Ensure Containers Jobs Use a Non-Latest Version Tag

Non-latest version tags are preferred because:

  • They ensure that the image is immutable and cannot be overwritten by another image with the same tag, which could lead to unexpected behavior or errors in the pipelines.
  • They provide a clear history of what image was used for a specific build or deployment, which enables easy rollback to a previous version if needed.
  • They support semantic versioning, which is a standard way of indicating the compatibility and stability of software releases.

Therefore, this rule recommends using stable tags that correspond to major or minor versions of the image.

Risk Level: medium
Platform: Azure Pipelines
Spectral Rule ID: AZRPPL001

REMEDIATION

To fix this issue, replace the 'latest' tag with a specific version tag in the job.container, job.container.image, or job.pool.vmImage fields. For example:

job: Example_1
- container: ubuntu:latest
+ container: ubuntu:20.04

OR

job: Example_2
  container:
-   image: ubuntu:latest
+   image: ubuntu:20.04

OR

job: Example_3
  pool:
-   vmImage: 'ubuntu-latest'
+   vmImage: 'ubuntu-20.04'
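As an added example (not part of the original rule text and not the Spectral rule's own implementation), the following Python scanner flags the three fields the remediation names (job.container, job.container.image, job.pool.vmImage) when they point at a floating image. It is a line-based check on a constructed sample pipeline, not a full YAML parser, and it goes slightly beyond the rule in two ways: a container reference with no tag at all is reported too (the container runtime then resolves it to ':latest'), and a reference pinned by '@sha256:' digest is accepted as immutable. Both extensions are assumptions about the check, not claims about how the rule itself behaves.

```python
import re
from typing import List, Tuple

# Constructed sample pipeline (not from any real project): one job per
# field the rule checks, mixing pinned and floating references.
SAMPLE_PIPELINE = """\
jobs:
- job: Example_1
  container: ubuntu:latest
- job: Example_2
  container:
    image: ubuntu:20.04
- job: Example_3
  pool:
    vmImage: 'ubuntu-latest'
- job: Example_4
  pool:
    vmImage: 'ubuntu-20.04'
- job: Example_5
  container: myregistry.example/tools/builder
"""

# Fields whose value is an image reference: job.container, job.container.image,
# and job.pool.vmImage in the rule's terms. A bare `container:` followed by a
# nested mapping does not match; its `image:` line is matched on its own.
IMAGE_FIELD = re.compile(r"^\s*(container|image|vmImage):\s*(.+?)\s*$")


def is_floating_reference(field: str, value: str) -> bool:
    """Return True when the reference resolves to a moving target."""
    value = value.strip().strip("'\"")
    if not value:
        return False
    if field == "vmImage":
        # Hosted agent images: 'ubuntu-latest', 'windows-latest', ...
        return value.endswith("-latest")
    # Container image: registry[:port][/path]/name[:tag][@digest]
    if "@sha256:" in value:
        return False  # digest pins the exact image content (assumption: accepted as immutable)
    last_segment = value.rsplit("/", 1)[-1]  # drops registry host, so a port colon is not mistaken for a tag
    if ":" not in last_segment:
        return True  # no tag at all: the runtime defaults to :latest (assumption noted in the lead-in)
    return last_segment.rsplit(":", 1)[1] == "latest"


def find_floating_tags(yaml_text: str) -> List[Tuple[int, str, str]]:
    """Scan pipeline YAML line by line; return (line number, field, value) for each floating reference."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        match = IMAGE_FIELD.match(line)
        if not match:
            continue
        field, value = match.group(1), match.group(2)
        if is_floating_reference(field, value):
            findings.append((lineno, field, value.strip("'\"")))
    return findings


if __name__ == "__main__":
    for lineno, field, value in find_floating_tags(SAMPLE_PIPELINE):
        print(f"line {lineno}: {field} uses floating reference '{value}'")
```

Run against the embedded sample, the scanner reports Example_1 (container ubuntu:latest), Example_3 (vmImage ubuntu-latest) and Example_5 (untagged container), while the pinned Example_2 and Example_4 pass. Feeding it a real azure-pipelines.yml from a pre-commit hook or a CI lint step gives an early, offline signal before the Spectral rule runs.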

Read more: