https://github.com/honeok/pinker

A CLI tool to automatically pin Docker image tags to SHA256 digests for reproducible and secure builds. 🐳

# piñker 🧷

[![Build Status](https://img.shields.io/github/actions/workflow/status/honeok/pinker/build.yaml?branch=master&logo=github)](https://github.com/honeok/pinker)
[![Go Report](https://goreportcard.com/badge/github.com/honeok/pinker)](https://goreportcard.com/report/github.com/honeok/pinker)
[![GitHub Release](https://img.shields.io/github/release/honeok/pinker.svg?logo=github)](https://github.com/honeok/pinker/releases/latest)
[![GitHub License](https://img.shields.io/github/license/honeok/pinker.svg?logo=github)](https://github.com/honeok/pinker)

Secure your container supply chain by automatically pinning Docker images to immutable SHA256 digests.

> [!TIP]
> Tags are mutable. Digests are forever.

## Why Pinker?

Mutable tags like `postgres:14` or `node:latest` can change at any time. Pinker resolves these tags to their exact SHA256 digest, ensuring your builds are:

- **Reproducible**: Everyone builds the exact same image, every time.
- **Secure**: Protects against tag hijacking or unexpected upstream changes.

## Features

- **Zero-Config Authentication** Seamlessly reuses your local Docker credentials. If `docker login registry.example.com` works in your terminal, `pinker` works automatically. No need to manage extra secrets.
- **Multi-Registry Support** Built on top of standard OCI libraries with native support for **AWS ECR**, **Google Artifact Registry**, **Azure ACR**, **Harbor**, and any OCI-compliant private registry.
- **Immutable by Design** Converts uncertain tags (e.g., `latest`) into deterministic SHA256 digests, locking your infrastructure to a specific state.
- **Broad Compatibility** Works out-of-the-box with `Dockerfile` and `docker-compose.yml` (supports `.yaml`, `compose.yml`, and other standard naming conventions).

## Install

### Binaries (Recommended)

Download the pre-compiled binaries for your platform from the [Releases page][1].

### Go Install

If you have Go installed, you can build and install the latest version from source:

```shell
go install github.com/honeok/pinker@latest
```

## Usage

```shell
# Pin everything in the current directory (recursive)
$ pinker

# Pin a specific directory
$ pinker ./deploy
```
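
A check that could run in CI next to the commands above, as an added example (not part of pinker or its README): it lists image references in `Dockerfile` and compose content that are still not pinned to a SHA256 digest. The `Unpinned` helper, its regular expressions and the sample input are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed placeholder digest and sample input (not real image digests).
var digest = "sha256:" + strings.Repeat("a", 64)
var sample = strings.Join([]string{
	"FROM --platform=linux/amd64 node:latest AS build",
	"FROM scratch",
	"FROM build AS test",
	"FROM postgres:14@" + digest,
	`    image: "postgres:14"`,
	"    image: redis@" + digest,
}, "\n")

var (
	// FROM [--flag=value ...] <ref> [AS <stage>]
	fromRe = regexp.MustCompile(`(?i)^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?`)
	// compose "image:" key, optionally quoted
	imageRe  = regexp.MustCompile(`^\s*image:\s*["']?([^"'\s#]+)`)
	pinnedRe = regexp.MustCompile(`@sha256:[a-f0-9]{64}$`)
)

// Unpinned returns every image reference that is not locked to a SHA256 digest.
func Unpinned(content string) []string {
	var out []string
	stages := map[string]bool{"scratch": true} // scratch is not a pullable image
	for _, line := range strings.Split(content, "\n") {
		ref := ""
		if m := fromRe.FindStringSubmatch(line); m != nil {
			if !stages[strings.ToLower(m[1])] { // skip references to earlier build stages
				ref = m[1]
			}
			stages[strings.ToLower(m[2])] = true // remember the stage name ("" is harmless)
		} else if m := imageRe.FindStringSubmatch(line); m != nil {
			ref = m[1]
		}
		if ref != "" && !pinnedRe.MatchString(ref) {
			out = append(out, ref)
		}
	}
	return out
}

func main() { fmt.Println(Unpinned(sample)) }
```

References built from `ARG` variables (for example `FROM ${BASE}`) are reported as well, since they cannot be verified statically.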

## Acknowledgements

This project is heavily inspired by [pinata][2] by [caarlos0][3]. The code structure, design philosophy, and CLI experience are directly adapted from his work to bring the same security and reproducibility standards to the Docker ecosystem.

[1]: https://github.com/honeok/pinker/releases
[2]: https://github.com/caarlos0/pinata
[3]: https://github.com/caarlos0