Container base images (like Official Docker Hub images) are often updated without new tag versions. I call this Silent Rebuilds. There's no way to know this happens without image digest-checking automation like Dependabot and Renovate with specific settings. Failure to keep up-to-date is a prime source of vulnerabilities that can lead to serious security breaches. Automate the updates!Check out the video podcast version here: https://youtu.be/z_ahbsSc4Fo🙌 The Agentic DevOps Guild has launched! It's a training + community + mentorship program for engineers wanting to learn the latest CI/CD automation and dive into Agentic DevOps. Meetups are happening now, with new course videos dropping every few weeks. Join the Guild and become your team's leader in AI for infrastructure automation https://www.bretfisher.com/theguild 🍾★Show Links★Course waitlist: GitHub Actions Prohttps://www.bretfisher.com/blog/silent-rebuildshttps://github.com/BretFisher/silent-rebuildshttps://www.bretfisher.com/chainguard-eventCreators & Guests Cristi Cotovan - Editor Bret Fisher - Host Beth Fisher - Producer Nirmal Mehta - Host You can also support this podcast by subscribing to my YouTube channel and my weekly newsletter at bret.news!Grab the best coupons for my Docker and Kubernetes courses.Join my cloud native DevOps community on Discord.Grab some merch at Bret's Loot BoxHomepage bretfisher.com (00:00) - Intro (05:30) - Docker Security and Image Builds (10:13) - CVEs in Containers (11:39) - Where we were (15:26) - Silent Builds and Mutable Tags (18:44) - Docker Official Image Tags Are Rebuilt Often (21:14) - Chainguard's Tool (21:34) - Tag Tracker Tool Overview (26:13) - High Fivers DevOps Group (28:16) - Problem of Silent Rebuilds (36:33) - Post-Stream Updates