dockerfile.best-practice.avoid-latest-version.avoid-latest-version

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Images should be tagged with an explicit version to produce deterministic container images. The 'latest' tag may change the base container without warning.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: avoid-latest-version
    message: Images should be tagged with an explicit version to produce
      deterministic container images. The 'latest' tag may change the base
      container without warning.
    severity: WARNING
    languages:
      - dockerfile
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3007
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3007
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    pattern: FROM $FROM:latest

Examples

avoid-latest-version.dockerfile

# ruleid: avoid-latest-version
FROM debian:latest

# ruleid: avoid-latest-version
FROM myregistry.local/testing/test-image:latest

# ruleid: avoid-latest-version
FROM debian:latest as blah

# ruleid: avoid-latest-version
FROM myregistry.local/testing/test-image:latest as blah

# ok: avoid-latest-version
FROM debian:jessie

# ok: avoid-latest-version
FROM myregistry.local/testing/test-image:42ee222

# ok: avoid-latest-version
FROM debian:jessie as blah2

# ok: avoid-latest-version
FROM myregistry.local/testing/test-image:2a4af68 as blah2