
I always thought that when I build the Dockerfile for my application, the latest version of the base image is downloaded from the registry (and in this way I have a fresh version with all the security patches in the base image).

However, I now read that Docker:

  1. Uses the existing tag on the local machine if it exists
  2. The FROM command creates a layer that is cached

Is that true? So is my assumption above wrong?

Consider a simple Ruby application:

    FROM ruby:3.0
    ...

On Docker Hub the image is frequently updated with security patches of the OS, etc. However, the tag remains the same for months or years (e.g. ruby:3.0). But there is caching (points 1 and 2), so every time you build your app you get a stale version of the base image (!?).

What do you do to ensure your base images have their security patches? Do you disable the cache to ensure the download of the latest version? How? What are the current best practices?

It seems that everyone online is ignoring this security risk just for some speed benefit (caching). And caching is the default behavior of Docker! It's really surprising that the default behavior is insecure... Or maybe I am missing something?

collimarco
