The Image Pipeline

Every Deploy Is an Image Movement

Modern delivery is not "copy code to server". It's:

git push ──▶ CI builds image ──▶ scan ──▶ push to registry ──▶ prod pulls & runs
             docker build        CVEs     docker push          docker run

A minimal, honest pipeline in four commands:

$ docker build --build-arg BUILD_VERSION=$GIT_SHA -t app:$GIT_SHA .
$ docker scout cves app:$GIT_SHA        # or trivy/grype - fail on criticals
$ docker tag app:$GIT_SHA registry.corp/app:$GIT_SHA
$ docker push registry.corp/app:$GIT_SHA

Build args parameterize the build (versions, target platforms) without editing the Dockerfile:

ARG BUILD_VERSION
LABEL org.opencontainers.image.version=$BUILD_VERSION
RUN echo "$BUILD_VERSION" > /version.txt
Warning: ARG values can end up in docker history - never pass secrets as build args. For private registries during build, use BuildKit secret mounts (--secret), which never enter layers.
Tip: Label images with the standard org.opencontainers.image.* keys (version, revision, source). Six months into an incident, docker inspect telling you the exact git commit is priceless.