# Your Images are Out of Date (probably) - The Silent Rebuilds problem

- Page: https://stenobird.com/podcast/devops-and-docker-talk-cloud-native-interviews-and-tooling/your-images-are-out-of-date-probably-the-silent-rebuilds-problem
- Text version: https://stenobird.com/podcast/devops-and-docker-talk-cloud-native-interviews-and-tooling/your-images-are-out-of-date-probably-the-silent-rebuilds-problem.md
- Podcast: [DevOps and Docker Talk: Cloud Native Interviews and Tooling](https://stenobird.com/podcast/devops-and-docker-talk-cloud-native-interviews-and-tooling)
- Published: 2026-03-04T19:23:46+00:00
- Episode link: https://podcast.bretfisher.com/episodes/your-images-are-out-of-date-probably-the-silent-rebuilds-problem
- Audio file: https://media.transistor.fm/a9cc668b/27c90c17.mp3
- Processing state: processed
- JSON: https://stenobird.com/v1/public/podcasts/devops-and-docker-talk-cloud-native-interviews-and-tooling/episodes/your-images-are-out-of-date-probably-the-silent-rebuilds-problem
- Duration seconds: 2339

## Resource

Official Docker Hub tags are mutable, meaning upstream providers can rebuild images without changing the version tag. This "silent rebuild" phenomenon introduces unvetted changes and new vulnerabilities into your production environment without warning.
## Highlights

- Main idea: Official Docker Hub tags are mutable, allowing upstream maintainers to push new image digests under the same version tag.
- Failure mode: Relying on mutable tags leads to "silent rebuilds" where your production environment changes without a corresponding code commit or notification.
- Practical takeaway: Use tools like Renovate or Dependabot with specific configurations to track digest changes and automate updates.
- Security risk: Untracked image updates are a primary source of unexpected CVEs in otherwise stable container environments.
- Best practice: Pin images to their specific SHA256 digests to ensure deterministic builds and prevent unvetted upstream changes.

## Topics

Docker, Container Security, DevOps, CVE, CI/CD, GitHub Actions, Dependabot, Renovate, Infrastructure as Code, Cloud Native

## Chapters

- 1:00 — The Upstream Dependency Problem: An overview of how reliance on upstream-controlled base images like Debian, Alpine, or Wolfgard creates a hidden layer of dependency management.
- 9:40 — The Illusion of Security Scanning: Why a clean security scan at build time is temporary, as new vulnerabilities emerge in existing images as they age.
- 15:50 — The Impact of Silent Rebuilds: Exploring how even when you pin to a version like Python 3.13, the underlying layers can change without notice.
- 18:45 — The Mutability of Docker Tags: A deep dive into how Docker Hub and Harbor handle tag mutability and the risks of using non-immutable tags.
- 21:30 — Automating Digest Tracking: Introduction to the "Tag Tracker" concept and using tools to monitor changes in image digests.
- 33:05 — The Solution: Digest Pinning and Automation: How to implement Renovate or Dependabot to catch silent rebuilds and move toward a zero-CVE architecture.
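The digest-pinning practice from the highlights, as an added example that is not from the episode and not Docker's, Renovate's or Dependabot's own tooling: a small audit script that parses Dockerfile `FROM` lines and separates base images pinned to a `sha256` digest (immune to a silent rebuild) from those that still float on a mutable tag. The sample Dockerfile and the digest in it are constructed placeholders.

```python
import re

# Matches: FROM [--platform=...] <image>[:<tag>][@sha256:<digest>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify_ref(ref, stages):
    """Classify one FROM reference by how deterministic it is."""
    if ref in stages:
        return "stage"      # an earlier build stage, not a registry pull
    if ref == "scratch":
        return "scratch"    # the empty image; nothing upstream to rebuild
    if DIGEST_RE.search(ref):
        return "pinned"     # content-addressed; a rebuild cannot replace it
    name = ref.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]          # skip registry host:port segments
    tag = last.rsplit(":", 1)[1] if ":" in last else "latest"
    return "floating" if tag == "latest" else "mutable"

def audit_dockerfile(text):
    """Return (line_no, ref, classification) for every FROM line in order."""
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        findings.append((n, ref, classify_ref(ref, stages)))
        if stage:
            stages.add(stage)
    return findings

def unpinned(findings):
    """Only the references an upstream maintainer could change under you."""
    return [f for f in findings if f[2] in ("mutable", "floating")]

# Constructed sample; the digest below is a placeholder, not a real image digest.
SAMPLE = """\
FROM --platform=linux/amd64 python:3.13 AS build
FROM node:20@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS assets
FROM ghcr.io/example/base
FROM build
FROM scratch
"""

if __name__ == "__main__":
    for n, ref, kind in audit_dockerfile(SAMPLE):
        print(f"line {n}: {kind:8} {ref}")
```

Running it against a real Dockerfile turns the "is this pinned?" question into a CI check; the `mutable` and `floating` findings are the lines Renovate or Dependabot digest tracking should be configured to rewrite.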
## Actions

- request_transcript: `POST https://stenobird.com/v1/public/podcasts/devops-and-docker-talk-cloud-native-interviews-and-tooling/episodes/your-images-are-out-of-date-probably-the-silent-rebuilds-problem/transcription-requests` — Idempotently request low-priority transcript generation for this episode.
- read_markdown: `GET https://stenobird.com/podcast/devops-and-docker-talk-cloud-native-interviews-and-tooling/your-images-are-out-of-date-probably-the-silent-rebuilds-problem.md` — Read the agent-friendly Markdown representation of this episode resource.

A page view does not enqueue transcription. Agents should invoke `request_transcript` explicitly when they need this episode processed.

## Transcript

Full transcripts are not published on public pages unless there is a clear rights basis.