# DOCKER-AUD-001: Dockerfile Source Not Pinned

> **Severity:** LOW | **CWE:** CWE-1188

- **Language:** Docker
- **Category:** Audit
- **URL:** https://codepathfinder.dev/registry/docker/audit/DOCKER-AUD-001
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-AUD-001 --project .`

## Description

Detects FROM instructions without digest pinning (@sha256:...).
Tags are mutable and can be updated to point to different images, while
digests are immutable references to specific image layers.

## Vulnerable Code

```dockerfile
# Bad: a tag is a mutable pointer and can be moved to a different image
FROM nginx:1.24.0
# Especially bad: "latest" is expected to move with every release
FROM ubuntu:latest

# These can all change over time
FROM node:18
FROM python:3.11-slim
```

## Secure Code

```dockerfile
# Good: Digest pinning ensures immutable reference
FROM nginx:1.24.0@sha256:a4f34e6fb432af40bc594a0f1e5178598f6ca0f1ea6b3c6e7c5e5e8c3f9d6e1a

# Can combine readable tag with immutable digest
FROM ubuntu:22.04@sha256:b6b83d3c331794420340093eb706a6f152d9c1fa51b262d9bf34594887c2c7ac

# For multi-stage builds
FROM node:18@sha256:abc123... AS builder
FROM nginx:alpine@sha256:def456... AS runtime
```

## Detection Rule (Python SDK)

```python
from codepathfinder.container_decorators import dockerfile_rule
from codepathfinder.container_matchers import instruction


@dockerfile_rule(
    id="DOCKER-AUD-001",
    name="Dockerfile Source Not Pinned",
    severity="LOW",
    cwe="CWE-1188",
    category="audit",
    tags="docker,dockerfile,from,digest,sha256,immutability,supply-chain,reproducibility,audit,security",
    message="FROM instruction without digest pinning. Consider using @sha256:... for immutable builds."
)
def dockerfile_source_not_pinned():
    return instruction(type="FROM", missing_digest=True)
```
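The same check as a standalone scanner, added here as an illustration rather than Code Pathfinder's own `instruction(type="FROM", missing_digest=True)` matcher: it handles the cases a real Dockerfile throws at a digest check, namely `--platform` flags, stage aliases (`FROM builder`), `scratch`, and an image chosen through a build `ARG`. The sample Dockerfile is constructed for this example; only the nginx digest is taken from the Secure Code section above.

```python
import re
from dataclasses import dataclass

# FROM [--flag ...] <image> [AS <stage>]; Docker treats AS and stage names case-insensitively.
FROM_RE = re.compile(r"^\s*FROM\s+((?:--\S+\s+)*)(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
# A pinned reference ends in an immutable content digest: 64 lowercase hex characters.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

@dataclass
class Finding:
    line: int
    image: str

def find_unpinned_from(dockerfile: str) -> list[Finding]:
    """One Finding per FROM whose image reference carries no sha256 digest.

    'scratch' and references to earlier build stages are skipped (nothing is
    pulled from a registry). A FROM built from an ARG such as ${BASE} cannot be
    verified at scan time, so it is reported.
    """
    findings: list[Finding] = []
    stages: set[str] = set()
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        _flags, image, stage = m.groups()
        if stage:
            stages.add(stage.lower())
        if image == "scratch" or image.lower() in stages:
            continue
        if not DIGEST_RE.search(image):
            findings.append(Finding(lineno, image))
    return findings

# Constructed sample; the nginx digest is the one from the Secure Code section above.
SAMPLE_DOCKERFILE = """\
# builder stage: tag only, mutable
FROM --platform=linux/amd64 node:18 AS builder
# runtime stage: tag plus immutable digest
FROM nginx:1.24.0@sha256:a4f34e6fb432af40bc594a0f1e5178598f6ca0f1ea6b3c6e7c5e5e8c3f9d6e1a AS runtime
# stage reference and scratch are not registry pulls
FROM builder as test
FROM scratch
# image chosen by build argument: cannot be verified here
ARG BASE=ubuntu:22.04
FROM ${BASE}
"""
```

Running `find_unpinned_from(SAMPLE_DOCKERFILE)` reports lines 2 (`node:18`) and 10 (`${BASE}`) and nothing else.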

## How to Fix

- Review your Dockerfile and pin every FROM image to an immutable digest (`image:tag@sha256:...`) instead of a tag alone
- Follow Docker official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag dockerfile source not pinned?**

FROM instruction without digest pinning. Consider using @sha256:... for immutable builds.

**Q: How do I fix this?**

Review the Secure Code example above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [Docker Content Trust](https://docs.docker.com/engine/security/trust/)
- [Dockerfile Best Practice: Pin image digests for reproducibility](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#from)
- [Supply Chain Security Best Practices](https://docs.docker.com/build/building/best-practices/)

---

Source: https://codepathfinder.dev/registry/docker/audit/DOCKER-AUD-001
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
