Ensure the pipeline image uses a non latest version tag
Description
This policy checks whether the pipeline image uses a non-'latest' version tag. Using the 'latest' tag can lead to unpredictable behavior and potential security vulnerabilities, as the image version may change without notice. It's essential to specify a fixed version tag to ensure consistency and reliability in the pipeline. By doing so, you can avoid potential issues and ensure that your pipeline always uses the intended image version.
Code Example
```yaml
image: node:14.17.0
```
Remediation
Specify a fixed version tag for the pipeline image instead of using the 'latest' tag.
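The check described above, written out in Python as an added example (this is not Checkov's code for the rule). It assumes the pipeline file is already parsed into a dict; `SAMPLE`, `image_tag_status`, `find_images` and `violations` are names made up for the example. It goes slightly beyond the page by also flagging untagged images, which Docker resolves to `latest`, and by accepting digest-pinned references.

```python
# Added example: flag pipeline images that resolve to the mutable 'latest' tag.
# SAMPLE is constructed data shaped like a parsed bitbucket-pipelines.yml.

def image_tag_status(ref):
    """Classify an image reference as 'pinned', 'latest' or 'untagged'."""
    if "@" in ref:                     # digest pin, e.g. node@sha256:<digest>
        return "pinned"
    last = ref.rsplit("/", 1)[-1]      # a ':' before the last '/' is a registry port
    if ":" not in last:
        return "untagged"              # Docker resolves a missing tag to 'latest'
    tag = last.rsplit(":", 1)[1]
    return "latest" if tag == "latest" else "pinned"

def find_images(node, path=""):
    """Yield (path, reference) for every 'image' key in the parsed pipeline."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "image":
                # The image may be a plain string or a mapping with a 'name' field
                ref = value.get("name") if isinstance(value, dict) else value
                if isinstance(ref, str):
                    yield here, ref
            else:
                yield from find_images(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_images(item, f"{path}[{i}]")

def violations(pipeline):
    """Return [(path, reference, status)] for images not pinned to a version."""
    return [(p, r, s) for p, r in find_images(pipeline)
            if (s := image_tag_status(r)) != "pinned"]

SAMPLE = {
    "image": "node:14.17.0",
    "pipelines": {
        "default": [
            {"step": {"image": "node:latest", "script": ["npm test"]}},
            {"step": {"image": {"name": "registry.example.com:5000/build"}, "script": ["make"]}},
            {"step": {"image": "python", "script": ["pytest"]}},
        ],
    },
}

if __name__ == "__main__":
    for path, ref, status in violations(SAMPLE):
        print(f"{path}: {ref} ({status})")
```

The registry-with-port case is the one a plain "does the string contain a colon" test gets wrong: `registry.example.com:5000/build` has a colon but no tag.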
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0821 |
| Severity | MEDIUM |
| IaC Type | bitbucket_pipelines |
| Frameworks | [{image:image,startline:startline,endline:endline}], pipelines..[][][][].step.{image: image, startline: startline, endline:endline}, pipelines.default[].step. |
| Checkov ID | CKV_BITBUCKETPIPELINES_1 |