
Conversation


@shuymn shuymn commented Jul 1, 2025

Description

This PR fixes an issue where Docker images containing SHA256 digests (e.g., cimg/node:22.11.0@sha256:76aae...) incorrectly triggered "Missing image tag" errors.

The fix properly supports Docker image references that use SHA256 digests for pinning to specific image versions, which is a common practice for ensuring reproducible builds and enhanced security.

This change pursues the same goal as #313, but that PR has been inactive for more than six months, so I reassessed the approach and implemented it anew.

I also considered verifying that the digest actually exists and, when a tag is present alongside a digest, that both refer to the same manifest. However, Docker Hub provides no direct API for digest look-ups and the added complexity seemed unwarranted, so this PR limits itself to parsing and validating the digest format.

Implementation details

Parser Changes (pkg/parser/dockerImageParser.go)

  • Modified regex to accept any string after @ as a digest: (@(.+))?$
  • Parser now successfully parses both valid and invalid digest formats
  • Added Digest field to ast.DockerImageInfo structure for storing the digest value

Validation Changes (pkg/parser/validate/)

  • Added isValidDockerDigest() function to validate digest format
  • Digest validation requires the pattern: sha256:[64 hex characters]
  • Invalid digests show clear error messages:
    "Invalid Docker image digest format \"foo\". Expected format: sha256:<64 hexcharacters>"
  • Skip tag recommendations when a digest is present (since digests uniquely identify images)

How to validate

  1. Start the VSCode extension testing environment according to HACKING.md
  2. Test with a CircleCI config containing Docker images with SHA256 digests:

         version: 2.1

         executors:
           my-executor:
             docker:
               - image: cimg/node:22.11.0@sha256:76aae59c6259672ab68819b8960de5ef571394681089eab2b576f85f080c73ba

  3. Verify that:
     • ✅ No "Missing image tag" errors appear for images with valid SHA256 digests
     • ✅ Invalid digest formats (e.g., image:tag@foo) show appropriate error messages
     • ✅ Tag recommendations are not shown when a digest is present
  4. Run the tests to verify all scenarios:

         task lint
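
The parse-then-validate split described in this PR, as an added Go illustration that is not the project's code: the struct, function names, regex and the hint wording are assumptions, not the language server's actual implementation. The parser captures anything after `@` as the digest (so `cimg/go:1.24@foo` still parses), the validator enforces `sha256:` followed by 64 lowercase hex characters, and tag advice is skipped once a digest is present. It also keeps registry hosts with ports (`localhost:5000/app:1.0`) intact, which is a generalisation beyond the examples in the PR.

```go
package main

import (
	"fmt"
	"regexp"
)

// DockerImageInfo is an illustrative stand-in for the project's ast.DockerImageInfo
// (assumed field names). Digest holds whatever followed '@', unvalidated.
type DockerImageInfo struct {
	Name   string
	Tag    string
	Digest string
}

// imageRef follows the PR's parsing rule: anything after '@' is captured as the
// digest, so malformed digests still parse and are reported by the validator.
// The name is matched lazily so registry hosts with ports (localhost:5000/app)
// keep their colon; the tag is the final ':'-separated part without '/' or '@'.
var imageRef = regexp.MustCompile(`^(.+?)(?::([^:/@]+))?(?:@(.+))?$`)

// sha256Digest is the only digest form the validator accepts: "sha256:" plus
// 64 lowercase hex characters.
var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseDockerImage splits a reference into name, tag and digest. ok is false
// only when the string has no name at all.
func ParseDockerImage(ref string) (DockerImageInfo, bool) {
	m := imageRef.FindStringSubmatch(ref)
	if m == nil || m[1] == "" {
		return DockerImageInfo{}, false
	}
	return DockerImageInfo{Name: m[1], Tag: m[2], Digest: m[3]}, true
}

// isValidDockerDigest checks the digest format only; it does not confirm that
// the digest exists in any registry (out of scope, as in the PR).
func isValidDockerDigest(digest string) bool {
	return sha256Digest.MatchString(digest)
}

// Diagnostic is a simplified validation result (severity plus message).
type Diagnostic struct {
	Severity string
	Message  string
}

// ValidateImage applies the order the PR describes:
//  1. malformed digest  -> error
//  2. digest present    -> no tag checks at all (the digest pins the image)
//  3. no tag, no digest -> "Missing image tag" error
//  4. tag only          -> hint that a tag is mutable (assumed wording)
func ValidateImage(ref string) []Diagnostic {
	info, ok := ParseDockerImage(ref)
	if !ok {
		return []Diagnostic{{"error", fmt.Sprintf("Unparseable image reference %q", ref)}}
	}
	var diags []Diagnostic
	if info.Digest != "" {
		if !isValidDockerDigest(info.Digest) {
			diags = append(diags, Diagnostic{"error", fmt.Sprintf(
				"Invalid Docker image digest format %q. Expected format: sha256:<64 hex characters>", info.Digest)})
		}
		return diags // digest present: skip all tag recommendations
	}
	if info.Tag == "" {
		return append(diags, Diagnostic{"error", "Missing image tag"})
	}
	return append(diags, Diagnostic{"hint", fmt.Sprintf(
		"Tag %q is mutable; pin with @sha256:<digest> for reproducible builds", info.Tag)})
}

func main() {
	// Constructed sample references covering the cases listed in the PR.
	for _, ref := range []string{
		"cimg/node:22.11.0@sha256:76aae59c6259672ab68819b8960de5ef571394681089eab2b576f85f080c73ba",
		"node@sha256:76aae59c6259672ab68819b8960de5ef571394681089eab2b576f85f080c73ba",
		"cimg/go:1.24@foo",
		"cimg/node",
		"localhost:5000/app:1.0",
	} {
		fmt.Printf("%-90s -> %v\n", ref, ValidateImage(ref))
	}
}
```

Keeping the digest regex out of the parser is what makes the "Invalid Docker image digest format" diagnostic possible: a strict parser would reject `cimg/go:1.24@foo` outright and the user would only see a generic parse failure instead of a message naming the bad digest.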

shuymn added 5 commits June 30, 2025 17:20
Add test cases to verify parsing of Docker image references that include
SHA256 digests. These tests cover:
- Images with both tag and SHA256 digest (e.g., node:18@sha256:...)
- Images with only SHA256 digest (e.g., node@sha256:...)
- Both library and namespaced images

The tests are currently failing as the parser doesn't handle SHA256
digests correctly yet.

Update the Docker image regex to correctly parse image references that
include SHA256 digests. The new regex pattern:
- Captures the tag portion before any @ symbol
- Recognizes and validates SHA256 digests (64 hex characters)
- Maintains backward compatibility with existing image formats

This fixes the "Missing image tag" error for images like:
cimg/node:22.11.0@sha256:76aae59c6259672ab68819b8960de5ef571394681089eab2b576f85f080c73ba

Fixes the issue where valid Docker images pinned with SHA256 hashes
were incorrectly flagged as having missing tags.

Add a Digest field to the DockerImageInfo structure to preserve SHA256
digests when parsing Docker image references. While the digest is not
currently used in validation or other features, this change enables
future enhancements such as:

- Security warnings for images using mutable tags
- Digest-based image verification
- Supply chain security features
- Improved error messages distinguishing tags from digests

This is a backward-compatible change that lays the groundwork for
enhanced Docker image security features in the language server.

The parser now correctly extracts and stores the digest portion
(e.g., "sha256:76aae59...") separately from the tag, making it
available for future use while maintaining all existing functionality.

Changed the parser to accept any string after @ as a digest, moving the
validation of digest format to the validation layer. This provides better
separation of concerns:

- Parser: Extracts structure from the input
- Validator: Checks if the structure is valid

This change allows the parser to successfully parse images with invalid
digest formats (like 'cimg/go:1.24@foo'), which can then be properly
validated and reported as errors in the validation phase.

Implemented validation for Docker image digest formats in the validation
layer. The parser now accepts any string after '@' as a digest, and the
validator checks if it matches the expected SHA256 format.

Changes:
- Added isValidDockerDigest() function to validate digest format
- Digest must match pattern: sha256:[64 hex characters]
- Invalid digests show clear error messages
- Skip tag recommendations when digest is present (digests uniquely
  identify images)

This completes the separation of concerns between parsing and validation,
providing better error messages for invalid digest formats.