Totally get it… practically if you don’t want to have to deal with constantly updating images you have to have some degree of trust in whomever you get them from… that said, we try to be as transparent as possible with a cryptographically verifiable SBOM for every build of every image, signing every image, providing detailed compliance test results for FIPS, STIG, CIS (see the compliance tab on each image listing)

Your feedback about Dockerfiles is good though and probably something we can easily add to image listings. I opened an issue for us to add.

Note that we also make our package manager freely available in Community Edition as well, which can make the Dockerfile availability more useful.