Why avoid cached images
Pull a fresh image even if an image with the same tag already exists locally, because Minimus often delivers vulnerability fixes without changing the image version tag. To get a sense of how many times the same image version can be rebuilt, consider the digest history for python version 3.13.5. The same image version tag will often have many image digests, and unless you force a fresh pull, the cached image will be used. This can expose you to unnecessary risks.

Learn about the digest history in Minimus

Force a fresh pull
Here’s how to pull the latest version of the image from the registry, even if a local copy of the image already exists. The particular instructions depend on whether you are working in Docker, Kubernetes, or Helm charts:

- Docker: use --pull for docker build, --pull always for docker run and docker compose
- Kubernetes: set imagePullPolicy: Always
- Helm charts:
  - For deployment.yaml set: image.pullPolicy: Always
  - For values.yaml set:
  - For
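
To find Kubernetes workloads that can still start from a cached image, the imagePullPolicy setting described above can be audited. The following is an added example, not Minimus code: it assumes a pod list in JSON, applies the Kubernetes default for an omitted imagePullPolicy, and uses constructed sample data with placeholder registry names and digest.

```python
import json

# Constructed sample shaped like a Kubernetes PodList; names are placeholders.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "web", "name": "api"},
  "spec": {"containers": [
   {"name": "app", "image": "registry.example.com/python:3.13.5"},
   {"name": "proxy", "image": "registry.example.com/proxy:1.2",
    "imagePullPolicy": "Always"}]}},
 {"metadata": {"namespace": "batch", "name": "job"},
  "spec": {"initContainers": [
   {"name": "init", "image": "registry.example.com:5000/tools",
    "imagePullPolicy": "IfNotPresent"}],
   "containers": [
   {"name": "run", "image": "registry.example.com/python@sha256:0000"}]}}
]}
""")


def effective_policy(container):
    """Pull policy Kubernetes applies, including its default when omitted."""
    if container.get("imagePullPolicy"):
        return container["imagePullPolicy"]
    image = container["image"]
    if "@" in image:  # digest reference defaults to IfNotPresent
        return "IfNotPresent"
    last = image.rsplit("/", 1)[-1]  # skip any registry host:port
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return "Always" if tag == "latest" else "IfNotPresent"


def cached_image_risks(pod_list):
    """Containers that may start from a cached copy of a rebuilt tag."""
    findings = []
    for pod in pod_list.get("items", []):
        spec, meta = pod["spec"], pod["metadata"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if "@" in c["image"]:
                continue  # pinned by digest: the cached copy is the same content
            policy = effective_policy(c)
            if policy != "Always":
                findings.append((meta["namespace"], meta["name"], c["name"], policy))
    return findings


if __name__ == "__main__":
    for ns, pod, name, policy in cached_image_risks(SAMPLE):
        print(f"{ns}/{pod} container={name} imagePullPolicy={policy}")
```

Objects read back from a live cluster already have imagePullPolicy filled in by the API server, so the defaulting branch matters mainly when the input is built from manifests that omit the field.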