Support image digest

[tokyowizard]

Would it be possible to use an image's digest instead of its tag?

Some images only upload latest tags, so it would be safer to lock to the digest of the image.

Defining the digest in the config.toml would be great. For example, something like:

[servers]
[servers.image]
type="pseudo"
    # Docker Hub
    [servers.image.images.update-go-cve-dictionary]
    name="vuls/go-cve-dictionary"
    digest="sha256:15e5a8abad0a2afb77e8c988b2c225d88778a5444b8d4740afc8c03d3ab03eb4"

    # Private ECR
    [servers.image.images.privateecr]
    name="xxxxx.dkr.ecr.us-west-1.amazonaws.com/imagename"
    digest="sha256:0123456789012345678901234567890123456789012345678901234567890123"

[tomoyamachi]

Avoid using "latest" or stable tag is one of the container's best practices.

Is it better to create and scan with an alias tag?

[tokyowizard]

Thank you for the reply!

Creating with an alias tag may require unnecessarily hosting a copy of the same image on another repository, because we may not be the owners of the original image.

Pinning-by-Digest is a best practice, so being able to specify the container's digest would allow this best practice.

[tomoyamachi]

I understand.
It is a piece of cake. Please wait to merge my PR.