Missing Image Version

HIGH

FROM instruction uses 'latest' tag or no tag. Specify explicit versions for reproducible builds.

Rule Information

Language
Docker
Category
Best Practice
Author
Shivasurya
Last Updated
2026-03-22
Tags
docker, dockerfile, from, image, tag, version, latest, reproducibility, best-practice, supply-chain, dependency-management
CWE References

Interactive Playground

pathfinder scan --ruleset docker/DOCKER-BP-015 --project .

About This Rule

Understanding the vulnerability and how it is detected

Detects FROM instructions that use the 'latest' tag or no tag at all. Because an untagged reference resolves to 'latest', both forms pull a mutable image, which makes builds non-reproducible and lets an upstream change introduce breakage or vulnerabilities without any change to your Dockerfile.

How to Fix

Recommended remediation steps

  • Pin base images to specific version tags (e.g., python:3.11-slim instead of python:latest)
  • Use digest pinning (@sha256:...) for maximum reproducibility
  • Document the base image version in a comment for team awareness

Frequently Asked Questions

Common questions about Missing Image Version

The :latest tag is mutable and can point to different images over time. Your build may break or introduce vulnerabilities when the upstream image changes without your knowledge.

Digest pinning uses the SHA256 hash of a specific image manifest (e.g., python:3.11@sha256:abc123...). Unlike tags, digests are immutable and guarantee you always pull the exact same image.
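The check described above and the tag-versus-digest distinction from the FAQ, as an added example written here (it is not pathfinder's rule.py): a small Dockerfile scanner that flags untagged and :latest base images while accepting digest-pinned references, registry hosts with a port, build-stage aliases and scratch. The Dockerfile it scans is constructed inline.

```python
import re
from typing import List, Tuple

# Constructed sample Dockerfile (not taken from the original page); the digest is a placeholder.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM python:latest
FROM node
FROM --platform=linux/amd64 golang:1.22-alpine AS builder
FROM localhost:5000/internal/base
FROM python:3.11-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM scratch
FROM builder
"""

# FROM [--flag=value ...] <image> [AS <stage>]
FROM_RE = re.compile(r'^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$', re.IGNORECASE)


def image_is_pinned(ref: str) -> bool:
    """True if the image reference carries a digest or an explicit, non-latest tag."""
    if '@' in ref:
        return True  # digest-pinned (name@sha256:...): immutable
    # Only the last path component can carry a tag; in 'localhost:5000/img'
    # the colon belongs to the registry port, so that reference is untagged.
    name = ref.rsplit('/', 1)[-1]
    if ':' not in name:
        return False
    tag = name.split(':', 1)[1]
    return tag != 'latest'


def check_dockerfile(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, image_ref) for every FROM that violates the rule."""
    findings = []
    stage_names = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stage_names.add(alias.lower())
        if ref == 'scratch' or ref.lower() in stage_names:
            continue  # empty base image, or a reference to an earlier build stage
        if not image_is_pinned(ref):
            findings.append((lineno, ref))
    return findings


if __name__ == '__main__':
    for lineno, ref in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f'line {lineno}: unpinned base image {ref!r}')
```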

New feature

Get these findings posted directly on your GitHub pull requests

The Missing Image Version rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.
