---
title: apt-get install pin version not defined
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > apt-get install pin version not defined
---

# apt-get install pin version not defined

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `dockerfile-apt-get-install-pin-version-not-defined` 

**Platform:** Dockerfile

**Severity:** Medium

**Category:** Supply-Chain

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)

### Description{% #description %}

Installing packages in a Dockerfile without pinning versions can lead to unintentional upgrades or supply-chain changes that introduce vulnerabilities or break reproducible builds.

This rule inspects Dockerfile `RUN` instructions that invoke `apt-get install` and flags any package tokens that do not include an explicit version (for APT, the expected form is `name=version`). Resources with packages missing `=version` will be reported. Ensure every package in the `apt-get install` invocation is pinned to a specific version instead of relying on the distribution's default.

Secure example:

```dockerfile
RUN apt-get update && apt-get install -y \
  curl=7.68.0-1ubuntu2 \
  nginx=1.18.0-0ubuntu1
```

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM busybox
RUN apt-get install python=2.7
```

```dockerfile
FROM busyboxneg2
RUN apt-get install python=2.7

FROM busyboxneg3
RUN apt-get install -y -t python=2.7

FROM busyboxneg4
RUN apt-get update; \
    apt-get install -y \
    python-qt4=4.11 \
    python-pyside=6.0.1 \
    python-pip=1.0.2 \
    python3-pip=1.0 \
    python3-pyqt5=5
```

```dockerfile
FROM busybox
RUN apt-get install python=2.7 ; echo "A" && echo "B"
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM busybox
RUN apt-get install python
RUN ["apt-get", "install", "python"]

FROM busybox2
RUN apt-get install -y -t python

FROM busybox3
RUN apt-get update && apt-get install -y \
    python-qt4 \
    python-pyside \
    python-pip \
    python3-pip \
    python3-pyqt5
```

```dockerfile
FROM busybox4
RUN apt-get install python
RUN ["apt-get", "install", "python"]

FROM busybox5
RUN apt-get install -y -t python

FROM busybox6
RUN apt-get update ; \
    apt-get install -y \
    python-qt4 \
    python-pyside \
    python-pip \
    python3-pip \
    python3-pyqt5
```