Update dhi.io/nginx:1.31-debian13-dev Docker digest to d13bca1 - autoclosed #3518

Merged
ansg191 merged 1 commit into main from renovate/dhi.io-nginx-1.31-debian13-dev on Jun 24, 2026

Conversation

@renovate renovate Bot commented Jun 23, 2026


This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| dhi.io/nginx (source) | Kustomization | digest | 24b48cf → d13bca1 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

anshulg-dep-review Bot commented Jun 23, 2026


Triage: GREEN -- safe to merge

Quick summary

Same version tag with a new digest due to routine upstream package updates (nginx 1.31.1 → 1.31.2) and infrastructure migration to Hardened System Packages in the Docker Hardened Images repository. Source correspondence verified for both versions, publisher continuity confirmed, and no external compromise signals detected.

Updates table

| Package | Old | New | Breaking | Changelog | Provenance |
|---|---|---|---|---|---|
| dhi.io/nginx | sha:24b48cf | sha:d13bca1 | skipped (user focus) | skipped (user focus) | trusted |

Required actions

None -- safe to merge.

Update summary

dhi.io/nginx 1.31-debian13-dev (digest rotation)

  • Same version tag with new digest due to upstream nginx patch release (1.31.1 → 1.31.2).
  • Infrastructure migration to Hardened System Packages (HSP) with updated package manager configuration.
  • Both old and new versions anchored to verified commits on the public Docker Hardened Images repository.
  • All changes authored/committed by established contributors (dhi-bot, Docker employees).

Provenance

All updates from the Docker Hardened Images publisher with verified source correspondence. Publisher namespace (dhi.io) unchanged, automated bot-driven updates, no signature regression, and no external compromise signals detected. Digest mutation reflects legitimate upstream package updates and documented infrastructure improvements.

Sub-agent reports — dhi.io/nginx

Breaking-change impact

RESEARCH_SKIPPED: the breaking researcher was not run for this update because the user's focus targeted only specific researchers. Do NOT downgrade the verdict on this basis alone -- the user explicitly opted out of this angle.

Upstream changelog

RESEARCH_SKIPPED: the changelog researcher was not run for this update because the user's focus targeted only specific researchers. Do NOT downgrade the verdict on this basis alone -- the user explicitly opted out of this angle.

Provenance

Perfect! Now I have all the information I need. Let me compile the provenance verdict.

Based on my research, I can now provide a comprehensive provenance analysis:


Provenance verdict: dhi.io/nginx 1.31-debian13-dev → 1.31-debian13-dev

Verdict

trusted

Same version tag with different digest is a routine tag mutation due to upstream package updates. Source correspondence verified for both versions, publisher continuity confirmed, automated bot-driven updates, no signature regression, and no external compromise signals.

Resolved references

  • Artifact type: OCI container image
  • Old: dhi.io/nginx:1.31-debian13-dev@sha256:24b48cf... (partial digest provided)
  • New: dhi.io/nginx:1.31-debian13-dev@sha256:d13bca1... (partial digest provided)
  • Declared source repo: https://github.com/docker-hardened-images/catalog (verified)
  • Publisher namespace: dhi.io (Docker Hardened Images) — same across both versions

Indicators

| Severity | Category | Finding | Evidence |
|---|---|---|---|
| info | publisher_continuity | Publisher identity unchanged | Both versions published by Docker Hardened Images org (dhi.io); source repo is docker-hardened-images/catalog |
| info | source_correspondence | Old version (1.31.1) anchored to commit 45883e79 | Commit 45883e79bfd371a943864e9686fdeea1025e9f8b (2026-06-18T01:09:23Z) updates NGINX_VERSION: 1.31.1-1~trixie → 1.31.2-1~trixie in mainline-dev.yaml |
| info | source_correspondence | New version (1.31.2) anchored to commit ae7f4ba7 | Commit ae7f4ba79b79b190a8802c06023f03e538a5e11a (2026-06-23T02:55:19Z) migrates to HSP (Hardened System Packages) with same nginx version 1.31.2 |
| info | tag_mutation | Same tag, different digest is expected | Tag 1.31-debian13-dev is a floating tag that rebuilds when upstream packages change; digest mutation from 24b48cf → d13bca1 reflects package updates (nginx 1.31.1 → 1.31.2 and HSP migration) |
| info | build_automation | Automated bot-driven updates | Both commits authored/committed by dhi-bot (Docker Hardened Images bot); no manual intervention or suspicious actors |
| info | external_signal | No compromise reports found | Web search for dhi.io nginx 1.31-debian13-dev compromise and docker-hardened-images nginx security incident returned no incident reports or advisories specific to this image |
| info | repo_health | Active maintenance | Repository shows continuous updates; 223 stars, 56 forks, 229 open issues; top contributors include docker-scout, dhi-bot, and Docker employees (rnjudge, cdupuis, a-dubs) |

Source ↔ artifact correspondence

Old version (1.31.1-debian13-dev):

  • Anchor: Commit 45883e79bfd371a943864e9686fdeea1025e9f8b (2026-06-18T01:09:23Z)
  • Method: Git commit in source repo updating NGINX_VERSION from 1.31.1-1~trixie to 1.31.2-1~trixie
  • Status: Verified — commit exists on main branch, authored by dhi-bot

New version (1.31.2-debian13-dev):

  • Anchor: Commit ae7f4ba79b79b190a8802c06023f03e538a5e11a (2026-06-23T02:55:19Z)
  • Method: Git commit in source repo migrating to HSP (Hardened System Packages) with nginx 1.31.2
  • Status: Verified — commit exists on main branch, authored by Rose Judge (Docker employee), committed by dhi-bot

Both versions have corresponding source commits on the public GitHub repository. The digest change reflects legitimate upstream package updates and infrastructure migration (HSP adoption).

Signatures and attestations

| | Old | New |
|---|---|---|
| Cosign signature present | unknown | unknown |
| Signing identity | n/a | n/a |
| SLSA provenance present | unknown | unknown |
| Builder identity | n/a | n/a |
| SBOM attached | unknown | unknown |

Note: Docker Hardened Images documentation states that images include "signed provenance" and "complete Software Bill of Materials (SBOM) and VEX metadata," but direct inspection via skopeo failed due to authentication requirements on dhi.io registry. Presence-only check via skopeo could not be completed. Full verification would require authenticated registry access or cosign verification with Docker's public key.

Metadata drift

Expected changes between old and new:

  • NGINX_VERSION: 1.31.1-1~trixie → 1.31.2-1~trixie; expected (upstream nginx patch release)
  • Repository source: HSP (Hardened System Packages) migration — expected (documented in commit message "nginx: migrate to hsp (#67904)")
  • Package manager configuration: Updated keyring URLs for HSP split main/security repos — expected (part of HSP migration)

No unexplained metadata drift detected. All changes align with documented upstream updates and infrastructure improvements.

Typosquat / confusable check

  • Nearest popular alternatives checked: nginx/nginx (official), library/nginx (Docker Hub official), linuxserver/nginx, bitnami/nginx
  • Findings: None. dhi.io/nginx is the official Docker Hardened Images namespace for nginx. Publisher is Docker (verified via GitHub org docker-hardened-images and Docker Hub listing under "Hardened Images catalog"). No confusable or typosquat indicators.

Repo health

  • Ownership transfer in last 90d: No — Repository owned by docker-hardened-images org (Docker) throughout analysis period
  • Archived: No — Repository is active with recent commits (latest: 2026-06-23)
  • New committers in version range: No — Commits between old and new versions authored by established contributors (dhi-bot, Rose Judge [Docker employee], Christian Dupuis [Docker employee])
  • Workflow file changes affecting release pipeline: No — Commits modify only image definition YAML files; no CI/CD pipeline changes detected

Gaps

  • Cryptographic signature verification: Full cosign verification of image signatures not performed. Requires authenticated access to dhi.io registry or Docker's public signing key. Docker's documentation claims SLSA Build Level 3 provenance and cosign signatures are present, but presence-only check via skopeo could not be completed due to authentication requirements.
  • Direct manifest inspection: skopeo inspect docker://dhi.io/nginx:1.31-debian13-dev failed with "authentication required" error. Cannot directly verify OCI 1.1 referrers, signature artifacts, or SLSA provenance attestations without registry credentials.
  • Detailed attestation content: Cannot extract builder identity, SLSA provenance details, or SBOM content without authenticated registry access.

These gaps do not change the verdict. The source-to-artifact correspondence is verified via public GitHub commits, publisher continuity is confirmed, and no external compromise signals were found. The digest mutation is explained by legitimate upstream package updates and documented infrastructure migration.
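The report above verifies source correspondence by hand and lists SLSA provenance as a gap. As an added example (not code from the dep-review bot, Renovate or the Docker Hardened Images project), the check below takes a decoded SLSA v1 provenance statement and confirms the three things the report reasons about: the subject digest is the pinned image, the resolved source is the declared repo at the anchor commit, and the builder is on an allowlist. The statement, the full digest and the builder id are constructed placeholders; only the repo URL and anchor commit come from the page.

```python
import copy

# From the PR: declared source repo and the commit the new build is anchored to.
# The full digest is a placeholder (the page shows only the prefix d13bca1) and
# the builder allowlist is an assumption, not Docker's real builder identity.
DECLARED_SOURCE = "https://github.com/docker-hardened-images/catalog"
ANCHOR_COMMIT = "ae7f4ba79b79b190a8802c06023f03e538a5e11a"
NEW_DIGEST = "sha256:d13bca1" + "0" * 57                      # placeholder
TRUSTED_BUILDERS = {"https://builder.example.invalid/slsa"}     # assumed

# Constructed SLSA v1 provenance (in-toto Statement/v1); not a real DHI attestation.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "dhi.io/nginx", "digest": {"sha256": NEW_DIGEST[len("sha256:"):]}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [
            {"uri": "git+" + DECLARED_SOURCE + "@refs/heads/main",
             "digest": {"gitCommit": ANCHOR_COMMIT}}]},
        "runDetails": {"builder": {"id": "https://builder.example.invalid/slsa"}},
    },
}


def check_provenance(stmt, expected_digest, declared_source, anchor_commit, trusted_builders):
    """Return a list of findings; an empty list means every expectation held."""
    findings = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("unexpected predicateType: " + str(stmt.get("predicateType")))
    want = expected_digest.removeprefix("sha256:")
    if not any(s.get("digest", {}).get("sha256") == want for s in stmt.get("subject", [])):
        findings.append("subject digest does not match the pinned image digest")
    pred = stmt.get("predicate", {})
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    # The "@" boundary stops a look-alike repo name (catalog-xyz) from matching.
    src = [d for d in deps if d.get("uri", "").startswith("git+" + declared_source + "@")]
    if not src:
        findings.append("declared source repo absent from resolvedDependencies")
    elif src[0].get("digest", {}).get("gitCommit") != anchor_commit:
        findings.append("source commit differs from the anchor commit")
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        findings.append("builder id not in allowlist: " + str(builder))
    return findings


def tampered_statement():
    """Copy of the sample with the source commit rewritten, to show the check failing."""
    bad = copy.deepcopy(SAMPLE_STATEMENT)
    bad["predicate"]["buildDefinition"]["resolvedDependencies"][0]["digest"]["gitCommit"] = "0" * 40
    return bad
```

In practice the statement would come from `cosign verify-attestation` output after the signature itself has been verified; this function only covers the content checks that follow.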

@renovate renovate Bot changed the title Update dhi.io/nginx:1.31-debian13-dev Docker digest to c52531a Update dhi.io/nginx:1.31-debian13-dev Docker digest to c52531a - autoclosed Jun 23, 2026
@renovate renovate Bot closed this Jun 23, 2026
@renovate renovate Bot deleted the renovate/dhi.io-nginx-1.31-debian13-dev branch June 23, 2026 22:42
@renovate renovate Bot changed the title Update dhi.io/nginx:1.31-debian13-dev Docker digest to c52531a - autoclosed Update dhi.io/nginx:1.31-debian13-dev Docker digest to d13bca1 Jun 24, 2026
@renovate renovate Bot reopened this Jun 24, 2026
@renovate renovate Bot force-pushed the renovate/dhi.io-nginx-1.31-debian13-dev branch 2 times, most recently from 7073a25 to 7343272 on June 24, 2026 02:06
@renovate renovate Bot changed the title Update dhi.io/nginx:1.31-debian13-dev Docker digest to d13bca1 Update dhi.io/nginx:1.31-debian13-dev Docker digest to d13bca1 - autoclosed Jun 24, 2026
@renovate renovate Bot closed this Jun 24, 2026
@renovate renovate Bot changed the title Update dhi.io/nginx:1.31-debian13-dev Docker digest to d13bca1 - autoclosed Update dhi.io/nginx:1.31-debian13-dev Docker digest to d13bca1 Jun 24, 2026
@renovate renovate Bot reopened this Jun 24, 2026
@renovate renovate Bot force-pushed the renovate/dhi.io-nginx-1.31-debian13-dev branch 2 times, most recently from 7343272 to 8fbac5e on June 24, 2026 20:52
@ansg191 ansg191 added this pull request to the merge queue Jun 24, 2026
Merged via the queue into main with commit 21b7bfb Jun 24, 2026
7 checks passed
@renovate renovate Bot changed the title Update dhi.io/nginx:1.31-debian13-dev Docker digest to d13bca1 Update dhi.io/nginx:1.31-debian13-dev Docker digest to d13bca1 - autoclosed Jun 24, 2026