Blog/Best Practices

Eliminating ambiguity: The case for explicit Docker image paths

Jan 2 2026
5 min read
Written by
Colin Moynes
Colin Moynes
Senior Support Engineer - Cloudsmith

The danger of implicit naming in container security

At Cloudsmith, we believe in building a secure, transparent, and reliable software supply chain. When teams migrate their container workflow to a private, unified registry like Cloudsmith, one subtle habit often carries over from the days of exclusively using Docker Hub: implicit image path naming.

Relying on implicit names is dangerous because it introduces ambiguity, undermines security, and can lead to unexpected build failures.

This article explores what implicit naming is, why it's a risk, and why you should adopt a policy of using fully-qualified domain names (FQDNs) for every single container image reference.

Implicit vs. Explicit: build with confidence

Whether you are building a new image or deploying an existing one, you need absolute confidence that you are requesting the correct source from the correct registry, repository, and base image, with the right dependencies, and without any unverified or malicious components. Trust in your pipeline means knowing every artifact comes from a verified source, every dependency is accounted for, and nothing has been silently altered along the way. Without that assurance, you’re not just building software – you’re building in potential vulnerabilities.

When you interact with a Docker image using the standard Docker CLI, the client makes an assumption if you omit the registry namespace. This assumption is known as an implicit path.

The implicit default

When you run a command like:

$ docker pull ubuntu:latest

The Docker client automatically prefixes the image name with the default registry and library namespace, which is docker.io/library/ (Docker Hub).

  • ubuntu:latest implicitly translates to docker.io/library/ubuntu:latest.

The explicit standard (The Cloudsmith way)

The explicit approach requires you to specify the Fully-Qualified Domain Name (FQDN) of the registry as a prefix. This removes all ambiguity.

When you use Cloudsmith as your private registry, your images must be pulled or pushed using a path that looks like this:

$ docker pull docker.cloudsmith.io/my-org/my-repo/my-app:v1.0

Kubernetes 1.34 and the end of ambiguity

Starting with Kubernetes 1.34, distributions powered by the CRI-O runtime (including OpenShift and OKE) enforce precise image name resolution. The rule is simple: Kubernetes no longer pulls container images unless you explicitly define the source.

With Kubernetes 1.34, CRI-O removes the implicit path assumption. To ensure deterministic builds and deployments, every image reference must now include its fully qualified registry path. Without it, the pull request is rejected, and the deployment fails.

Existing:

image: python:latest

Changed:

image: docker.io/library/nginx:latest

This shift validates a long-argued point by security experts: ambiguity is a vulnerability.

The critical risks of relying on implicit paths

Why is this subtle difference a massive liability in a software supply chain?

Risk 1: Supply chain confusion and hijacking

In complex build scripts, Dockerfiles, or Kubernetes manifests, it’s easy to mix explicit and implicit references.

Scenario: You push your application image to Cloudsmith using the FQDN (docker.cloudsmith.io/.../my-app:v1.0). However, an internal Dockerfile pulls a base image using an implicit path (FROM base-image:latest).

  • If you intend base-image:latest to come from your private Cloudsmith repo, but the FQDN is missing, the build system will instantly default to Docker Hub and try to pull a public image.
  • This creates a vulnerability if a bad actor pushes a malicious image with the same name (base-image:latest) to Docker Hub, hijacking your dependency stream (a technique known as Dependency Confusion or Registry Confusion).

Risk 2: Intermittent build failures

If the implicit image exists on Docker Hub and in your private Cloudsmith repository, the behavior of which image your build pulls can become non-deterministic, often depending on local client configuration (like docker-credential-helpers or login status).

In one environment, the local client might be configured to prioritize Cloudsmith, pulling your private image. In another CI/CD environment, the client might default to Docker Hub, causing:

  1. Authentication Errors: If the image is private on Docker Hub and the environment isn't logged in.
  2. Image Mismatch: Pulling the wrong, possibly outdated, public image.

Risk 3: Vendor Lock-in (or Lock-out)

Using implicit paths throughout your build scripts fundamentally locks you into the Docker Hub default. If the Docker client changes its implicit behavior or if network rules block access to Docker Hub, your builds will instantly break.

A fully-qualified path, like one pointing to your Cloudsmith repository, is future-proof and completely under your control.

The best practice: adopting the FQDN standard

To maintain the highest level of security, clarity, and reliability in your supply chain, we strongly recommend adopting a strict policy:

Every single image reference, whether it’s a base image in a Dockerfile, a deployment manifest in Kubernetes, or a call in a CI/CD script, must include the registry FQDN.

Image SourceImplicit Path (Avoid)Explicit Path (Best Practice)
Public Docker Hubnginx:latestdocker.io/library/nginx:latest
Private Cloudsmithmy-app:v1.0registry.cloudsmith.io/org/repo/my-app:v1.0

Cloudsmith tip: streamline your base images

To make this explicit policy easier to enforce for common base images (like alpine, ubuntu, or node), we recommend mirroring (upstream caching) those images into a dedicated, private Cloudsmith repository.

This allows you to control the exact version, scan it for vulnerabilities, and use a consistent, explicit path for all base images:

# Instead of pulling implicitly from Docker Hub:

FROM alpine:3.18

# Pull explicitly from your private, mirrored, secured Cloudsmith path:

FROM docker.cloudsmith.io/my-org/base-images/library/alpine:3.18

By making all paths explicit, you transform your dependency graph from a set of ambiguous references into a predictable, auditable, and secure supply chain.

Conclusion

Implicit path naming is a relic of simpler times. In today's landscape of container security and supply chain complexity, ambiguity is a vulnerability. By adopting the standard of always using fully-qualified domain names (FQDNs), you make your builds robust, auditable, and resilient to dependency confusion attacks.

Ready to secure your container supply chain and enforce clarity? Sign up for Cloudsmith today and start managing every package with the confidence of an explicit, reliable path.


Read more by
Colin Moynes
Colin Moynes
Senior Support Engineer - Cloudsmith

More articles

01/02
Best Practices
8 min read

Using vulnerability scoring systems to prioritize risks in your environment

Instead of wasting time clicking buttons in a UI, Cloudsmith gives dev teams the freedom to write their security rules as code for more power and flexibility. This approach, called policy-as-code, requires them to define precise limits/thresholds for what they consider a risky software artifact. When you're building policy-as-code, you can sometimes be stuck deciding exactly what thresholds to set for risky software artifacts. With a tsunami of vulnerabilities being thrown your way daily, it's impossible (and inefficient) to treat them all as emergencies. This blog post will help you understand the various scoring systems you can use to build smarter, context-aware security policies…
Best Practices
8 min read

Pull back the hood on the data and tech that informs EPM

At Cloudsmith, we believe that visibility, control, and automation are essential to securing your software supply chain. That’s why we built Enterprise Policy Management (EPM) as a programmable enforc…
Keep up to date with our monthly newsletter

By submitting this form, you agree to our privacy policy