Blubber has built-in support for a policy file that can restrict any of the fields used in a Blubberfile. The base policy file for CI ought to (as discussed during the all-hands pipeline meeting) restrict the base image for production to only those images from the Wikimedia Docker registry.
By golang image, meaning the one from Docker Hub? I am not particularly thrilled with that. E.g. look at https://nvd.nist.gov/vuln/detail/CVE-2019-5736 for how a malicious image can lead to the compromise of the Docker container host, and in our infrastructure the entirety of CI, which is in production networks (that's a discussion we need to open at some point). This is not the first kind of attack that exists regarding container escape and compromise of the host, nor will it be the last IMHO.
We should rely only on container images we know we can trust and the only currently feasible way to do that is to use our own registry. So my take would be to extend the policy to all variants.
@thcipriani AFAIK the policy applies to every image, not only the production ones. I think it should be fairly easy (look into ) to build a base image for Go like the ones we publish for nodejs; we will probably need to use the golang-go package from backports, since golang-go on stretch ships 1.7 and, reading quickly through the code, I saw a couple of things that require a newer version.
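To make the rule argued for above concrete (every variant's base image, not just production's, must come from the organisation's own registry), here is an added example of an allowlist check over a Blubberfile. This is not Blubber's own policy mechanism and not code from the project; it models the Blubberfile as the dict a YAML parser would produce and only reads the `base`, `variants` and `includes` keys. The registry hostname, the variant names and the merge order for `includes` are assumptions made for the example.

```python
"""Added example: registry allowlist check over Blubberfile base images.

Not Blubber's policy implementation. Assumed Blubberfile shape: a top-level
'base' plus 'variants', each of which may override 'base' and may list other
variants in 'includes'. Hostnames and variant names are constructed data.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional

DOCKER_HUB = "docker.io"


def registry_of(image_ref: str) -> str:
    """Registry host an image reference resolves to.

    Docker's rule: the component before the first '/' is a registry only if it
    contains '.' or ':' or is 'localhost'; anything else ('golang:1.12',
    'library/golang') is pulled from Docker Hub.
    """
    first, sep, _rest = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return DOCKER_HUB


def effective_base(config: Dict, variant: str,
                   _path: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Base image a variant ends up with after inheritance.

    Assumed merge order (an assumption, not documented Blubber behaviour):
    top-level 'base', then the bases of the variants listed in 'includes' in
    order, then the variant's own 'base'. Include cycles resolve to None.
    """
    if variant in _path:
        return None
    _path = _path | {variant}
    spec = (config.get("variants") or {}).get(variant) or {}
    base = config.get("base")
    for included in spec.get("includes") or []:
        inherited = effective_base(config, included, _path)
        if inherited is not None:
            base = inherited
    return spec.get("base", base)


def check_base_images(config: Dict, allowed_registries: Iterable[str]) -> List[str]:
    """Return one violation line per variant whose base is not allowlisted."""
    allowed = {r.lower() for r in allowed_registries}
    variants = config.get("variants") or {}
    targets = {name: effective_base(config, name) for name in variants} \
        or {"<top-level>": config.get("base")}
    violations = []
    for name, base in targets.items():
        if base is None:
            violations.append(f"{name}: no base image resolved")
        elif registry_of(base) not in allowed:
            violations.append(
                f"{name}: base {base!r} resolves to registry "
                f"{registry_of(base)!r}, not in allowlist")
    return violations


# Constructed sample: 'build' pulls from Docker Hub, 'test' inherits that,
# 'production' overrides it with an image from the assumed internal registry.
SAMPLE_BLUBBERFILE = {
    "version": "v3",
    "base": "docker-registry.wikimedia.org/wikimedia-stretch:latest",
    "variants": {
        "build": {"base": "golang:1.12"},
        "test": {"includes": ["build"]},
        "production": {
            "includes": ["build"],
            "base": "docker-registry.wikimedia.org/wikimedia-stretch:latest",
        },
    },
}
ALLOWED_REGISTRIES = ["docker-registry.wikimedia.org"]  # assumed hostname

if __name__ == "__main__":
    for line in check_base_images(SAMPLE_BLUBBERFILE, ALLOWED_REGISTRIES):
        print(line)
```

Run against the sample, the check flags `build` and `test` but not `production`, which is exactly the gap a production-only policy leaves open: the build and test stages still execute a Docker Hub image on the CI host.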