Ensure container job uses a version digest
Description
This policy checks whether a container job in an Azure pipeline references its image by a version digest. A digest pins the job to one specific, immutable image, so a tag that is later re-pointed cannot silently change what the job runs; this reduces the risk of unexpected changes or vulnerabilities, helps prevent supply chain attacks, and protects the integrity of the build process. Because the pipeline always runs the same image, builds are also reproducible and easier to debug.
Code Example
```yaml
jobs:
- job: build
  container: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine@sha256:627a97bbaa6e4a4c66d5fcd83511326d3be7d1f5874b9b5e6f5d9f4a12345678
```
Remediation
Update the container image reference to use a version digest by appending the digest value to the image name, separated by an '@' symbol (for example `image:tag@sha256:<digest>`).
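The following added example (not part of this policy page or of Checkov) shows the check in code: it walks the two frameworks the rule covers, `jobs[]` and `stages[].jobs[]`, and reports every container job whose image is not pinned with `@sha256:<digest>`. It operates on the dict that `yaml.safe_load` returns for a pipeline file; the sample pipeline is constructed inline, and aliases that refer to `resources.containers` are not resolved.

```python
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

# An image reference pinned by digest ends in "@sha256:<64 hex chars>".
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def container_image(container: Any) -> Optional[str]:
    """Image reference from a job's `container` entry (string or mapping with
    `image`), or None. A `resources.containers` alias is not resolved here."""
    if isinstance(container, str):
        return container
    if isinstance(container, dict) and isinstance(container.get("image"), str):
        return container["image"]
    return None

def iter_jobs(pipeline: Dict[str, Any]) -> Iterator[Tuple[str, Any]]:
    """Yield (path, job) for both frameworks the rule covers: jobs[] and stages[].jobs[]."""
    for i, job in enumerate(pipeline.get("jobs") or []):
        yield f"jobs[{i}]", job
    for s, stage in enumerate(pipeline.get("stages") or []):
        for i, job in enumerate((stage or {}).get("jobs") or []):
            yield f"stages[{s}].jobs[{i}]", job

def find_unpinned_containers(pipeline: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (path, image) for every container job whose image lacks a digest."""
    findings = []
    for path, job in iter_jobs(pipeline):
        image = container_image(job.get("container")) if isinstance(job, dict) else None
        if image is not None and not DIGEST_RE.search(image):
            findings.append((path, image))
    return findings

# Constructed sample: the dict yaml.safe_load would return for a pipeline with
# a digest-pinned job, a tag-only job, a mapping-form job and a host-only job.
PINNED = ("mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine@sha256:"
          "627a97bbaa6e4a4c66d5fcd83511326d3be7d1f5874b9b5e6f5d9f4a12345678")
SAMPLE = {
    "jobs": [
        {"job": "pinned", "container": PINNED},
        {"job": "tag_only", "container": "ubuntu:20.04"},
    ],
    "stages": [{"stage": "test", "jobs": [
        {"job": "mapped", "container": {"image": "python:3.11", "options": "--cpus 2"}},
        {"job": "hosted"},  # no container key: runs on the agent host, out of scope
    ]}],
}

if __name__ == "__main__":
    for path, image in find_unpinned_containers(SAMPLE):
        print(f"{path}: {image} is not pinned to a digest")
```

Running it reports `jobs[1]` and `stages[0].jobs[0]` as unpinned; the host-only job is skipped because the rule applies only to jobs that declare a container.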
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0816 |
| Severity | MEDIUM |
| IaC Type | Azure Pipelines |
| Frameworks | jobs, stages[].jobs[] |
| Checkov ID | CKV_AZUREPIPELINES_2 |