Security - Only Upload Dockerfile - Docker Hub to build Image

As a security measure to ensure that viruses and compromised images cannot be downloaded from Docker Hub, I thought it would be a good idea if contributors only uploaded the Dockerfile. Docker Hub could then be responsible for running the Dockerfile to create the image.

In this way, we would always have the Dockerfile and we would know that the image was created using that Dockerfile, and therefore a security audit of the images would be easy and secure.

What do you think?

Do you know if images get built from the attached git repo by Docker Hub, or do you upload the image in such a way that it could be different than what is in the repo?