Pin base image digests + auto-update via Renovate

[BergCyrill]

Why

OSSF Scorecard flagged Pinned-Dependencies (Medium, normalized to 6/10) because base images are tag-only. Tags are mutable — a republished tag silently changes binary contents and is a supply-chain vector. Digest pinning closes that; the Renovate preset keeps the digests fresh.

What

• Dockerfile — @sha256:... on the 4 external FROM lines (1, 28, 34, 41). Lines 18/23 are local stage refs, nothing to pin.
• renovate.json — added docker:pinDigests so Renovate auto-PRs digest updates when tags get republished.

Digests verified via crane digest against the live multi-arch indexes.

Test plan

• docker buildx build --check --target controller . passes
• jq confirms renovate.json is valid
• Next Scorecard run shows Pinned-Dependencies ≥ 9/10

Summary by CodeRabbit

• Chores
  • Updated Docker image configurations for improved build reproducibility and consistency.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 845afd77-93a2-4036-a1ae-703ee4aad104

📥 Commits

Reviewing files that changed from the base of the PR and between 5d2b00f and dbd8f83.

📒 Files selected for processing (2)

• Dockerfile
• renovate.json

---

📝 Walkthrough

Walkthrough

This PR pins Docker base images in the Dockerfile to specific content digests rather than floating tags, and configures Renovate to automatically manage those digests. The golang builder and all distroless runtime stages now reference immutable image digests for reproducibility and supply-chain security.

Changes

Container Image Digest Pinning

Layer / File(s)	Summary
Docker image digest pinning Dockerfile	Golang 1.26.3 builder stage and all three distroless runtime stages (controller, webhook, combined) pinned from tag-based to digest-based image references.
Renovate digest automation renovate.json	docker:pinDigests preset added to the extends configuration to enable automated digest updates.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• opendefensecloud/dependency-controller#62: Related configuration preset update to renovate.json for automated GitHub Actions digest pinning.

Suggested reviewers

• Perseus985

Poem

🐰 Digests pinned tight, no more floating tags,
Renovate stands guard through future drags,
Supply chain secured, containers locked in place,
Reproducible builds at a steady pace! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: pinning base image digests and enabling Renovate for automatic updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/no-ref/pin-docker-image-digests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[BergCyrill]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[BergCyrill]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.