Unpinned version for base image
ID | unpinned_version_base_image
Severity | high
Vendor | Docker
Resource | Base image
Tags | reachable
Description
It is recommended to pin the version of the base image in Dockerfiles.
Using the latest tag (or no tag at all) causes several problems. When no tag is given, Docker defaults to latest, but latest is only a tag name: it points at whatever image the publisher most recently pushed under that tag, not necessarily the newest release of the software. Builds can therefore silently pick up outdated images, or a different image from one build to the next. In production deployments such a floating reference causes unexpected behaviour, makes it hard to determine which version is actually running, and makes it impossible to reproduce a build or to tell whether the image that was pulled is the one that was reviewed.
Tags are mutable: the content behind any tag can be replaced, whether by a legitimate rebuild or by someone who has gained push access to the repository. Only a digest identifies a specific image content immutably. It is best practice to be as specific as possible about what is running, so that operations are predictable, repeatable and reliable.
See "What's Wrong With The Docker :latest Tag?" for a full description of the :latest tag issues.
Examples
FROM alpine   # (1)
# ...
1 | No tag is given, so it defaults to latest, which is unpinned. It is not possible to tell from the Dockerfile which version of the base image will be pulled. |
Mitigation / Fix
Use @digest or :tag with the appropriate version.
Popular images use a semantic versioning scheme and publish tags that allow fetching the major, major.minor or major.minor.patch version. Using major or major.minor is a partial pin: it is allowed by the detector, but the tag still moves as new minor or patch releases are published. Only a digest is immutable; a tag, even a full version tag, can be re-pushed with different content. When pinning by digest, plan to refresh the digest regularly (for example with a dependency-update tool) so that security fixes in the base image are still picked up.
# Pinned to the given image by digest (immutable, but not for humans!)
FROM alpine@sha256:bc41182d...
# or a date-oriented tag
FROM alpine:20220715
# or a full version tag
FROM alpine:3.16.2
# or a partial pin (major.minor)
FROM alpine:3.16
# or even a partial pin on the major version only
FROM alpine:3
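The classification the rule describes (digest and full version tags pass, major / major.minor partial pins are tolerated, a missing tag, :latest or a floating name tag is reported) can be checked statically. The following script is an added example written for this page; it is not the detector's own code and is not part of the original documentation. It also handles cases the examples above do not show: stage references in multi-stage builds, scratch, registry ports, build-arg substitution and the --platform flag. The Dockerfile it scans is constructed for the example and the digest in it is a dummy 64-hex value. Backslash line continuations are not handled.

```python
import re
from dataclasses import dataclass

# One FROM instruction: optional --platform flag, image reference, optional "AS stage".
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
DATE_TAG_RE = re.compile(r"^\d{8}$")                                   # 20220715
FULL_VERSION_RE = re.compile(r"^v?\d+\.\d+\.\d+")                      # 3.16.2, 1.21.5-alpine
PARTIAL_VERSION_RE = re.compile(r"^v?\d+(?:\.\d+)?(?:-[A-Za-z0-9.]+)?$")  # 3, 3.16, 3.11-slim


@dataclass
class Finding:
    line_no: int
    ref: str
    pin: str     # digest | tag | partial | unpinned | dynamic | stage | scratch
    detail: str


def split_ref(ref: str):
    """Return (name, tag, digest) for an image reference.

    '@' introduces the digest. The tag is whatever follows the last ':' that
    comes after the last '/', so a registry port ('host:5000/img') is not
    mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest


def classify(ref: str, stages: set):
    """Map one FROM reference to a (pin, detail) pair."""
    if "$" in ref:
        return "dynamic", "reference built from a build-arg; pin cannot be verified statically"
    name, tag, digest = split_ref(ref)
    if name == "scratch":
        return "scratch", "empty base image"
    if tag is None and digest is None and name.lower() in stages:
        return "stage", "reference to an earlier build stage"
    if digest is not None:
        if DIGEST_RE.match(digest):
            return "digest", "immutable digest pin"
        return "unpinned", "malformed digest"
    if tag is None:
        return "unpinned", "no tag given; Docker defaults to :latest"
    if tag == "latest":
        return "unpinned", "explicit :latest tag"
    if DATE_TAG_RE.match(tag) or FULL_VERSION_RE.match(tag):
        return "tag", "full version or date tag"
    if PARTIAL_VERSION_RE.match(tag):
        return "partial", "major or major.minor pin; tolerated but may drift"
    return "unpinned", "floating tag (e.g. stable, edge, a distro codename)"


def scan_dockerfile(text: str) -> list:
    findings = []
    stages = set()   # stage names seen so far; BuildKit matches them case-insensitively
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        pin, detail = classify(m.group("ref"), stages)
        findings.append(Finding(line_no, m.group("ref"), pin, detail))
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return findings


def violations(findings):
    """Findings the rule would report; partial pins are allowed, as the rule says."""
    return [f for f in findings if f.pin == "unpinned"]


# Constructed sample Dockerfile covering each case (the digest is a dummy value).
SAMPLE_DOCKERFILE = """\
ARG BASE=alpine
FROM alpine
FROM --platform=linux/amd64 golang:1.21.5 AS builder
FROM registry.example.com:5000/tools:3
FROM ${BASE}:3.16
FROM alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM builder
FROM scratch
FROM python:3.11-slim
FROM debian:bullseye
FROM ubuntu:latest
"""

if __name__ == "__main__":
    found = scan_dockerfile(SAMPLE_DOCKERFILE)
    for f in found:
        print(f"line {f.line_no:2d} {f.pin:9s} {f.ref}  ({f.detail})")
    print("violations:", [f.line_no for f in violations(found)])
```

On the sample, lines 2 (no tag), 10 (distro codename) and 11 (explicit latest) are reported; the build-arg reference on line 5 is returned as "dynamic" rather than as a violation, because a static scan cannot know what the argument resolves to, and a real detector would either resolve ARG defaults or report it separately.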