Allow docker image to be pulled by digest hash


      Since we use publicly available images from sources like Docker Hub, we could not guarantee that someone modifies the image. Worst case, an attacker could change the image to put a trojan in our binaries.

      So, how to prevent this?

      I think that it will be a very good idea to add a checksum verification to Pipelines. This way, we could test and analyze the image. Combined with the checksum we could guarantee that the tested and analyzed image is used for builds.

            Assignee:
            Unassigned
            Reporter:
            Cornelis Hoeflake
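The check requested in this issue, sketched as an added example (not code from the issue or from Pipelines): a reference pinned as `name@sha256:<hex>` is accepted only if the SHA-256 of the manifest bytes equals the pinned value, while a tag-only reference is rejected. The function names, the image name `example/build-env` and the sample manifests are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import re

# Reference pinned by digest: <name>@sha256:<64 lowercase hex chars>
PINNED_RE = re.compile(r"^(?P<name>[^@\s]+)@sha256:(?P<hex>[0-9a-f]{64})$")


def parse_pinned(ref):
    """Return (name, hex_digest) for a digest-pinned reference, else None."""
    m = PINNED_RE.match(ref.strip())
    return (m.group("name"), m.group("hex")) if m else None


def manifest_digest(manifest_bytes):
    """Image digest: SHA-256 over the exact manifest bytes."""
    return hashlib.sha256(manifest_bytes).hexdigest()


def verify_image(ref, manifest_bytes):
    """True only if ref is digest-pinned and the manifest matches the pin."""
    parsed = parse_pinned(ref)
    if parsed is None:
        return False  # tag-only reference: the tag can be repointed later
    return hmac.compare_digest(parsed[1], manifest_digest(manifest_bytes))


# Constructed sample manifests (not real images): the reviewed one and a
# copy whose layer digest was swapped after review. The manifest lists its
# layers by digest, so any content change alters the manifest digest too.
REVIEWED = b'{"schemaVersion":2,"layers":[{"digest":"sha256:' + b"a" * 64 + b'"}]}'
TAMPERED = REVIEWED.replace(b"a" * 64, b"b" * 64)

# Hypothetical image name; the pin is recorded when the image is reviewed.
PINNED_REF = "example/build-env@sha256:" + manifest_digest(REVIEWED)
TAG_REF = "example/build-env:latest"

if __name__ == "__main__":
    for label, ref, manifest in [
        ("pinned, reviewed manifest", PINNED_REF, REVIEWED),
        ("pinned, tampered manifest", PINNED_REF, TAMPERED),
        ("tag only, reviewed manifest", TAG_REF, REVIEWED),
    ]:
        print(f"{label}: {'accept' if verify_image(ref, manifest) else 'reject'}")
```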