Base Image Uses :latest Tag

MEDIUM

Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible.

Rule Information

Language
Docker
Category
Best Practice
Author
Shivasurya
Shivasurya
Last Updated
2026-03-22
Tags
dockerdockerfilefromimagetagversionlatestreproducibilitybest-practicesupply-chainimmutability
CWE References
CWE-1188

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker/DOCKER-BP-001 --project .
1
2
3
4
5
6
7
8
9
10
11
12
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

About This Rule

Understanding the vulnerability and how it is detected

This rule detects FROM instructions using the :latest tag (or no tag, which defaults to :latest). Using unversioned or latest-tagged base images makes builds non-reproducible and can introduce unexpected breaking changes or security vulnerabilities when the upstream image is updated.

How to Fix

Recommended remediation steps

  • 1Pin base images to specific version tags (e.g., python:3.11-slim instead of python:latest)
  • 2Use digest pinning (@sha256:...) for maximum reproducibility
  • 3Document the base image version in a comment for team awareness

References

External resources and documentation

Docker Best Practices: Image Tagging12-Factor App: DependenciesNIST SP 800-190: Container Image IntegrityCIS Docker Benchmark: Section 4.1

Similar Rules

Explore related security rules for Docker

INFO

Deprecated MAINTAINER Instruction

MAINTAINER instruction is deprecated. Use LABEL org.opencontainers.image.authors instead.

LOW

apt-get Without --no-install-recommends

apt-get install without --no-install-recommends. This installs unnecessary packages, increasing image size and attack surface.

MEDIUM

Avoid apt-get upgrade

Avoid apt-get upgrade in Dockerfiles. Use specific base image versions instead.

Frequently Asked Questions

Common questions about Base Image Uses :latest Tag

The :latest tag is mutable and can point to different images over time. Your build may break or introduce vulnerabilities when the upstream image changes without your knowledge.
Digest pinning uses the SHA256 hash of a specific image layer (e.g., python:3.11@sha256:abc123...). Unlike tags, digests are immutable and guarantee you always pull the exact same image.

New feature

Get these findings posted directly on your GitHub pull requests

The Base Image Uses :latest Tag rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works
Back to Best PracticeAll Languages →