Summary
The ghcr.io/complianceascode/k8scontent container image does not have tags corresponding to the v0.1.79 and v0.1.80 releases. The :latest tag is pinned to a June 2025 build (commit b01ffe68cc1320ee472408798bc56d83cfbfb1f7), which predates both releases.
Evidence
# :latest is from June 2025 — predates v0.1.78 (Sep 2025), v0.1.79 (Nov 2025), v0.1.80 (Mar 2026)
$ skopeo inspect --override-arch amd64 --override-os linux docker://ghcr.io/complianceascode/k8scontent:latest
"Created": "2025-06-13T17:17:53.170052561Z"
"org.opencontainers.image.revision": "b01ffe68cc1320ee472408798bc56d83cfbfb1f7"
# No version-tagged images exist
$ skopeo inspect docker://ghcr.io/complianceascode/k8scontent:v0.1.79
name unknown: repository not found
$ skopeo inspect docker://ghcr.io/complianceascode/k8scontent:v0.1.80
name unknown: repository not found
Impact
The compliance-operator references k8scontent:latest in its deployment manifest via RELATED_IMAGE_PROFILE. Since :latest hasn't been updated since June 2025:
- Scan results are not reproducible — different clusters pulling
:latest at different times could get different content if the tag ever updates
- New features are unavailable — v0.1.80 added
sshd_runtime_check for RHCOS (products/rhcos4/product.yml), but no cluster using the published images will have it
- No way to pin to a release — without version-tagged images, users cannot reference a specific content release for reproducibility
Request
- Publish
ghcr.io/complianceascode/k8scontent:v0.1.79 and ghcr.io/complianceascode/k8scontent:v0.1.80 images
- Update
:latest to point to the current release (v0.1.80) — the compliance-operator defaults to :latest when RELATED_IMAGE_PROFILE is not overridden
- Consider publishing version-tagged images as part of the release process going forward (the
Dockerfiles/ocp4_content Dockerfile already exists for this purpose)
Summary
The
ghcr.io/complianceascode/k8scontentcontainer image does not have tags corresponding to the v0.1.79 and v0.1.80 releases. The:latesttag is pinned to a June 2025 build (commitb01ffe68cc1320ee472408798bc56d83cfbfb1f7), which predates both releases.Evidence
Impact
The compliance-operator references
k8scontent:latestin its deployment manifest viaRELATED_IMAGE_PROFILE. Since:latesthasn't been updated since June 2025::latestat different times could get different content if the tag ever updatessshd_runtime_checkfor RHCOS (products/rhcos4/product.yml), but no cluster using the published images will have itRequest
ghcr.io/complianceascode/k8scontent:v0.1.79andghcr.io/complianceascode/k8scontent:v0.1.80images:latestto point to the current release (v0.1.80) — the compliance-operator defaults to:latestwhenRELATED_IMAGE_PROFILEis not overriddenDockerfiles/ocp4_contentDockerfile already exists for this purpose)