---
title: Image version using latest
description: Datadog, the leading service for cloud-scale monitoring.
---

# Image version using latest

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `f45ea400-6bbe-4501-9fc7-1c3d75c32067`

**Cloud Provider:** Dockerfile

**Platform:** Dockerfile

**Severity:** Medium

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/develop/dev-best-practices/)

### Description{% #description %}

Using the `:latest` tag for base images makes builds non-reproducible and can silently introduce unreviewed or vulnerable changes from upstream, increasing supply-chain and runtime risk.

Check the Dockerfile `FROM` instruction: the image reference must use an explicit version tag or an immutable digest (for example, `nginx:1.21.6` or `nginx@sha256:...`) rather than `...:latest`. `scratch` base images are exempt.

This rule flags `FROM` lines that contain `:latest` (excluding `scratch`). Update them to a specific semantic version tag or pin to a digest to ensure consistent, auditable images.

Secure examples:

```Dockerfile
FROM nginx:1.21.6
```

```Dockerfile
FROM nginx@sha256:03a1c7c8f9e2d5b6a7c8e9f0a1b2c3d4e5f67890123456789abcdef0123456789
```
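
The check described above can be sketched as a small script. This is an added example, not Datadog's rule implementation; the names `classify`, `check_dockerfile` and `SAMPLE` are hypothetical. It goes slightly beyond the rule as stated by also reporting untagged references, which Docker resolves to `:latest`, and it assumes build-arg references (`$VAR`) are not expanded.

```python
import re

# FROM [--flag=value ...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)

# Constructed sample input, not taken from a real project.
SAMPLE = """\
FROM alpine:latest AS build
FROM --platform=linux/amd64 localhost:5000/tools/nginx
FROM nginx@sha256:<digest>
FROM build
FROM scratch
FROM alpine:3.5
"""

def classify(image, stages):
    """Return 'ok', 'latest' or 'untagged' for one FROM image reference."""
    if image.lower() == "scratch" or image.lower() in stages:
        return "ok"          # exempt: empty base image or an earlier build stage
    if "@" in image:
        return "ok"          # pinned to an immutable digest
    if "$" in image:
        return "ok"          # assumption: build-arg references are not resolved here
    # Only the last path component carries a tag; an earlier colon
    # (localhost:5000/...) is a registry port, not a tag.
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return "untagged"    # Docker resolves a missing tag to :latest
    return "latest" if last.split(":", 1)[1] == "latest" else "ok"

def check_dockerfile(text):
    """Return (line_number, image, finding) for each FROM line that is not pinned."""
    findings, stages = [], set()
    for num, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue         # not a FROM instruction (comments included)
        image, alias = m.group(1), m.group(2)
        verdict = classify(image, stages)
        if verdict != "ok":
            findings.append((num, image, verdict))
        if alias:
            stages.add(alias.lower())
    return findings

if __name__ == "__main__":
    for num, image, verdict in check_dockerfile(SAMPLE):
        print(f"line {num}: {image} ({verdict})")
```
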

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM alpine:latest
RUN apk add --update py2-pip
RUN pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
```
