I’m talking not only about trusting the distribution chain but about the situation where some services don't rebuild their images using updated bases if they don't have a new release.

So for example, if the particular service's latest tag was a year ago, they keep distributing it with a year-old alpine base…

  • los0220@lemmy.world
    2 hours ago

    rn I’m only using docker for the services I have behind a VPN, so I don’t really put that much thought into securing them. If I had any publicly accessible ones I would set up an automatic patch or even build my custom images.

    And as always I’m trying to up my security game, but not at any cost
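
An added example, not from any poster in this thread: one way to spot the stale images discussed above is to read the `Created` build timestamp from `docker image inspect` output and flag anything not rebuilt within a chosen window. The 90-day threshold, the function names and the sample data are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like `docker image inspect` output, trimmed to the
# two fields used here. Image names and dates are made up for illustration.
# Real input: docker image inspect $(docker image ls -q) > images.json
SAMPLE_INSPECT = json.loads("""
[
  {"RepoTags": ["example/wiki:1.4.2"],   "Created": "2023-01-10T08:15:42.123456789Z"},
  {"RepoTags": ["example/proxy:latest"], "Created": "2024-02-20T11:00:00Z"},
  {"RepoTags": [],                       "Created": "2022-06-01T00:00:00.5Z"}
]
""")

_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)")

def parse_created(value):
    """Parse Docker's RFC 3339 timestamp. The fraction may have up to nine
    digits; datetime holds six, so it is cut to microseconds."""
    m = _TS.fullmatch(value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")
    tz = "+00:00" if tz == "Z" else tz
    return datetime.fromisoformat(f"{base}.{frac}{tz}")

def stale_images(inspect_data, now, max_age_days=90):
    """Return (name, age_in_days) for images built more than max_age_days
    before `now`, oldest first. Build age is a proxy: an image rebuilt
    recently on an old pinned base would not be caught by this check."""
    found = []
    for image in inspect_data:
        tags = image.get("RepoTags") or []
        name = tags[0] if tags else "<untagged>"
        age = (now - parse_created(image["Created"])).days
        if age > max_age_days:
            found.append((name, age))
    return sorted(found, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a stable result.
    fixed_now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    for name, age in stale_images(SAMPLE_INSPECT, fixed_now):
        print(f"{name}: built {age} days ago, rebuild or replace")
```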