DEV Community

Jonas Brømsø

Weird PR for Python Base Docker Image, do not know how to read it

I have recently written about pinning Docker images

And I am starting to use this for my various repositories using Docker.

Now I have received a PR from Dependabot, which looks weird.

It looks different than they normally do, as it came after another recent PR:

The PR wants to bump my Docker base image for Python

# Python 3.13.5-slim-bookworm
FROM python@sha256:f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81

Bumps python from f2fdaec to 5f69d22.

If I pull the image from DockerHub and inspect it I do find the checksum I already know

docker pull python:3.13.5-slim-bookworm
docker inspect python:3.13.5-slim-bookworm |jq -r '.[] | .RepoDigests[]'
python@sha256:f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81

Where:

  • f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81

Resembles:

  • f2fdaec

But not:

  • 5f69d22

I have deleted the local image and pulled it again with the exact same result.

If somebody knows how I should read this, do let me know.

Top comments (1)

Jonas Brømsø

Solution found: the unknown, or rather unidentified, SHA was pointing to latest. With a little AI assistance I ended up with this:

curl -s "https://registry.hub.docker.com/v2/repositories/library/python/tags/?page_size=50" | python3 -m json.tool | jq '.results[] | select(.digest == "sha256:5f69d22a88dd4cc4ee1576def19aef48c8faa1b566054c44291183831cbad13b") | {name, digest, last_updated}'
{
  "name": "latest",
  "digest": "sha256:5f69d22a88dd4cc4ee1576def19aef48c8faa1b566054c44291183831cbad13b",
  "last_updated": "2025-06-13T03:10:06.102742Z"
}
{
  "name": "3.13.5",
  "digest": "sha256:5f69d22a88dd4cc4ee1576def19aef48c8faa1b566054c44291183831cbad13b",
  "last_updated": "2025-06-13T03:08:51.583464Z"
}

Lifted from:
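As an added example (not code from the post or the comment), the same digest-to-tag lookup can be turned into a check on a digest bump: resolve the abbreviated digest from the PR and compare its tags with the tag named in the comment above `FROM`. The sample response is constructed from the tag names and digests shown on this page, and treating the comment above `FROM` as the intended tag is an assumption based on the Dockerfile above; the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the tags response queried above
# (results[] entries with name and digest); values are the ones on this page.
SAMPLE_TAGS = {"results": [
    {"name": "latest",
     "digest": "sha256:5f69d22a88dd4cc4ee1576def19aef48c8faa1b566054c44291183831cbad13b"},
    {"name": "3.13.5",
     "digest": "sha256:5f69d22a88dd4cc4ee1576def19aef48c8faa1b566054c44291183831cbad13b"},
    {"name": "3.13.5-slim-bookworm",
     "digest": "sha256:f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81"},
]}

DOCKERFILE = """\
# Python 3.13.5-slim-bookworm
FROM python@sha256:f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81
"""

def tags_by_digest(tags_response):
    """Reverse index: full digest -> set of tag names that point at it."""
    index = {}
    for entry in tags_response.get("results", []):
        digest = entry.get("digest")
        if digest:  # skip entries without a top-level digest
            index.setdefault(digest, set()).add(entry["name"])
    return index

def intended_tag(dockerfile):
    """Assumed convention: the comment directly above a digest-pinned FROM
    ends with the tag the pin is meant to track."""
    lines = dockerfile.splitlines()
    for prev, line in zip(lines, lines[1:]):
        pinned = re.match(r"\s*FROM\s+\S+@sha256:[0-9a-f]{64}", line)
        if pinned and prev.lstrip().startswith("#"):
            return prev.split()[-1]
    return None

def review_bump(dockerfile, short_new, tags_response):
    """Classify a bump to the abbreviated digest `short_new` (e.g. '5f69d22')."""
    index = tags_by_digest(tags_response)
    wanted = intended_tag(dockerfile)
    matches = [d for d in index if d.split(":", 1)[1].startswith(short_new)]
    if len(matches) != 1:  # not in this listing, or ambiguous prefix
        return ("unknown", wanted, [])
    tags = sorted(index[matches[0]])
    return ("same-tag" if wanted in tags else "different-tag", wanted, tags)

if __name__ == "__main__":
    print(review_bump(DOCKERFILE, "5f69d22", SAMPLE_TAGS))
```

Against the live endpoint the listing is paginated (the query above asks for `page_size=50`), so an `unknown` result only means the digest was not in the pages fetched.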