Image Version Not Explicit

• Query id: 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd
• Query name: Image Version Not Explicit
• Platform: Dockerfile
• Severity: Medium
• Category: Supply-Chain
• URL: Github

Description

Always tag the version of an image explicitly
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - dockerfile file

FROM alpine
RUN apk add --update py2-pip
RUN pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"] 

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file

FROM alpine:3.5
RUN apk add --update py2-pip
RUN pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
ARG IMAGE=alpine:3.12
FROM $IMAGE
CMD ["python", "/usr/src/app/app.py"]