Renovate failed to look up the following dependencies: image@sha256

[aamarques]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

Gitlab - Renovate CLI v41.143.1 (CE 11.5.0-full)

Please tell us more about your question or problem

HI,
I have the following warning message:

Renovate failed to look up the following dependencies: `Could not determine new digest for update (docker package docker-registry.mycompany.com/builder-image)`.

Files affected: `.gitlab-ci.yml`

I found it's related to how Renovate handles image TAGs.
In our case, we don't use tags; we use the SHA256 value, for example: image: docker-registry.mycompany.com/builder-image@sha256:67c7ad3ec0252ca55b989e0280c1a254b32de4441becca2bb2b228bf1027ec1a.

As far as I could tell, renovate can't handle it in a normal situation because the expected format is registry/image:tag:sha, not registry/image@sha:.

Am I right? There's a "workaround or config for this"

Thanks in advance,

Antonio

Logs (if relevant)

Logs

20251027_160022_e8f7395f-e54c-4258-b490-1d978725eeab.log":{
   "name":"renovate",
   "hostname":"96d70518824e",
   "pid":580,
   "level":40,
   "logContext":"e8f7395f-e54c-4258-b490-1d978725eeab",
   "repository":"dev/my-custom-image",
   "branch":"renovate/my-docker-registry.com-my-nodejs-25.x",
   "warnings":[
      "**Could not determine new digest for update (docker package my-docker-registry.com/builder-my-custom-image)**"
   ],
   "files":[
      "**.gitlab-ci-image.yml**"
   ],
   "msg":"Package lookup failures",
   "time":"2025-10-27T16:00:38.373Z",
   "v":0
}"
20251027_160022_e8f7395f-e54c-4258-b490-1d978725eeab.log":{
   "name":"renovate",
   "hostname":"96d70518824e",
   "pid":580,
   "level":40,
   "logContext":"e8f7395f-e54c-4258-b490-1d978725eeab",
   "repository":"dev/my-custom-image",
   "warnings":[
      "**Could not determine new digest for update (docker package my-docker-registry.com/builder-my-custom-image)**"
   ],
   "files":[
      "**.gitlab-ci-image.yml**"
   ],
   "msg":"Package lookup failures",
   "time":"2025-10-27T16:00:38.407Z",
   "v":0
}

[jamietanna]

In our case, we don't use tags; we use the SHA256 value,

In this case, Renovate won't be able to update these digests, as it won't know where to look.

Without a tag to follow, Renovate can't determine what the correct new digest should be.

Given an image may have different tags, latest, stable, etc - taking "what's the latest pushed digest to this image, regardless of tag" is unlikely to be a good option.

As a workaround, I'd recommend tagging the images - likely with latest - so you can get updates, and then it also provides a hint to the humans that this is where it's coming from, too.

As an interesting aside, note that the tag is ignored when i.e. Docker interprets:

FROM ghcr.io/renovatebot/base-image:10.67.5@sha256:d67e849707f38e11c8674a59d3fffef1ea6977757f3a65d9d1a3a198bdd160cf AS slim-base

In this case, Docker will pull ghcr.io/renovatebot/base-image@sha256:d67e849707f38e11c8674a59d3fffef1ea6977757f3a65d9d1a3a198bdd160cf.

But it's a good hint to bots + humans that this is what it's intended to be (but can lead to possible confusion or attacks, if someone points it to a malicious digest.

We could look at improving the debug logs to warn of this case, and recommend folks pin their digest to a tag?

[aamarques]

Thank yo @jamietanna
Here in our company, for these kinds of images (used to build and run tests most of the time), we don't practice tagging images.
Perhaps, we should do it.

If there's a way to ignore this message, it would be great, but maybe it's not worth .

We could look at improving the debug logs to warn of this case, and recommend folks pin their digest to a tag?

That will be nice.

Thanks again.

[jamietanna]

if there's a way to ignore this message

I've not fully tested this, but it should be possible to do i.e.

{
	"$schema": "https://docs.renovatebot.com/renovate-schema.json",
	"packageRules": [
		{
			"description": "...",
			"matchPackageNames": [
				"docker-registry.mycompany.com/builder-image"
			],
			"enabled": false
		}
	]
}

That'll make sure that Renovate doesn't attempt to manage the dependency, and makes it clear to humans as to why it's not updating, too!