Skip to main content

Why avoid cached images

It’s advised to pull a fresh image even if an image with the same tag already exists locally. This is because Minimus often delivers vulnerability fixes without a change in the image version tag. To get a sense of the number of times the same image version can be rebuilt, consider the digest history for python version 3.13.5. The same image version tag will often have many image digests, but if you don’t force a fresh pull, a cached image will be used. This can expose you to unnecessary risks. Learn about the digest history in Minimus

Force a fresh pull

Here’s how to pull the latest version of the image from the registry, even if a local copy of the image already exists. The particular instructions depend on whether you are working in Docker, Kubernetes, or Helm charts:
  • Docker:
    • docker run: use --pull always
    • docker build: add --pull to pull the latest version of the base images in your FROM statements before building, even if a local copy already exists.
    • docker compose: add --pull always to pull the latest version of the images.
  • Kubernetes: set imagePullPolicy: Always
  • Helm charts:
    • For deployment.yaml set: image.pullPolicy: Always
    • For values.yaml set:

Keeping up to date

You can use actions to be notified when a new image version is released and when important fixes are shipped. You can configure the action as per your preferences to help you match your notification policy to updates that you think justify moving to a new image version.
Last modified on June 9, 2026