Skip to main content
ClawQL
SecurityTraining · Part 1/30

Agentic AI security curriculum · Security overview

Container Image Security: Pinning, Distroless Pipelines, Mirror Registries, and Golden Images

Pinning, Distroless Pipelines, Mirror Registries, and Golden Images

Hello and welcome to Module 1!

This is where we lay the absolute foundation of our entire security posture. Think of container images as the “DNA” of every workload that runs in your agentic platform. If that DNA is corrupted or untrusted, nothing else downstream—no admission controls, no runtime enforcement, no monitoring—can fully save you.

In this module we’ll turn the most common supply-chain attack vector into something that is provably, repeatably, and automatically secure. By the end you’ll understand exactly why digest pinning is non-negotiable, why a private mirror registry gives you the highest ROI of any single architectural decision, and how a golden-image pipeline plus distroless bases removes entire categories of attacks before your agents even start.

Let’s dive in.

The Problem with Unpinned Images

Imagine you’re building the same agent every day. You write FROM node:22 (or python:3.12, etc.) in your Dockerfile and everything works perfectly… until one Tuesday morning when the upstream publisher silently updates the latest tag (or even a specific version tag) with a new layer that contains malware.

That is exactly how most real-world supply-chain attacks happen.

Here’s why unpinned images are catastrophic for agentic platforms:

  • The latest tag resolves to a different image every time you pull. There is literally no guarantee that what runs in production tomorrow is the same thing that passed your security scan yesterday.

  • Upstream maintainers can (and sometimes do) push updates to existing tags without changing the tag name. This breaks reproducibility and makes audit trails meaningless.

  • The majority of supply-chain attacks target the base image layer, not your application code, because it’s the easiest way to get code execution inside thousands of downstream deployments.

  • Mutable tags make it impossible to answer the simple question: “What exact bytes were running when this incident occurred?”

Real-world consequence: A single malicious update to a popular base image can give an attacker shell access inside every agent that pulls it. We’ve seen this pattern in the wild far too many times.

Digest Pinning — The Cryptographic Fix

The solution is simple in concept but powerful in practice: never reference an image by tag; always pin to its cryptographic digest.

Instead of:

FROM node:22

You write:

FROM node@sha256:abc123def456... (the full 64-character SHA-256 digest)

Why this works so well:

  • A digest is cryptographically bound to the exact bytes of the image. Changing even a single bit changes the digest.

  • You cannot “silently update” a digest-pinned image — the reference itself would have to change.

  • Every time the digest changes, your CI pipeline runs the full security scan again (which is exactly what we want).

Practical workflow:

  1. Your Dockerfile always uses a digest (never a tag).

  2. Use Renovate or Dependabot to automatically propose digest updates as PRs.

  3. Every PR that changes a digest triggers Trivy, OSV-Scanner, and your full test suite.

  4. Only after all gates pass does the new digest get merged and promoted.

This turns “image updates” from a risky manual process into a safe, auditable, automated one.

Private Mirror Registry with Harbor — Your Single Source of Truth

Never, ever pull directly from Docker Hub, Quay, or any public registry in production. That is the architectural decision with the highest supply-chain ROI in the entire curriculum.

We use Harbor as our private mirror registry for three reasons:

  • Pull-through cache: It automatically caches approved images from upstream so you’re not hammering public registries.

  • Scanning & allowlisting gate: Every image must pass Trivy + OSV-Scanner before it is allowed into the production allowlist. Images that fail are quarantined.

  • Replication & access control: Harbor can replicate approved images to regional replicas for low latency and high availability. Only the CI system is allowed to push; all pods pull only, using pull secrets scoped per namespace.

How the flow works in practice:

  1. CI pipeline builds or updates an image → scans it.

  2. If clean, it is pushed to Harbor under a project like approved/.

  3. Harbor’s replication policies sync it to other regions.

  4. All production workloads reference only harbor.yourcompany.com/approved/...@sha256:...

This gives you a single, auditable source of truth and removes the public internet as a dependency for production workloads.

SBOM Generation — Know Exactly What’s Inside

You can’t defend what you can’t see. That’s why we generate a Software Bill of Materials (SBOM) at build time.

Tools we love:

  • Syft (from Anchore)

  • Docker BuildKit with --sbom flag

Example in your CI:

docker build --sbom=true -t myimage@sha256:... .

The SBOM records every package, version, license, and source. We store the SBOM alongside the image digest in Harbor as an attached artifact (using OCI artifacts).

Why this is gold for agentic platforms:

  • When a new CVE drops, you can instantly query “which of our 400 golden images and application images contain this package?” without re-scanning everything.

  • It powers rapid blast-radius assessment during incident response.

Distroless Base Images — Removing the Attacker’s Toolbox

Standard base images ship with a shell, package manager, curl, wget, and dozens of other utilities. None of these are needed at runtime for most agents.

Distroless images (from Google or built with FROM scratch) contain only:

  • The runtime (Node, Python, JVM, etc.)

  • Your application binary or code

Benefits that are huge for security:

  • No shell → no sh -c "malicious command" execution path.

  • No package manager → no apt install or pip install pivot.

  • Dramatically smaller attack surface.

Multi-stage build pattern (the gold standard):

Stage 1: Build

FROM node:22 AS builder

WORKDIR /app

COPY . .

RUN npm ci && npm run build

Stage 2: Distroless runtime

FROM gcr.io/distroless/nodejs22

COPY --from=builder /app/dist /app

CMD ["index.js"]

The Golden Image Pipeline — One Hardened Base to Rule Them All

Instead of every team making their own hardening decisions, we define golden base images for each runtime:

  • golden/node:22-distroless

  • golden/python:3.12-distroless

  • etc.

How the pipeline works:

  1. Built weekly or on any upstream CVE disclosure.

  2. Scanned, signed with Cosign, and promoted to Harbor.

  3. Every application Dockerfile starts with FROM harbor.yourcompany.com/golden/node@sha256:...

  4. Hardening (non-root user, read-only filesystem, dropped capabilities) is applied once at the golden layer.

This gives you consistent, auditable hardening across the entire fleet instead of per-application guesswork.

Trivy + OSV-Scanner Integration — Shift-Left Scanning

We run two complementary scanners in CI on every PR that touches a Dockerfile or lockfile:

  • Trivy: Container image and filesystem scanner (catches OS packages, language libraries, secrets, misconfigurations).

  • OSV-Scanner: Checks Go modules, npm, pip, Cargo, etc. against the Open Source Vulnerabilities database.

Policy:

  • Fail the build on CRITICAL or HIGH severity issues with no fix available.

  • Scan results are uploaded as signed artifacts alongside the image digest.

  • Weekly scheduled scans against all images in Harbor catch newly disclosed CVEs.

Key Takeaways (Memorize These!)

  • Digest pinning is non-negotiable — tag pinning is not pinning.

  • A private mirror registry (Harbor) is the single highest-ROI architectural decision in the entire supply chain.

  • Distroless images remove entire attack categories, not just individual vulnerabilities.

  • SBOMs are the prerequisite for vulnerability management at scale.

  • The golden image pipeline means one hardened, reviewed base applied everywhere — far better than per-app decisions.

Next Steps & Hands-On Challenge

  1. Take any existing Dockerfile in your project and convert it to digest pinning + distroless.

  2. Stand up a local Harbor instance (or use the official Helm chart) and configure it as a pull-through cache.

  3. Add Trivy + OSV-Scanner to your CI and watch the first scan results come in.

You’ve just taken the single biggest step toward supply-chain security for your agentic platform.