
# Adding OCI Tags to Docker Images

This page explains Arnica's automated workflow that adds [Open Container Initiative](https://opencontainers.org/) (OCI) Tags to Docker images. The workflow is designed to map container images to their corresponding source code in your Git repository, ensuring seamless traceability, improved security, and consistent image annotation across your codebase.

## Why it matters

1. **Traceability**\
   By linking Docker images directly to their source code, your teams can easily trace and audit where the source code is deployed.
2. **Streamlined Security Management**\
   Reducing security noise by deduplicating vulnerability findings helps prioritize real risks. This focused approach leads to better-informed security decisions and faster remediation of issues, while also reducing unnecessary work for developers.

{% hint style="info" %}
Organizations are shifting to a shared "golden image" model for enhanced consistency and security. If your organization adopts this approach, OCI tagging can help identify where vulnerabilities occur, enabling Arnica to direct findings to the team responsible for the "golden image", when applicable.
{% endhint %}

## Understanding the code changes

Arnica automatically maps Dockerfiles in Git repositories to Docker images using statistical analysis. However, certain Dockerfiles need more context to be mapped successfully to their Docker images. In those cases, you will see Arnica's commit added to the HEAD of the source branch in every Pull Request in the repository until it is merged at least once into your important branch (the default branch in most cases).

Below are the changes in the commit:

1. A block scoped with a start and end location.
2. `LABEL org.opencontainers.image.source` - the link to the Git repository.
3. `LABEL org.opencontainers.image.path` - the link to the Dockerfile in the Git repository. This is needed because multiple Dockerfiles can exist in the same Git repository.
4. Optional: a custom message provided by the Arnica operators with further instructions.
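
To see which Dockerfiles in a repository already carry the two labels listed above, the following added example (not Arnica's code) parses `LABEL` instructions, including multi-line and legacy `key value` forms, and reports missing labels, their position, and the `#arnica-ignore` opt-out comment described in the FAQ. The function names, the strict "no instruction after the labels" check, and the sample URL and paths are assumptions made for illustration.

```python
import shlex

REQUIRED = ("org.opencontainers.image.source", "org.opencontainers.image.path")
IGNORE_MARKER = "#arnica-ignore"  # default opt-out comment; orgs may customize it

def logical_lines(text):
    """Yield (is_comment, line), joining backslash-continued instructions."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            yield True, line
        elif line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            buf += line
            if buf.strip():
                yield False, buf.strip()
            buf = ""

def parse_labels(args):
    """Parse LABEL arguments: `k=v k2="v 2"` or the legacy `k v` form."""
    tokens = shlex.split(args)
    if tokens and "=" not in tokens[0]:
        return {tokens[0]: " ".join(tokens[1:])}
    return dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Report label coverage; labels_last means no other instruction follows them."""
    labels, first_required, last_other, ignored = {}, None, -1, False
    for i, (is_comment, line) in enumerate(logical_lines(text)):
        instr, *rest = line.split(None, 1)
        if is_comment:
            ignored = ignored or IGNORE_MARKER in line
        elif instr.upper() != "LABEL":
            last_other = i
        else:
            found = parse_labels(rest[0] if rest else "")
            labels.update(found)
            if first_required is None and any(k in found for k in REQUIRED):
                first_required = i
    return {"ignored": ignored, "labels": labels,
            "missing": [k for k in REQUIRED if k not in labels],
            "labels_last": first_required is not None and first_required > last_other}

# Constructed sample Dockerfiles (URL and paths are placeholders).
LABELED = ('FROM alpine:3.20\nCOPY app /app\n'
           'LABEL org.opencontainers.image.source="https://git.example.com/acme/shop" \\\n'
           '      org.opencontainers.image.path="services/api/Dockerfile"\n')
UNLABELED = 'FROM alpine:3.20\nLABEL maintainer dev@example.com\nCMD ["/app"]\n'
```

Running `audit()` over every Dockerfile in a checkout shows which files would still receive the labels and which are opted out.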

## FAQ

**Q: Why this repository and not others?**\
A: Your organization's Arnica operators opted this Git repository into this feature (it is off by default).

**Q: Will this break my pipeline?**\
A: No. LABELS are safe to add, and even encouraged by the OCI specification. For more information see [OCI Annotations](https://github.com/opencontainers/image-spec/blob/main/annotations.md).

**Q: Will this break my Docker cache?**\
A: We are adding these labels last to avoid affecting cached layers.

**Q: I didn't touch any Dockerfiles, why are you adding these labels?**\
A: Any change to any file may trigger an image build and deployment once this Pull Request is merged. To ensure all images are properly linked to the correct source code, Arnica will add these labels to all Dockerfiles that don't have them yet.

**Q: I'm a frontend developer who is simply changing an icon, why am I seeing this?**\
A: You are simply the lucky first to open a Pull Request after the policy was enabled for this repository!

**Q: We already have our images annotated during the build process in our CI/CD pipeline, why here?**\
A: At this point, Arnica does not automatically identify these labels added during image build. Note that there is no harm in adding these labels via the Dockerfile; however, if you have a concern, see below for how to opt out.

**Q: I don't like this. How do I stop this?**\
A: There are three ways to opt out:

1. Contact your Arnica operators and request removal of your Git repository from the policy.
2. Add a comment with `#arnica-ignore` to the file to opt it out going forward. (Note that your organization may have a customized ignore pattern; check with your security team for details.)

**Q: Ok, I read your FAQ, read your docs, talked to my Arnica operators, but I still have a question.**\
A: We are here to help! In urgent matters or for any questions, please contact **<support@arnica.io>**.


