This rule is deprecated; use S6596 instead.
A container image digest uniquely and immutably identifies a container image. A tag, on the other hand, is a mutable reference to a container image: it can be updated to point to another version of the image at any point in time.
Image digests are generally used instead of tags to make a system or infrastructure deterministic, for reliability reasons.
The problem is that pulling an image by digest prevents the resulting container from ever receiving the updated base image, so vulnerabilities and significant bugs fixed upstream are never patched in.
Ask Yourself Whether
- You expect to receive security updates of the base image.
There is a risk if you answer yes to this question.
Recommended Secure Coding Practices
Containers should get the latest security updates. If there is a need for determinism, the solution is to use tags that are less prone to change than latest or other shared tags.
To do so, favor a more precise tag that follows semantic versioning and targets a major (or major.minor) version, for example.
Sensitive Code Example
FROM mongo@sha256:8eb8f46e22f5ccf1feb7f0831d02032b187781b178cb971cd1222556a6cee9d1
RUN echo ls
Compliant Solution
Here, mongo:6.0 is better than using a digest, and also better than a more precise version such as 6.0.4, because pinning the patch version would prevent the 6.0.5 security update from being picked up:
FROM mongo:6.0
RUN echo ls
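The distinction the rule draws (digest, floating tag, patch-pinned tag, major or major.minor tag) can be checked mechanically. The following script is an added example and is not part of the SonarSource rule or its analyzer: it parses FROM lines of a Dockerfile, splits each image reference into repository, tag and digest, and reports the verdict this rule and its compliant solution imply. The sample Dockerfile, the verdict names and the regular expressions are assumptions made for the example; the digest is the one from the sensitive code example above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches a Dockerfile FROM line, with optional --platform flag and AS stage name.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+\S+)?\s*$",
    re.IGNORECASE,
)

# Tag shapes (hypothetical classification for this example; an optional
# "-variant" suffix such as "-alpine" is allowed on each).
PATCH_RE = re.compile(r"\d+\.\d+\.\d+(?:-[\w.]+)?")  # 6.0.4
MINOR_RE = re.compile(r"\d+\.\d+(?:-[\w.]+)?")       # 6.0
MAJOR_RE = re.compile(r"\d+(?:-[\w.]+)?")            # 6


@dataclass
class ImageRef:
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry:5000/org/image:tag@sha256:...' into its parts."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' only denotes a tag when it comes after the last '/'; before it,
    # the colon belongs to a registry port (e.g. localhost:5000/mongo).
    colon = ref.rfind(":")
    tag = None
    if colon > ref.rfind("/"):
        ref, tag = ref[:colon], ref[colon + 1:]
    return ImageRef(ref, tag, digest)


def classify(ref: ImageRef) -> str:
    """Map an image reference to the verdict this rule implies."""
    if ref.repository == "scratch":
        return "ok"             # no base image, nothing to update
    if ref.digest is not None:
        return "digest"         # immutable: base-image fixes are never received
    if ref.tag is None or ref.tag == "latest":
        return "floating"       # mutable and non-deterministic
    if PATCH_RE.fullmatch(ref.tag):
        return "patch-pinned"   # 6.0.4 blocks the 6.0.5 security release
    if MINOR_RE.fullmatch(ref.tag) or MAJOR_RE.fullmatch(ref.tag):
        return "ok"             # 6.0 or 6: deterministic enough, still patched
    return "shared"             # named tags such as 'stable': treat like latest


def lint_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, image_reference, verdict) for every FROM line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = FROM_RE.match(line)
        if match:
            ref = match.group("ref")
            findings.append((number, ref, classify(parse_image_ref(ref))))
    return findings


# Constructed sample Dockerfile covering each reference style.
SAMPLE = """\
# constructed sample for the example
FROM mongo@sha256:8eb8f46e22f5ccf1feb7f0831d02032b187781b178cb971cd1222556a6cee9d1
FROM mongo:6.0.4
FROM mongo:latest
FROM mongo
FROM --platform=linux/amd64 localhost:5000/team/mongo:6.0 AS base
FROM scratch
"""

if __name__ == "__main__":
    for number, ref, verdict in lint_dockerfile(SAMPLE):
        print(f"line {number}: {verdict:13} {ref}")
```

Only the "digest" verdict corresponds to this rule; "floating" and "patch-pinned" are reported as well because the compliant solution above explicitly prefers 6.0 over both latest and 6.0.4. The port-versus-tag colon handling matters in practice: a naive split on ':' misreads localhost:5000/team/mongo as having the tag 5000/team/mongo.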
See