rspec/rules/S7023/docker/rule.adoc

In Dockerfiles, it is recommended to use digests to pin versions of base images. This practice ensures that you are always using the exact version of the base image that you intend to use, making your Docker image builds reproducible.

== Why is this an issue?

If you're using tags to specify the version of your base image, you might not get the same image every time. Tags are mutable, meaning they can be updated to point to a different image. This can lead to inconsistencies between builds, making it difficult to reproduce bugs or replicate your environment. Moreover, if an attacker gains control of the repository, they could replace the image with a compromised one. Using a digest to pin the version of your base image can mitigate this risk.

== How to fix it

Instead of using tags like `FROM <image>:<tag>`, you should use the digest like so: `FROM image@sha256:<digest>`. The digest can be retrieved from Docker CLI or looked up in the Docker registry.

=== Code examples

==== Noncompliant code example

[source,docker,diff-id=1,diff-type=noncompliant]
----
FROM ubuntu:20.04
ENTRYPOINT ["echo", "Hello, World!"]
----

==== Compliant solution

[source,docker,diff-id=1,diff-type=compliant]
----
FROM ubuntu:20.04@sha256:0b897358ff6624825fb50d20ffb605ab0eaea77ced0adb8c6a4b756513dec6fc
ENTRYPOINT ["echo", "Hello, World!"]
----

== Resources

=== Documentation

* Docker Docs - https://docs.docker.com/build/building/best-practices/#pin-base-image-versions[Building best practices]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Add digest to this tag to pin the version of the base image.

=== Highlighting

Highlight the tag of the image in `FROM` instruction.

'''
== Comments And Links
(visible only on this page)

endif::env-github,rspecator-view[]