Explicitly specify docker.io to prevent potential repository squatting
agardnerIT opened this issue · 0 comments
agardnerIT commented
The docker-compose.yaml
currently points to:
image: jaegertracing/all-in-one:1.42
...
image: thomaspoignant/go-feature-flag-relay-proxy:v1.4.0
These images should be updated to explicitly use docker.io (or another repo) and not leave the resolution up to the client.
Leaving the client to decide where to pull these images from opens the potential for malicious actors to claim that space on a different repo (eg. quay.io) and if the client decides to pull from their repo - that means the end-user receives an "unofficial" version - which could contain malware.
Summary: Change those image
lines to point explicitly to a repo.