
Metadata

Id: 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Medium

Category: Supply-Chain

Description

Dockerfile FROM instructions must specify an explicit image tag or digest. A bare image name resolves to the mutable latest tag, so the same Dockerfile can silently build from different upstream content over time; pinning a tag makes builds reproducible and pinning a digest additionally guarantees the exact content, since a digest cannot be repointed by the registry owner the way a tag can.

The rule checks each Dockerfile FROM instruction: the image reference must include a tag (image:tag) or a content-addressable digest (image@sha256:<digest>). Literal image names without a tag or digest are flagged. When the image is supplied through a variable (for example, FROM $BASE or FROM ${BASE}), the corresponding ARG or ENV value must be defined and must itself contain the tag or digest; an undefined variable or a value without one is flagged as well.

Two forms are exempt: the special empty base image scratch, and FROM lines that reference a build stage declared earlier in the same Dockerfile by name (FROM builder). A name that is not a declared stage and carries neither : nor @ is reported.

Secure examples:

FROM ubuntu:20.04

ARG BASE=nginx:1.21.6
FROM ${BASE}

FROM nginx@sha256:3a1b8f2e...

The digest that a tag currently points to can be read with docker buildx imagetools inspect image:tag (or from the RepoDigests field of docker image inspect after a pull) before it is pinned in the Dockerfile.
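The following checker is an added example written for this page, not Datadog's rule implementation. It applies the logic described above to a Dockerfile: it joins backslash continuations, tracks ARG/ENV values file-wide (a simplification of Docker's stage scoping, chosen to match the description rather than the build engine), exempts scratch and previously declared stage names, and reports every other FROM whose reference has neither a tag nor a digest. The sample Dockerfiles, the registry.local:5000 hostname and the all-zero digest are constructed for the example.

```python
"""Checker for the FROM tag/digest rule (added example, not Datadog's code)."""
import re

FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?$", re.IGNORECASE)
ASSIGN_RE = re.compile(r"^(ARG|ENV)\s+(.+)$", re.IGNORECASE)
# $VAR, ${VAR} and ${VAR:-default}
VAR_RE = re.compile(r"\$\{([A-Za-z_]\w*)(?::-([^}]*))?\}|\$([A-Za-z_]\w*)")


def _logical_lines(text):
    """Yield (line_no, instruction): comments dropped, backslash
    continuations joined onto the line where the instruction starts."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start or no
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], 0
    if buf:
        yield start, " ".join(buf)


def _assignments(rest):
    """Parse `KEY=value ...` (ARG/ENV) or the legacy `ENV KEY value` form.
    `ARG NAME` with no default records nothing, so the name stays undefined."""
    tokens = rest.split()
    if len(tokens) == 2 and "=" not in tokens[0]:
        return {tokens[0]: tokens[1].strip("\"'")}
    out = {}
    for tok in tokens:
        name, sep, value = tok.partition("=")
        if sep:
            out[name] = value.strip("\"'")
    return out


def _expand(ref, variables):
    """Substitute variables in an image reference; unknown names become ''."""
    def sub(m):
        name, default = m.group(1) or m.group(3), m.group(2)
        value = variables.get(name)
        return value if value is not None else (default or "")
    return VAR_RE.sub(sub, ref)


def _is_pinned(ref):
    """True when the reference carries a digest (@) or a tag (:). Only the
    last path component is inspected so that a registry port such as
    registry.local:5000/app is not mistaken for a tag."""
    if "@" in ref:
        return True
    return ":" in ref.rsplit("/", 1)[-1]


def check_dockerfile(text):
    """Return [(line_no, reference, reason)] for every non-compliant FROM."""
    findings, variables, stages = [], {}, set()
    for no, line in _logical_lines(text):
        m = ASSIGN_RE.match(line)
        if m:
            variables.update(_assignments(m.group(2)))
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        raw_ref, alias = m.groups()
        ref = _expand(raw_ref, variables)
        if not ref:
            findings.append((no, raw_ref, "image variable is undefined"))
        elif ref == "scratch" or ref in stages:
            pass  # exempt: empty base image or a previously declared stage
        elif not _is_pinned(ref):
            findings.append((no, ref, "no tag or digest"))
        if alias:  # a stage name is usable only by FROM lines after it
            stages.add(alias)
    return findings


# Constructed samples: every compliant form from the page, then the flagged ones.
COMPLIANT = """\
ARG BASE=nginx:1.21.6
ARG FALLBACK
ENV TAG 3.12
FROM ubuntu:22.04 AS test
FROM test AS build
FROM scratch
FROM ${BASE}
FROM ${FALLBACK:-alpine:3.12}
FROM alpine:$TAG
FROM registry.local:5000/app:1.0
FROM --platform=linux/amd64 nginx@sha256:""" + "0" * 64 + "\n"  # placeholder digest

NON_COMPLIANT = """\
FROM ubuntu:22.04 AS test
FROM test AS build
FROM construction AS final
FROM alpine
ARG IMAGE
FROM $IMAGE
FROM registry.local:5000/app
"""

if __name__ == "__main__":
    for no, ref, reason in check_dockerfile(NON_COMPLIANT):
        print(f"line {no}: FROM {ref}: {reason}")
```

The registry-port case is the one most hand-written checks get wrong: a naive "contains a colon" test accepts registry.local:5000/app even though it is unpinned, which is why the tag test looks only at the last path component.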

Compliant Code Examples

# Multi-stage build: the first FROM is tagged, the later ones reference
# previously declared stage names and are exempt.
FROM ubuntu:22.04 AS test
RUN echo "hello"

FROM test AS build
RUN echo "build"

FROM build AS final
RUN echo "final"

# Tagged base image, plus a variable whose value carries the tag.
FROM alpine:3.5
RUN apk add --update py2-pip
RUN pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
ARG IMAGE=alpine:3.12
FROM $IMAGE
CMD ["python", "/usr/src/app/app.py"]

Non-Compliant Code Examples

FROM ubuntu:22.04 AS test
RUN echo "hello"

FROM test AS build
RUN echo "build"

# "construction" is not a declared stage, so it is treated as an image name
# and flagged for having no tag or digest.
FROM construction AS final
RUN echo "final"

# Bare image name: resolves to the mutable latest tag and is flagged.
FROM alpine
RUN apk add --update py2-pip
RUN pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]