Ensure container job uses a non latest version tag
Description
This policy checks whether each container job in an Azure Pipelines definition references its image with a version tag other than 'latest'. Using the 'latest' tag can lead to unpredictable behavior and potential security vulnerabilities, because the image behind that tag may change without notice. Specifying a fixed version tag or an image digest ensures that the pipeline always pulls the same image, which gives you reproducible builds and reduces the risk of unexpected changes or newly introduced vulnerabilities.
Code Example
```yaml
jobs:
- job: build
  container:
    # Pinned to an explicit version tag rather than 'latest'
    image: node:14.17.0
```
Remediation
Specify a fixed version or digest for the container image instead of using the 'latest' tag.
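The check this policy describes, as an added example that is not Checkov's own implementation: a small Python routine that walks the `jobs` and `stages[].jobs[]` locations listed in the rule details and reports every container job whose image is not pinned. It assumes the pipeline has already been parsed into Python dicts (the shape `yaml.safe_load` produces from a pipeline file); the two sample pipelines are constructed here for illustration. It goes slightly beyond the page's stated case in two ways: an image reference with no tag at all is also reported, since a registry resolves it to `latest`, and a digest reference (`name@sha256:...`) is accepted as pinned, matching the remediation text.

```python
# Added example (not Checkov's implementation): walk an Azure Pipelines
# definition and report container jobs whose image tag is 'latest' or absent.
from typing import Iterator, Optional, Tuple

# Constructed sample: two pipelines already parsed from YAML (as yaml.safe_load
# would return them), one that should fail this policy and one that should pass.
FAILING_PIPELINE = {
    "jobs": [
        {"job": "build", "container": {"image": "node:latest"}},
    ],
    "stages": [
        {"stage": "test", "jobs": [
            # registry with a port, but the image itself is pinned
            {"job": "unit", "container": "localhost:5000/node:14.17.0"},
            # no tag at all resolves to 'latest' at pull time
            {"job": "lint", "container": {"image": "python"}},
            # not a container job, so the rule does not apply
            {"job": "script_only", "steps": [{"script": "echo hi"}]},
        ]},
    ],
}

PASSING_PIPELINE = {
    "jobs": [
        {"job": "build", "container": {"image": "node:14.17.0"}},
        # constructed placeholder digest: a digest reference is immutable
        {"job": "scan", "container": {"image": "example.com/scanner@sha256:" + "0" * 64}},
    ],
}


def image_is_pinned(image: str) -> bool:
    """True when the reference carries a digest or a tag other than 'latest'."""
    # Drop registry and namespace so a registry port (host:5000/...) is not
    # mistaken for a tag; only the final path component holds the tag/digest.
    name = image.rsplit("/", 1)[-1]
    if "@" in name:
        return True   # digest reference (name@sha256:<hex>) cannot drift
    if ":" not in name:
        return False  # missing tag is an implicit 'latest'
    tag = name.rsplit(":", 1)[1]
    return tag != "latest"


def iter_jobs(pipeline: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (path, job) for the two job locations this rule covers."""
    for i, job in enumerate(pipeline.get("jobs") or []):
        yield f"jobs[{i}]", job
    for s, stage in enumerate(pipeline.get("stages") or []):
        for j, job in enumerate(stage.get("jobs") or []):
            yield f"stages[{s}].jobs[{j}]", job


def container_image(job: dict) -> Optional[str]:
    """Return the image of a container job, or None for a non-container job."""
    container = job.get("container")
    if isinstance(container, dict):
        return container.get("image")
    if isinstance(container, str):
        # Shorthand form 'container: image:tag'. The shorthand may instead name a
        # resources.containers alias, which this example would report as
        # unpinned; resolve aliases first if your pipelines use them.
        return container
    return None


def find_latest_tag_violations(pipeline: dict) -> list:
    """Return (path, job name, image) for each container job not pinned to a version or digest."""
    findings = []
    for path, job in iter_jobs(pipeline):
        image = container_image(job)
        if image is not None and not image_is_pinned(image):
            findings.append((path, job.get("job", "<unnamed>"), image))
    return findings


if __name__ == "__main__":
    for path, name, image in find_latest_tag_violations(FAILING_PIPELINE):
        print(f"IAC-0815 FAIL {path} (job '{name}'): image '{image}' is not pinned")
    print("passing pipeline findings:", find_latest_tag_violations(PASSING_PIPELINE))
```

The registry/namespace is stripped before looking for the tag so that a private registry with a port (`localhost:5000/node`) is not mistaken for a tagged image; that is the usual false-negative trap when writing this check as a simple "contains a colon" test.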
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0815 |
| Severity | MEDIUM |
| IaC Type | Azure Pipelines |
| Frameworks | jobs, stages[].jobs[] |
| Checkov ID | CKV_AZUREPIPELINES_1 |