HACKER Q&A
📣 BeenAGoodUser

How to handle security updates for Docker images?


When you deploy an app as a Docker container, the image is built at deploy time, meaning the libraries only have a chance of being updated the next time you deploy/rebuild your image. Is there any recommended workflow/tools to handle rebuilding your image as soon as a dependency gets a (security) update?


  👤 radonek Accepted Answer ✓
To trigger a rebuild, you first need to know relevant upstream updates. To recognize them, you need to know your dependencies. Docker provides no means to track dependencies. In fact, avoiding dependency knowledge is one of its major selling points.

I won't say it's an impossible problem to tackle. But I doubt any solution you find could work better or be less complicated than regular packaging. Unlike Docker, debhelper, rpm, ebuild and others were designed for this task, and have decades of experience in the field.
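As an added example (not from the thread, and not Renovate's or Dependabot's code), here is a small Python script that extracts the dependency knowledge the answer above says a rebuild trigger needs from a Dockerfile: its external base images, whether each is digest-pinned or only tagged, and the version-pinned apt/pip packages. The Dockerfile text and its sha256 digest are constructed placeholders.

```python
import re

# Added example, not from the thread: list the external dependencies a Dockerfile
# declares (base images, version-pinned packages), the minimum a rebuild trigger needs.
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?", re.I)
APT_RE = re.compile(r"apt-get\s+install\b(?P<args>[^&|;]*)")  # args stop at && / || / ;
PIP_RE = re.compile(r"\bpip3?\s+install\b(?P<args>[^&|;]*)")
PIN_RE = re.compile(r"^([A-Za-z0-9][\w.+-]*)(==|=)(\S+)$")  # name==ver (pip) or name=ver (apt)

# Constructed sample Dockerfile; the sha256 digest is an all-zero placeholder, not a real image.
SAMPLE = """\
FROM --platform=linux/amd64 python:3.12-slim AS builder
RUN pip install --no-cache-dir requests==2.31.0 cryptography==42.0.5
FROM debian:bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get install -y --no-install-recommends \\
        curl=7.88.1-10+deb12u5 ca-certificates \\
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /app /app
FROM builder AS test
"""

def inventory(dockerfile_text):
    """Return {'images': [...], 'packages': [...]} declared in the Dockerfile.

    'digest_pinned' is False for a base image referenced only by tag: upstream can
    change it without the Dockerfile changing, so a trigger must poll the registry.
    Stage names are tracked so 'FROM builder' is not reported as an external image.
    """
    images, packages, stages = [], [], set()
    text = re.sub(r"\\\s*\n", " ", dockerfile_text)  # fold backslash continuations
    for line in text.splitlines():
        line = line.strip()
        m = FROM_RE.match(line)
        if m:
            if m.group("stage"):
                stages.add(m.group("stage").lower())
            ref = m.group("image")
            if ref.lower() not in stages:
                images.append({"ref": ref, "digest_pinned": "@sha256:" in ref})
            continue
        if not line.upper().startswith("RUN"):
            continue
        for mgr, rx in (("apt", APT_RE), ("pip", PIP_RE)):
            for inst in rx.finditer(line):
                for tok in inst.group("args").split():
                    p = PIN_RE.match(tok)
                    if p:
                        packages.append({"manager": mgr, "name": p.group(1), "version": p.group(3)})
    return {"images": images, "packages": packages}
```

Unpinned packages (like `ca-certificates` above) are deliberately left out of the list: their version is whatever the mirror serves at build time, so the only way to pick up their security updates is the periodic rebuild the question asks about.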


👤 captaindiego
Mend Renovate

👤 yuppie_scum
Dependabot