Image tag is not set to Fixed
Description
You can add a fixed tag to a container image, making it easier to determine what it contains, for example by specifying the version. Container image tags and digests are used to refer to a specific version or instance of a container image. We recommend you avoid using the :latest tag or a blank tag when deploying containers in production, as it is harder to track which version of the image is running and more difficult to roll back properly.
Code Example
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
  containers:
  - name: <container name>
+   image: <image>:<image version>
-   image: <image>
-   image: <image>:latest
```
Remediation
Kubernetes
Resource: Container
Argument: image:tag (Optional)
Defines the image version by a specific number or by using latest.
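The rule described above can be approximated with a short check over a Pod manifest. This is an added example, not Checkov's own implementation of CKV_K8S_14; the function names and the sample Pod (including its image names) are constructed for illustration. It covers two cases that a naive search for `:` misses: a registry port with no tag, and a reference pinned by digest.

```python
# Added example: not Checkov's implementation of CKV_K8S_14.

def image_tag(image: str):
    """Return the tag of an image reference, or None if no tag is present."""
    name = image.split("@", 1)[0]        # drop any @sha256:... digest
    last = name.rsplit("/", 1)[-1]       # a ':' before the last '/' is a registry port
    return last.split(":", 1)[1] if ":" in last else None

def is_fixed(image: str) -> bool:
    """True if the reference is pinned by digest or by a tag other than 'latest'."""
    if "@" in image:
        return True
    return image_tag(image) not in (None, "", "latest")

def unfixed_containers(manifest: dict) -> list:
    """List (container name, image) pairs in a Pod manifest that break the rule."""
    spec = manifest.get("spec", {})
    findings = []
    for key in ("initContainers", "containers"):
        for c in spec.get(key) or []:
            image = c.get("image", "")
            if not is_fixed(image):
                findings.append((c.get("name"), image))
    return findings

# Constructed sample Pod (names and images are made up for illustration).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "containers": [
            {"name": "pinned", "image": "nginx:1.25.3"},
            {"name": "untagged", "image": "nginx"},
            {"name": "latest", "image": "nginx:latest"},
            {"name": "port-no-tag", "image": "registry.example.com:5000/app"},
            {"name": "by-digest", "image": "registry.example.com/app@sha256:" + "0" * 64},
        ]
    },
}

if __name__ == "__main__":
    for name, image in unfixed_containers(SAMPLE_POD):
        print(f"FAIL {name}: {image!r} has no fixed tag")
```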
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1092 |
| Severity | LOW |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes |
| Checkov ID | CKV_K8S_14 |