Docker Unpinned Docker Image
Description
Unpinned Docker images pose a security risk because a mutable image reference lets the base image change underneath a build without any explicit version control. Non-specific references (such as the 'latest' tag, or no tag at all) can pull an unintended or potentially malicious version of the image, compromising the container's security and reproducibility.
Detection Strategy
• Scan the Dockerfile content for FROM instructions that reference a Docker image
• Treat the reference as pinned only if it carries a SHA-256 digest (`@sha256:...`) or is a build variable reference (for example `${BASE_IMAGE}`)
• Ignore any image references that are aliases of earlier stages in a multi-stage build
• Report a vulnerability for every remaining FROM statement, since its image reference is unpinned (e.g., it uses the latest tag or no explicit version)
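The detection strategy above, as an added Python example that is not Fluid Attacks' own scanner: it walks the FROM instructions of a constructed sample Dockerfile, treats a sha256 digest or a build-argument variable as pinned, skips references to earlier stage aliases, and reports everything else with its line number.

```python
import re

# Constructed sample Dockerfile (assumption, not taken from a real project).
SAMPLE_DOCKERFILE = """\
ARG BASE=node:18.17.1-alpine3.18
FROM node
FROM node:12
FROM node:latest AS deps
FROM ${BASE} AS builder
FROM node:18.17.1-alpine3.18@sha256:c7620fdecfefb96813da62519897808775230386f4c8482e972e37b8b18cb460 AS runtime
FROM deps
"""

# FROM [--platform=...] <image> [AS <stage>]; comment lines never match.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
# A content-addressed reference ends in a 64-hex-digit sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# $VAR or ${VAR} or ${VAR:-default}: resolved from ARG, so not judged here.
VARIABLE_RE = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")


def is_pinned(ref):
    """Pinned means a digest is present or the reference is a build variable."""
    return bool(DIGEST_RE.search(ref)) or bool(VARIABLE_RE.search(ref))


def find_unpinned(dockerfile_text):
    """Return [(line_number, image_reference)] for every unpinned FROM."""
    findings = []
    aliases = set()  # stage names seen so far; Docker treats them case-insensitively
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            aliases.add(alias.lower())
        if ref.lower() in aliases:
            continue  # reuses an earlier stage, not a registry pull
        if not is_pinned(ref):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: unpinned image reference '{ref}'")
```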
Vulnerable code example
# Dockerfile with insecure base image specifications
# Vulnerable: no tag at all, so the 'latest' tag is used implicitly and nothing is pinned
FROM node
# The default node images are Debian-based, so packages come from apt-get rather than apk
RUN apt-get update && apt-get install -y --no-install-recommends python3 g++ make
# Vulnerable: incomplete version pinning (no patch version and no digest, so the tag can still move)
FROM node:12
RUN apt-get update && apt-get install -y --no-install-recommends python3 g++ make
...
✅ Secure code example
# Dockerfile with secure base image specifications
# SAFE: Pinned to specific version with SHA256 digest for immutability
FROM node:18.17.1-alpine3.18@sha256:c7620fdecfefb96813da62519897808775230386f4c8482e972e37b8b18cb460
RUN apk add --no-cache python3 g++ make
# Multi-stage build to reduce attack surface
FROM node:18.17.1-alpine3.18@sha256:c7620fdecfefb96813da62519897808775230386f4c8482e972e37b8b18cb460 AS builder
...