Dockerfile Source Not Pinned

LOW

FROM instruction without digest pinning. Consider using @sha256:... for immutable builds.

Rule Information

Language

Docker

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker/DOCKER-AUD-001 --project .

rule.py

About This Rule

Understanding the vulnerability and how it is detected

Detects FROM instructions without digest pinning (@sha256:...). Tags are mutable and can be updated to point to different images, while digests are immutable references to specific image layers.

How to Fix

Recommended remediation steps

1Review your Dockerfile to address the dockerfile source not pinned issue
2Follow Docker official best practices for image building
3Use docker build --check to validate Dockerfile syntax and best practices

References

External resources and documentation

Docker Content Trust Dockerfile Best Practice: Pin image digests for reproducibility Supply Chain Security Best Practices

Similar Rules

Explore related security rules for Docker

MEDIUM

Privileged Port Exposed

Exposing port below 1024 typically requires root privileges to bind. Consider using non-privileged ports (>1024) with port mapping or granting CAP_NET_BIND_SERVICE capability.

Frequently Asked Questions

Common questions about Dockerfile Source Not Pinned

FROM instruction without digest pinning. Consider using @sha256:... for immutable builds.

Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

New feature

Get these findings posted directly on your GitHub pull requests

The Dockerfile Source Not Pinned rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works

Back to Audit All Languages →