The Image Pipeline
Every Deploy Is an Image Movement
Modern delivery is not "copy code to server". It's:
git push ──▶ CI builds image ──▶ scan ──▶ push to registry ──▶ prod pulls & runs
docker build CVEs docker push docker run
A minimal, honest pipeline in four commands:
$ docker build --build-arg BUILD_VERSION=$GIT_SHA -t app:$GIT_SHA .
$ docker scout cves app:$GIT_SHA # or trivy/grype - fail on criticals
$ docker tag app:$GIT_SHA registry.corp/app:$GIT_SHA
$ docker push registry.corp/app:$GIT_SHA
Build args parameterize the build (versions, target platforms) without editing the Dockerfile:
ARG BUILD_VERSION
LABEL org.opencontainers.image.version=$BUILD_VERSION
RUN echo "$BUILD_VERSION" > /version.txt
Warning:ARGvalues can end up indocker history- never pass secrets as build args. For private registries during build, use BuildKit secret mounts (--secret), which never enter layers.
Tip: Label images with the standardorg.opencontainers.image.*keys (version, revision, source). Six months into an incident,docker inspecttelling you the exact git commit is priceless.