This rule dictates that Docker images should always be tagged with a specific version number. In Docker, an image tag represents a particular version of an image. The use of tags allows developers to have better control over which versions of an image are being used in their projects.
This is crucial because it ensures the consistency and reliability of the Docker environment. If an image is not tagged, Docker defaults to using the ’latest’ version of the image. However, the ’latest’ tag does not guarantee that the same version of an image will be used every time, which can lead to unexpected behavior or compatibility issues.
To comply with this rule, always specify a version number when pulling a Docker image. Instead of FROM debian, write FROM debian:unstable or FROM debian:10.3. This ensures that you are using a specific version of the image, providing a more predictable and stable environment for your project.
Non-Compliant Code Examples
FROM debian
Compliant Code Examples
FROM scratchADD hello /CMD["/hello"]
FROM ${IMAGE}
FROM debian:unstable
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- docker-best-practices # Rules to enforce Docker best practices.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines
