Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Docker static code analysis

Unique rules to find Vulnerabilities, Security Hotspots, and Code Smells in your DOCKER code

Use digest to pin versions of base images

consistency - conventional

maintainability

reliability

security

Code Smell

MajorSonarSource default severity
click to learn more

In Dockerfiles, it is recommended to use digests to pin versions of base images. This practice ensures that you are always using the exact version of the base image that you intend to use, making your Docker image builds reproducible.

Why is this an issue?

How can I fix it?

More Info

If you’re using tags to specify the version of your base image, you might not get the same image every time. Tags are mutable, meaning they can be updated to point to a different image. This can lead to inconsistencies between builds, making it difficult to reproduce bugs or replicate your environment. Moreover, if an attacker gains control of the repository, they could replace the image with a compromised one. Using a digest to pin the version of your base image can mitigate this risk.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted