# DOCKER-BP-015: Missing Image Version

> **Severity:** HIGH | **CWE:** CWE-1188

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-015
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-015 --project .`

## Description

Detects FROM instructions that use the 'latest' tag or no tag at all (an untagged
reference resolves to 'latest'). Using latest or untagged base images creates
non-reproducible builds and potential security and stability issues, because the
image behind the tag can change between builds without any change to the Dockerfile.

## Vulnerable Code

```dockerfile
FROM ubuntu          # No tag = latest
FROM nginx:latest    # Explicit latest
```

## Secure Code

```dockerfile
FROM ubuntu:22.04
FROM nginx:1.24.0-alpine
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction
from rules.container_combinators import any_of


@dockerfile_rule(
    id="DOCKER-BP-015",
    name="Missing Image Version",
    severity="HIGH",
    cwe="CWE-1188",
    category="best-practice",
    tags="docker,dockerfile,from,image,tag,version,latest,reproducibility,best-practice,supply-chain,dependency-management",
    message="FROM instruction uses 'latest' tag or no tag. Specify explicit versions for reproducible builds."
)
def missing_image_version():
    return any_of(
        instruction(type="FROM", image_tag="latest"),
        instruction(type="FROM", missing_digest=True)
    )
```

## How to Fix

- Pin base images to specific version tags (e.g., python:3.11-slim instead of python:latest)
- Use digest pinning (@sha256:...) for maximum reproducibility
- Document the base image version in a comment for team awareness
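The check above expressed in plain Python, as an added example that is not Code Pathfinder's own code or SDK: it scans FROM lines, treats digest-pinned references as safe, and handles the cases a naive check gets wrong (registry hosts with a port such as `localhost:5000/img`, `--platform` flags, `FROM scratch`, and references to earlier build-stage aliases). The sample Dockerfile is constructed for the demo.

```python
import re

# Constructed sample Dockerfile (not from the page); line 7 is digest-pinned.
SAMPLE_DOCKERFILE = """\
FROM ubuntu
FROM nginx:latest
FROM --platform=linux/amd64 python:3.11-slim AS builder
FROM localhost:5000/internal-base
FROM builder
FROM scratch
FROM ghcr.io/example/app:1.2.3@sha256:{0}
""".format("a" * 64)

# FROM [--flag ...] <reference> [AS <alias>]
_FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)


def parse_reference(ref):
    """Split an image reference into (name, tag, digest).

    The tag is whatever follows the last ':' in the final path component, so a
    registry port such as localhost:5000/img is not mistaken for a tag.
    """
    name, _, digest = ref.partition("@")
    last = name.rsplit("/", 1)[-1]
    tag = None
    if ":" in last:
        name, tag = name.rsplit(":", 1)
    return name, tag, digest or None


def find_unpinned_from(dockerfile_text):
    """Return (line_no, reference, reason) for FROM lines that are not version-pinned."""
    findings = []
    stage_aliases = set()
    for line_no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stage_aliases.add(alias.lower())
        # Earlier build stages and the empty 'scratch' image have no upstream version to pin.
        if ref.lower() in stage_aliases or ref.lower() == "scratch":
            continue
        _name, tag, digest = parse_reference(ref)
        if digest:
            continue  # digest-pinned references are immutable, so no finding
        if tag is None:
            findings.append((line_no, ref, "no tag (defaults to latest)"))
        elif tag == "latest":
            findings.append((line_no, ref, "explicit latest tag"))
    return findings
```

Run on the sample, it flags lines 1, 2 and 4 only; references built from ARG variables (`FROM ${BASE}`) are outside what this example resolves.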

## FAQ

**Q: Why should I avoid the :latest tag?**

The :latest tag is mutable and can point to different images over time. Your build may break or introduce vulnerabilities when the upstream image changes without your knowledge.

**Q: What is digest pinning?**

Digest pinning uses the SHA256 hash of a specific image layer (e.g., python:3.11@sha256:abc123...). Unlike tags, digests are immutable and guarantee you always pull the exact same image.

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-015
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
