dockerfile.audit.dockerfile-source-not-pinned.dockerfile-source-not-pinned

To ensure reproducible builds, pin Dockerfile FROM commands to a specific hash. You can find the hash by running docker pull $IMAGE and then specify it with $IMAGE:$VERSION@sha256:<hash goes here>
Definition
rules:
  - id: dockerfile-source-not-pinned
    patterns:
      - pattern-either:
          # Case 1: something follows "@", but it is not a sha256 digest
          - patterns:
              - pattern: FROM $IMAGE:$VERSION@$HASH
              - metavariable-regex:
                  metavariable: $HASH
                  regex: (?!sha256:)
          # Case 2: no "@<digest>" at all (bare image or image:tag)
          - patterns:
              - pattern: FROM $IMAGE
              - pattern: FROM $IMAGE:$VERSION
              - pattern-not-inside: FROM $IMAGE:$VERSION@$HASH
    message: To ensure reproducible builds, pin Dockerfile `FROM` commands to a
      specific hash. You can find the hash by running `docker pull $IMAGE` and
      then specify it with `$IMAGE:$VERSION@sha256:<hash goes here>`
    languages:
      - dockerfile
    severity: INFO
    metadata:
      references:
        - https://stackoverflow.com/a/33511811/4965
      category: best-practice
      technology:
        - docker
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
dockerfile-source-not-pinned.dockerfile
# ruleid: dockerfile-source-not-pinned
FROM ocaml/opam2:debian-stable
# ok: dockerfile-source-not-pinned
# The docker base image below in the FROM currently uses OCaml 4.12.0
# ruleid: dockerfile-source-not-pinned
FROM returntocorp/ocaml:alpine-2021-07-15 as build-semgrep-core
# ruleid: dockerfile-source-not-pinned
FROM python:3.10.1-alpine3.15
# ruleid: dockerfile-source-not-pinned
FROM python:3.10.1-alpine3.15@v1
# ruleid: dockerfile-source-not-pinned
FROM python:3.10.1-alpine3.15@sha256
# ok: dockerfile-source-not-pinned
FROM python:3.10.1-alpine3.15@sha256:4be65b406f7402b5c4fd5df7173d2fd7ea3fdaa74d9c43b6ebd896197a45c448
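The same digest-pinning check, re-implemented as an added stand-alone Python example (not the Semgrep rule or the semgrep-rules project's code) so the ruleid/ok outcomes of the test file above can be reproduced without Semgrep. It goes slightly beyond the rule by tolerating `--platform` flags and by skipping a FROM that names an earlier build stage; both of those behaviours and the constructed sample Dockerfile are assumptions of this example.

```python
import re

# Pinned means "@sha256:<64 hex chars>" at the end of the reference; "@v1" or
# a bare "@sha256" is not pinned, matching the rule's regex on $HASH.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# FROM [--platform=<p>] <reference> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+as\s+(\S+))?\s*$", re.I)


def unpinned_from_lines(dockerfile_text):
    """Return (line_number, reference) for each FROM not pinned to a digest.

    Assumption beyond the page's rule: a FROM that names a build stage
    declared earlier in the same file is skipped, as a stage has no digest.
    """
    findings = []
    stages = set()
    for lineno, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if ref.lower() in stages:
            continue  # reference to an earlier stage, nothing to pin
        if not DIGEST_RE.search(ref):
            findings.append((lineno, ref))
    return findings


# Constructed sample mirroring the page's test file (five unpinned, one pinned)
# plus one stage reference that must not be reported.
SAMPLE = """\
FROM ocaml/opam2:debian-stable
FROM returntocorp/ocaml:alpine-2021-07-15 as build-semgrep-core
FROM python:3.10.1-alpine3.15
FROM python:3.10.1-alpine3.15@v1
FROM python:3.10.1-alpine3.15@sha256
FROM python:3.10.1-alpine3.15@sha256:4be65b406f7402b5c4fd5df7173d2fd7ea3fdaa74d9c43b6ebd896197a45c448
FROM build-semgrep-core
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_from_lines(SAMPLE):
        print(f"line {lineno}: FROM {ref} is not pinned to a sha256 digest")
```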
Short Link: https://sg.run/RgD8