DEV Community

Jonas Brømsø
Jonas Brømsø

Posted on

Weird PR for Python Base Docker Image, do not know how to read it

#docker #pr #dependabot #security

I have recently written about pinning Docker images

And I am starting to use this for my various repositories using Docker.

Now I have received a PR from Dependabot, which looks weird.

It looks different than they normally at it came after another recent PR:

The PR wants to bump my Docker base image for Python

# Python 3.13.5-slim-bookworm
FROM python@sha256:f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81
Enter fullscreen mode Exit fullscreen mode

Bumps python from f2fdaec to 5f69d22.

If I pull the image from DockerHub and inspect it I do find the checksum I already know

docker pull python:3.13.5-slim-bookworm
docker inspect python:3.13.5-slim-bookworm |jq -r '.[] | .RepoDigests[]'
python@sha256:f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81
Enter fullscreen mode Exit fullscreen mode

Where:

  • f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81

Resembles:

  • f2fdaec

But not:

  • 5f69d22

I have deleted the local image and pulled it again with the exact same result.

If somebody knows how I should read this do let me know

profile
Warp
 Promoted

Warp.dev image

The best coding agent. Backed by benchmarks.

Warp outperforms every other coding agent on the market, and gives you full control over which model you use. Get started now for free, or upgrade and unlock 2.5x AI credits on Warp's paid plans.

Download Warp

Top comments (1)

Collapse
 
jonasbn profile image
Jonas Brømsø

Solution found, the unknown or rather unidentified SHA, was point to latest, with a little IA assistance I ended up with this:

curl -s "https://registry.hub.docker.com/v2/repositories/library/python/tags/?page_size=50" | python3 -m json.tool |jq '.results[] | select(.digest == "sha256:5f69d22a88dd4cc4ee1576def19aef48c8faa1b566054c44291183831cbad13b") | {nam
e, digest, last_updated}'
{
  "name": "latest",
  "digest": "sha256:5f69d22a88dd4cc4ee1576def19aef48c8faa1b566054c44291183831cbad13b",
  "last_updated": "2025-06-13T03:10:06.102742Z"
}
{
  "name": "3.13.5",
  "digest": "sha256:5f69d22a88dd4cc4ee1576def19aef48c8faa1b566054c44291183831cbad13b",
  "last_updated": "2025-06-13T03:08:51.583464Z"
}
Enter fullscreen mode Exit fullscreen mode

Lifted from:

profile
Guardsquare
 Promoted

You Know That Your Mobile App Needs Security. Here\

You Know That Your Mobile App Needs Security. Here's How to Get Started

Mobile apps have become a cornerstone of modern life. With billions of users, they have become a prime target for attackers. By implementing strong mobile app security, organizations can prevent IP theft, revenue loss, and an erosion of user trust.

Read the guide

👋 Kindness is contagious

Discover fresh viewpoints in this insightful post, supported by our vibrant DEV Community. Every developer’s experience matters—add your thoughts and help us grow together.

A simple “thank you” can uplift the author and spark new discussions—leave yours below!

On DEV, knowledge-sharing connects us and drives innovation. Found this useful? A quick note of appreciation makes a real impact.

Okay