Ensure the pipeline image version is referenced via hash not arbitrary tag.
Description
This policy checks whether the pipeline image version is referenced via a digest (hash) instead of an arbitrary tag. A digest identifies one immutable image, so the job always runs the exact image content that was reviewed, which reduces the risk of unexpected changes or newly introduced vulnerabilities. A mutable tag such as 'latest' can be re-pointed to different content at any time, so it may lead to unpredictable behavior or security issues. Use a digest reference to keep the pipeline consistent and secure.
Code Example
```yaml
jobs:
  build-and-test:
    docker:
      - image: circleci/python:3.9.5@sha256:49d99a73124e6ca6e7682710c6f80f7f5a43e33d5c0f9d5b3d8a6a7b8c9d0e1
```
Remediation
Update the image reference to use a specific hash version instead of an arbitrary tag.
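An added illustration of the check described above (example code, not Checkov's own implementation): a small Python script that walks the `jobs.*.docker[].image` entries of a CircleCI config and reports every reference that is not pinned by a full sha256 digest. The sample config is constructed here and is assumed to already be parsed into a dict, as `yaml.safe_load` would return it.

```python
import re

# A pinned reference ends in "@sha256:" followed by exactly 64 hex digits.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample config, already parsed as yaml.safe_load would produce it.
# The digest on the first image is a placeholder, not a real image digest.
SAMPLE_CONFIG = {
    "version": 2.1,
    "jobs": {
        "build-and-test": {
            "docker": [
                {"image": "circleci/python:3.9.5@sha256:" + "a" * 64},
            ],
        },
        "lint": {
            "docker": [
                {"image": "cimg/node:18.17"},   # tag only, mutable
                {"image": "redis:latest"},      # floating tag, mutable
            ],
        },
        "deploy": {
            # machine executors are outside jobs.*.docker[] and are skipped
            "machine": {"image": "ubuntu-2204:current"},
        },
    },
}


def is_digest_pinned(image_ref: str) -> bool:
    """True if the image reference is pinned by an immutable sha256 digest."""
    return DIGEST_RE.search(image_ref) is not None


def find_unpinned_images(config: dict) -> list:
    """Return (job_name, image_ref) pairs for docker executors not pinned by digest."""
    findings = []
    for job_name, job in (config.get("jobs") or {}).items():
        if not isinstance(job, dict):
            continue
        for executor in job.get("docker") or []:
            image_ref = executor.get("image") if isinstance(executor, dict) else None
            if image_ref and not is_digest_pinned(image_ref):
                findings.append((job_name, image_ref))
    return findings


if __name__ == "__main__":
    for job_name, image_ref in find_unpinned_images(SAMPLE_CONFIG):
        print(f"{job_name}: {image_ref} is not pinned by digest")
```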
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0823 |
| Severity | MEDIUM |
| IaC Type | circleci_pipelines |
| Frameworks | jobs.*.docker[]. |
| Checkov ID | CKV_CIRCLECIPIPELINES_2 |