Yaml Missing Image Digest
Description
Detects Docker images referenced in docker-compose files that do not specify a digest (SHA256 hash). Using images without digests is insecure as the image content can change without detection, potentially introducing malicious code.
Detection Strategy
• Scans docker-compose YAML files for image definitions
• Checks if each 'image:' entry includes a digest (SHA256 hash) after the '@sha256:' prefix
• Reports a vulnerability if an image reference uses only tags (like ':latest') without a digest
• Example of secure format: 'image: nginx@sha256:a935519...'
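The check described above, as an added example (not Fluid Attacks' own scanner): a small line-based scanner that finds every 'image:' entry in a compose file, reports references with no '@sha256:' digest, and separately reports digests that are not 64 hex characters. The sample compose text and the service names are constructed for this example; the valid digest is the one from the secure example on this page.

```python
import re
from typing import List, Tuple

# Only 'image:' keys are inspected; an optional quoted value and a trailing
# '# comment' are tolerated. This is a line scan, not a full YAML parse.
IMAGE_LINE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"#\s]+)['\"]?")
# A well-formed content digest is exactly 'sha256:' plus 64 lowercase hex digits.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed sample compose file mixing the cases the rule distinguishes.
SAMPLE_COMPOSE = """\
version: '3.8'
services:
  web-app:
    image: nginx:1.25.3
  api-service:
    image: api-image@sha256:invalid123
  worker:
    image: ghcr.io/example/worker@sha256:e8c68503a60b9dbc4d5d03717a7f3558614c872345470864a5850e21d5ee175e
  cache:
    image: "redis"
"""


def check_image_reference(ref: str) -> str:
    """Classify one image reference: 'ok', 'missing-digest' or 'invalid-digest'."""
    if "@" not in ref:
        # Tag-only (or no tag at all) references are mutable and are flagged.
        return "missing-digest"
    digest = ref.rsplit("@", 1)[1]
    if not DIGEST_RE.fullmatch(digest):
        # Something after '@' that is not a real sha256 digest cannot pin content.
        return "invalid-digest"
    return "ok"


def scan_compose(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, image_reference, finding) for every flagged 'image:' line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = IMAGE_LINE_RE.match(line)
        if not match:
            continue
        verdict = check_image_reference(match.group(1))
        if verdict != "ok":
            findings.append((lineno, match.group(1), verdict))
    return findings


if __name__ == "__main__":
    for lineno, ref, verdict in scan_compose(SAMPLE_COMPOSE):
        print(f"line {lineno}: {verdict}: {ref}")
```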
Vulnerable code example
version: '3'
services:
  web-app:
    image: nginx # Vulnerable: Image tag not specified, could pull unexpected version
  api-service:
    image: api-image@sha256:invalid123 # Vulnerable: Invalid/incorrect SHA digest
    ports:...
✅ Secure code example
version: '3.8' # Using latest stable compose version for security features
services:
  web-app:
    image: nginx:1.25.3 # Pinned to specific version for predictability and security
  api-service:
    image: api-image@sha256:e8c68503a60b9dbc4d5d03717a7f3558614c872345470864a5850e21d5ee175e # Valid SHA256 digest
    ports:...