Golden Base Image Checklist (Pin, Scan, SBOM, Sign)

Why this matters

  • Reduces drift and vulnerability noise.
  • Makes provenance and admission policies practical: verifyImages has one signed digest to check, and an org-allow policy can refuse anything not from your registry/prefix.

Checklist (do this per refresh)

  1. Choose base & runtime (a language image for the build stage, a minimal runtime image such as distroless for the final stage).
  2. Pin digests
    • Pull tags → record RepoDigests. For a multi-arch tag this is the manifest-list digest; pin that one unless you deliberately build single-platform.
    • Check that the RepoDigest belongs to the repo you pulled: index 0 is only the first entry, and an image ID that was also tagged from a mirror carries more than one.
    • Paste those digests into your Dockerfile.base as FROM image@sha256:... (image:tag@sha256:... also works; Docker resolves the digest and the tag is only a label).
    • Example commands:
      docker pull golang:1.22-alpine
      docker inspect --format='{{index .RepoDigests 0}}' golang:1.22-alpine
      docker pull gcr.io/distroless/static:nonroot
      docker inspect --format='{{index .RepoDigests 0}}' gcr.io/distroless/static:nonroot
      
  3. Build base with your Make target (e.g., make base-build), push it, and record the pushed digest; every later step should reference the base by that digest, not by tag.
  4. Scan base image (e.g., make base-scan) → artifacts/trivy-image-base.json; any High/Critical finding fails the refresh.
  5. Generate SBOM of base (e.g., make base-sbom) → artifacts/sbom-base.json.
  6. Sign with Cosign (e.g., make base-sign): sign the image digest (never the tag, which can be moved) and the SBOM → bundle in artifacts/.
  7. Apply admission policy: an allow-list on your org registry/prefix, plus verifyImages with the public key so only images whose digest carries a valid signature are admitted.
  8. Document date, digests, SBOM, signature bundle, and scan summary.
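Steps 2 through 8 above as one script, added here as an example; it is not the page's own Make targets. Everything it relies on is an assumption: a Dockerfile.base in the working directory, the push target your-reg/your-app, a local cosign key pair cosign.key/cosign.pub, and docker, trivy and cosign on PATH. The SBOM is taken from trivy's cyclonedx output and the bundle from cosign sign-blob, both chosen here because the page does not name a tool for those steps. The helpers (digest selection, FROM rewriting, scan gate, release note) are pure and can be exercised offline; only main() calls the tools.

```python
"""Golden base image refresh: pin, build, scan, SBOM, sign, document.
Added example for this checklist, not the page's own Make targets. Assumed and
hypothetical: Dockerfile.base in the working directory, the base pushed to
BASE_REPO, a cosign key pair cosign.key / cosign.pub, and docker, trivy and
cosign on PATH. Only main() calls those tools; the helpers are pure."""
import json
import re
import subprocess
from datetime import date
from pathlib import Path

BASE_REPO = "your-reg/your-app"                                    # hypothetical
BASES = ["golang:1.22-alpine", "gcr.io/distroless/static:nonroot"]
FROM_RE = re.compile(r"^(FROM\s+)(--platform=\S+\s+)?(\S+)(.*)$")

def run(*cmd, capture=False):
    """Run one CLI step; a non-zero exit aborts the whole refresh."""
    r = subprocess.run(cmd, check=True, text=True, capture_output=capture)
    return r.stdout if capture else ""

def repo_of(ref):
    """'gcr.io/distroless/static:nonroot' -> 'gcr.io/distroless/static'."""
    head, _, last = ref.split("@", 1)[0].rpartition("/")
    last = last.split(":", 1)[0]                # the tag sits only in the last part
    return f"{head}/{last}" if head else last

def pick_digest(ref, repo_digests):
    """RepoDigest of the repo actually pulled. `{{index .RepoDigests 0}}` may
    hand back a mirror's entry when one image ID carries several repos."""
    want = repo_of(ref)
    hits = [d for d in repo_digests if d.split("@", 1)[0] == want]
    if not hits:
        raise ValueError(f"no RepoDigest for {want!r} in {repo_digests}")
    return hits[0].split("@", 1)[1]             # 'sha256:...'

def inspect_digest(ref):
    out = run("docker", "inspect", "--format", "{{json .RepoDigests}}", ref, capture=True)
    return pick_digest(ref, json.loads(out))

def pin_dockerfile(text, digests):
    """Rewrite each FROM to repo:tag@sha256:... (Docker resolves the digest; the
    tag stays for readability). Stage references pass through; any other base
    without a recorded digest is an error, not a silently floating tag."""
    out, stages = [], set()
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m or m.group(3) in stages:
            out.append(line)
        else:
            kw, platform, image, rest = m.groups()
            base = image.split("@", 1)[0]       # drop any previous pin, re-pin
            if base not in digests:
                raise ValueError(f"no pinned digest for FROM {image}")
            out.append(f"{kw}{platform or ''}{base}@{digests[base]}{rest}")
        if m and (alias := re.search(r"\sAS\s+(\S+)", m.group(4), re.I)):
            stages.add(alias.group(1))
    return "\n".join(out) + "\n"

def high_critical(report):
    """(id, package, fixed) for HIGH/CRITICAL entries of a Trivy JSON report;
    Results[].Vulnerabilities is absent or null for clean targets."""
    return [(v["VulnerabilityID"], v.get("PkgName"), v.get("FixedVersion"))
            for res in report.get("Results") or []
            for v in res.get("Vulnerabilities") or []
            if v.get("Severity") in ("HIGH", "CRITICAL")]

def release_note(tag, digest, findings):
    scan = ("no High/Critical" if not findings else
            f"{len(findings)} High/Critical: " + ", ".join(f[0] for f in findings))
    return (f"  • Base: {tag}@{digest}\n"
            "  • SBOM: artifacts/sbom-base.json (signed; bundle artifacts/sbom-base.bundle)\n"
            f"  • Scan: artifacts/trivy-image-base.json ({scan})\n")

def main():
    art = Path("artifacts")
    art.mkdir(exist_ok=True)
    scan_json, sbom = art / "trivy-image-base.json", art / "sbom-base.json"
    digests = {}
    for ref in BASES:                           # step 2: pull tags, record digests
        run("docker", "pull", ref)
        digests[ref] = inspect_digest(ref)
    df = Path("Dockerfile.base")
    df.write_text(pin_dockerfile(df.read_text(), digests))
    tag = f"{BASE_REPO}:base-{date.today().isoformat()}"
    run("docker", "build", "-f", str(df), "-t", tag, ".")             # step 3
    run("docker", "push", tag)
    by_digest = f"{BASE_REPO}@{inspect_digest(tag)}"  # digest, not tag, from here on
    run("trivy", "image", "--format", "json", "--output", str(scan_json), by_digest)  # step 4
    findings = high_critical(json.loads(scan_json.read_text()))
    run("trivy", "image", "--format", "cyclonedx", "--output", str(sbom), by_digest)  # step 5
    run("cosign", "sign", "--yes", "--key", "cosign.key", by_digest)   # step 6: sign the digest
    run("cosign", "sign-blob", "--yes", "--key", "cosign.key",
        "--bundle", str(art / "sbom-base.bundle"), str(sbom))
    (art / "RELEASE.txt").write_text(                                  # step 8
        release_note(tag, by_digest.split("@", 1)[1], findings))
    if findings:
        raise SystemExit(f"not promoting base: {len(findings)} High/Critical findings")

if __name__ == "__main__":
    main()
```

Run it from the repository root once step 1 is settled. The scan gate is deliberately applied after the build but before the signature is published anywhere you rely on, and the release note only ever records the pushed digest, so the note can be diffed against the previous generation. To bind the SBOM to the image in the registry as well, cosign attest with the same key and the SBOM as the predicate is the usual addition; it is left out here to keep the script to the steps the checklist lists.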

Maintenance cadence

  • Monthly refresh (or faster on critical CVEs).
  • Keep the last 3 generations with their metadata and artifacts (digests, SBOM, signature bundle, scan), so a rollback target is still verifiable.

Release note (example)

  • Base: your-reg/your-app:base-2025-10-19@sha256:...
  • SBOM: artifacts/sbom-base.json (signed)
  • Scan: artifacts/trivy-image-base.json (no High/Critical)