Always pin versions in apt-get install

Docs > Code Analysis > Static Analysis Rules > Always pin versions in apt-get install

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: docker-best-practices/apt-pin-version

Language: Docker

Severity: Notice

Category: Best Practices

Description

When using apt-get install, pin the version to avoid unwanted upgrades and undefined behavior.

Non-Compliant Code Examples

FROM debian:12

RUN set -eux; \
    apt-get update; \
    apt-get install -y curl git gcc g++ make cmake; \
    rm -rf /var/cache/apt/archives /var/lib/apt/lists/*

FROM debian:12
RUN apt-get install python

RUN apt-get update && \
    apt-get install -y --no-install-recommends openjdk-19-jdk && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/ /var/cache/oracle*

Compliant Code Examples

FROM debian:12
RUN apt-get install python=3.11