✦ For everyone, free.

Practical knowledge for real and everyday life

Home

3.3.3.2 Base Image Updates

A focused guide to Base Image Updates, connecting core concepts with practical Docker and container operations.

Base image updates are the new releases of a base image published over time — typically containing security patches, bug fixes, or new package versions — which downstream images need to deliberately pull in by rebuilding, since an already-built image never updates itself.

Why Already-Built Images Do Not Update Automatically

An image is immutable once built; if its base image receives a security patch afterward, the already-built downstream image does not receive that patch automatically — it continues to reflect whatever the base image contained at the moment it was built.

docker build -t myapp:1.0 .

If python:3.12-slim is patched the following week, myapp:1.0 still contains the unpatched version, since rebuilding is required to pick up the update.

Rebuilding to Pick Up Base Image Updates

Regularly rebuilding an image, even without any application code changes, is necessary to incorporate base image security updates, which is why many teams schedule periodic rebuilds independent of application release cycles.

docker build --pull -t myapp:1.0 .

The --pull flag ensures the build checks for and retrieves the latest version of the base image matching the specified tag, rather than relying on whatever copy happens to be cached locally.

Tracking Which Base Image Version Is in Use

Because base images are commonly referenced by a tag that can correspond to different actual content over time, recording the specific digest of the base image used in a given build provides traceability about exactly what base content an image was built from.

docker inspect python:3.12-slim --format '{{.Id}}'
Automating Base Image Update Detection

Some teams use automated tooling that monitors for new base image releases and automatically triggers a rebuild and redeployment pipeline when a relevant security update becomes available, reducing the lag between an upstream patch and its adoption.

docker scan myapp:1.0

Vulnerability scanning an already-built image can reveal when its base image has fallen behind on security patches, prompting a rebuild.

Why Base Image Updates Matter

Because base images are a shared dependency underlying potentially many application images, staying current with their updates is one of the more impactful, low-effort ways to maintain a strong security posture across an entire fleet of containerized applications.

Related content