[POC] Some exploration base image puller and matcher

[jvdm]

Description

A ad-hoc tool to explore the concept and idea behind the plans for base image detection. See README for further details.

User-facing documentation

• CHANGELOG.md is updated OR update is not needed
• documentation PR is created and is linked above OR is not needed

Testing and quality

• the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
• CI results are inspected

Automated testing

• added unit tests
• added e2e tests
• added regression tests
• added compatibility tests
• modified existing tests

How I validated my change

Example on how this works:

DOCKER_CONFIG=~/.docker/ go run main.go --cache-dir /tmp/base_image_layers --max-probe 50 --max-tags 50 --base-repo registry.access.redhat.com/ubi8 --base registry.access.redhat.com/ubi8/s2i-core:8.10-1754427417 registry.redhat.io/rhel8/redis-6:1-1754453437 registry.access.redhat.com/ubi8/s2i-core:8.10-1754427417 debian:trixie-backports
2025/08/14 23:24:19 expanding repo: registry.access.redhat.com/ubi8
2025/08/14 23:24:21 [/home/jvmartin/.cache/go-build/bd/bdcc668760908231270080b11301ce34dfe2385bc6ab11a339a25757153fc248-d/main --cache-dir /tmp/base_image_layers --max-probe 50 --max-tags 50 --base-repo registry.access.redhat.com/ubi8 --base registry.access.redhat.com/ubi8/s2i-core:8.10-1754427417 registry.redhat.io/rhel8/redis-6:1-1754453437 registry.access.redhat.com/ubi8/s2i-core:8.10-1754427417 debian:trixie-backports]
🕵️  registry.redhat.io/rhel8/redis-6:1-1754453437
✅ registry.access.redhat.com/ubi8/s2i-core:8.10-1754427417
🕵️  registry.access.redhat.com/ubi8/s2i-core:8.10-1754427417
✅ registry.access.redhat.com/ubi8:8.10-1754402693
🕵️  debian:trixie-backports
❌ no match

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[red-hat-konflux]

Caution

There are some errors in your PipelineRun template.

PipelineRun	Error
central-db-on-push	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
main-on-push	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
operator-on-push	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
operator-bundle-on-push	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
retag-collector	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
retag-scanner-db-slim	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
retag-scanner-db	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
retag-scanner-slim	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
retag-scanner	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
roxctl-on-push	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
scanner-v4-on-push	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels
scanner-v4-db-on-push	CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels

[rhacs-bot]

Images are ready for the commit at 52822a6.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.9.x-510-g52822a61f5.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.08%. Comparing base (a94defe) to head (52822a6).

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #16417   +/-   ##
=======================================
  Coverage   49.07%   49.08%           
=======================================
  Files        2640     2640           
  Lines      195603   195603           
=======================================
+ Hits        95999    96002    +3     
+ Misses      92095    92093    -2     
+ Partials     7509     7508    -1     

Flag	Coverage Δ
go-unit-tests	49.08% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull Request Overview

This PR introduces a proof-of-concept (POC) tool for base image detection that infers an image's base by matching the target's layer digest prefix against a set of candidate base images. The tool operates without pulling image layers, instead relying on manifest inspection for efficient analysis.

Key changes:

• Implementation of a registry client for container image inspection
• Base image detection algorithm using layer digest prefix matching
• JSON-based caching system for registry metadata
• CLI tool with support for both explicit base references and repository exploration

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
registry/registry.go	Registry client implementation for image inspection and tag listing
main.go	Main CLI application with base image detection logic and semver-based tag sorting
jsoncache/jsoncache.go	JSON file cache for storing registry inspection results
go.mod	Go module dependencies including container registry libraries
README.md	Documentation explaining the POC concept, usage, and limitations

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.}

[Copilot]

SHA-1 is cryptographically weak and should not be used for security purposes. Consider using SHA-256 or another secure hash function from the crypto/sha256 package.

Suggested change

	h := sha1.New()
	h := sha256.New()

[Copilot]

SHA-1 is cryptographically weak and should not be used. Consider using SHA-256 or another secure hash function from the crypto/sha256 package.

Suggested change

	sum := sha1.Sum([]byte(key))
	sum := sha256.Sum256([]byte(key))