sha256 digests to unpinned FROM lines and image fields. Because a digest identifies image content rather than a name, builds keep pulling the same verified content even if the tag is later moved. Run dockerfile-pin run for a dry-run preview or to write the pins, and dockerfile-pin check to validate pins in CI. Note the scope of the guarantee: a digest pin ensures you pull exactly what you reviewed; it does not by itself vouch for where that image came from.

Why is it gaining traction?

Unlike a manual docker pull and docker inspect workflow, it auto-detects files via git ls-files or globs, expands ARG values in FROM lines, respects --platform flags such as linux/amd64 (relevant because a multi-arch tag's index digest differs from each platform's manifest digest), and reaches private registries through your existing Docker config. GitHub Actions integration is simple: run it as a PR check on ubuntu-latest runners, and it emits JSON for automation. As a lightweight Go CLI, it installs via go install, Homebrew, or GitHub releases for Linux, macOS, and Windows.
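The preview/apply/check workflow in How It Works and the ARG, --platform and multi-stage handling described in this paragraph reduce to one parsing problem: find each FROM reference, decide whether it needs a digest, and either append one or report it. The Go program below is an added example written for this page, not code from the dockerfile-pin project, and it makes no claim about that project's internals or flags. It assumes a lookup table in place of the registry query (ConstructedDigests, whose values are placeholders rather than real digests) and a constructed SampleDockerfile; PinDockerfile and CheckDockerfile are names chosen here. It covers Dockerfiles only, not docker-compose image fields.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var fromRe = regexp.MustCompile(`(?i)^(\s*FROM\s+)((?:--\S+\s+)*)(\S+)(.*)$`)
var argRe = regexp.MustCompile(`(?i)^\s*ARG\s+([A-Za-z_][A-Za-z0-9_]*)=(\S*)\s*$`)
var varRe = regexp.MustCompile(`\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$[A-Za-z_][A-Za-z0-9_]*`)
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// fromRef is one parsed FROM instruction.
type fromRef struct {
	line   int    // 0-based index into the Dockerfile lines
	ref    string // image reference after ARG expansion
	pinned bool   // already carries @sha256:<digest>
	exempt bool   // "scratch" or an earlier build stage: never needs a digest
}

// parseFroms expands ARG defaults in FROM refs and tracks stage names, so "FROM build" is a stage, not an image.
func parseFroms(lines []string) []fromRef {
	args, stages := map[string]string{}, map[string]bool{}
	var refs []fromRef
	for i, l := range lines {
		if m := argRe.FindStringSubmatch(l); m != nil {
			args[m[1]] = strings.Trim(m[2], `"'`)
			continue
		}
		m := fromRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		ref := varRe.ReplaceAllStringFunc(m[3], func(v string) string {
			if d, ok := args[strings.Trim(strings.TrimPrefix(v, "$"), "{}")]; ok {
				return d
			}
			return v // no default in the file: keep the placeholder as a marker
		})
		refs = append(refs, fromRef{i, ref, strings.Contains(ref, "@sha256:"), ref == "scratch" || stages[ref]})
		if f := strings.Fields(m[4]); len(f) >= 2 && strings.EqualFold(f[0], "AS") {
			stages[f[1]] = true
		}
	}
	return refs
}

// PinDockerfile appends @sha256:<digest> to unpinned FROM refs from a lookup table
// (stand-in for a registry query); the ref is kept as written so $ARG stays a build arg.
func PinDockerfile(src string, digests map[string]string) (string, []string, error) {
	lines := strings.Split(src, "\n")
	var pinned []string
	for _, r := range parseFroms(lines) {
		if r.pinned || r.exempt || strings.Contains(r.ref, "$") {
			continue // already pinned, stage/scratch, or depends on an unset ARG
		}
		digest := digests[r.ref]
		if !digestRe.MatchString(digest) { // unknown or malformed: never write a bad pin
			return "", nil, fmt.Errorf("line %d: no valid digest for %s", r.line+1, r.ref)
		}
		m := fromRe.FindStringSubmatch(lines[r.line])
		lines[r.line] = m[1] + m[2] + m[3] + "@" + digest + m[4]
		pinned = append(pinned, r.ref)
	}
	return strings.Join(lines, "\n"), pinned, nil
}

// CheckDockerfile lists FROM refs that must be pinned but are not (the CI gate).
// A ref that still depends on an unset ARG counts as unpinned.
func CheckDockerfile(src string) []string {
	var unpinned []string
	for _, r := range parseFroms(strings.Split(src, "\n")) {
		if !r.pinned && !r.exempt {
			unpinned = append(unpinned, r.ref)
		}
	}
	return unpinned
}

// ConstructedDigests stands in for registry lookups; placeholder values, not real digests.
var ConstructedDigests = map[string]string{
	"golang:1.22-alpine":               "sha256:" + strings.Repeat("1", 64),
	"gcr.io/distroless/static:nonroot": "sha256:" + strings.Repeat("2", 64),
}

// SampleDockerfile is constructed: ARG-driven base with --platform, a stage ref that must not be pinned, a runtime image.
const SampleDockerfile = `ARG GO_VERSION=1.22
FROM --platform=linux/amd64 golang:${GO_VERSION}-alpine AS build
FROM build AS test
FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/app /app
`

func main() {
	out, pinned, err := PinDockerfile(SampleDockerfile, ConstructedDigests)
	fmt.Println(out, "pinned:", pinned, "err:", err, "still unpinned:", CheckDockerfile(out))
}
```

Running it prints the rewritten Dockerfile with @sha256 appended to the two real image references while FROM build AS test is left alone, followed by an empty still-unpinned list. Two choices worth carrying into any pinning tool: a reference that still contains an unset $ARG is reported by the check but never rewritten, since its content is decided at build time; and a digest that is missing or not a well-formed sha256 aborts the run rather than writing a pin that would fail the next build.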

Who should use this?

DevOps teams enforcing reproducible Docker builds in monorepos with multiple Dockerfiles. CI/CD pipelines needing PR gates for unpinned images, especially with docker-compose services pulling from GHCR or ECR. Security-focused devs migrating legacy Dockerfiles without breaking multi-stage setups.

Verdict

Solid for pinning Docker images securely, with excellent docs and test coverage. At 12 stars and a 100% credibility score it is early but production-ready for small teams. Pair it with Renovate for digest updates if you're all-in on supply chain hardening: a digest pin freezes the image, so without an updater you also freeze its security fixes.
