// 实现示例 (Implementation example)

/** A base image reference, optionally pinned to a content digest. */
type Base = { image: string; digest?: string }

/** An apt repository source and the packages expected to come from it. */
type Apt = { source: string; packages: string[] }

/**
 * Hosts an apt source may be served from (exact match on URL.host, see evaluate).
 * NOTE(review): the name and entries look like container registries, yet the set is only
 * ever applied to the apt source host, never to the image reference — confirm intent.
 */
const allowRegistries = new Set<string>(['docker.io', 'ghcr.io', 'registry.example.com'])

/**
 * Whether `i.image` is a `name/name:tag` reference.
 *
 * The pattern allows exactly one path separator, so a registry-qualified reference such
 * as `docker.io/library/ubuntu:22.04` is rejected. Each name part needs at least two
 * characters; the tag needs at least one.
 */
function validImage(i: Base): boolean {
  const nameSlashNameColonTag = /^(\w[\w.-]+)\/(\w[\w.-]+):([\w.-]+)$/;
  return nameSlashNameColonTag.test(i.image);
}

/**
 * Whether `i.digest` is present and is a bare 64-character hex string.
 * A `sha256:`-prefixed OCI digest string would be rejected by this check.
 */
function hasDigest(i: Base): boolean {
  const digest = i.digest;
  if (!digest) return false;
  return /^[A-Fa-f0-9]{64}$/.test(digest);
}

/** Whether the apt source string starts with `https://` followed by at least one character. */
function validApt(a: Apt): boolean {
  const httpsWithPath = /^https:\/\/.+/;
  return httpsWithPath.test(a.source);
}

/**
 * Runs every gate and collects the codes of the ones that failed.
 *
 * Error codes, in the order they are produced:
 * - `image`: the image reference does not match `name/name:tag`
 * - `digest`: no digest, or not 64 hex characters
 * - `apt-source`: the apt source does not parse as a URL
 * - `apt-host`: the parsed URL's host is not in `allowRegistries`
 * - `apt-url`: the apt source does not start with `https://`
 *
 * The host check runs on the parsed URL, so the effective host is compared (userinfo or
 * path tricks in the string do not change it). URL.host includes an explicit port, so a
 * source on `registry.example.com:8443` would not match the allowlist entry.
 *
 * @returns `ok` is true only when `errors` is empty.
 */
function evaluate(base: Base, apt: Apt): { ok: boolean; errors: string[] } {
  const errors: string[] = [];
  const fail = (code: string): void => {
    errors.push(code);
  };

  if (!validImage(base)) fail('image');
  if (!hasDigest(base)) fail('digest');

  let parsed: URL | undefined;
  try {
    parsed = new URL(apt.source);
  } catch {
    fail('apt-source');
  }
  if (parsed !== undefined && !allowRegistries.has(parsed.host)) fail('apt-host');

  if (!validApt(apt)) fail('apt-url');

  return { ok: errors.length === 0, errors };
}

/*
 * 审计与CI门禁
 * 审计基础镜像与 `digest` 固定、apt 来源域;不合规阻断并回退。构建时仅允许受控来源与校验通过的包。
 *
 * (Audit and CI gate: audit base images, digest pinning and apt source domains; block and
 * roll back anything non-compliant. At build time only controlled sources and packages
 * that pass verification are allowed.)
 */
