Ensure Containers Jobs Use a Non-Latest Version Tag
Non-latest version tags are preferred because:
- They ensure that the image is immutable and cannot be overwritten by another image with the same tag, which could lead to unexpected behavior or errors in the pipelines.
- They provide a clear history of what image was used for a specific build or deployment, which enables easy rollback to a previous version if needed.
- They support semantic versioning, which is a standard way of indicating the compatibility and stability of software releases.
Therefore, this rule recommends using stable tags that correspond to major or minor versions of the image.
Risk Level: medium
Platform: Azure Pipelines
Spectral Rule ID: AZRPPL001
REMEDIATION
To fix this issue, replace the 'latest' tag with a specific version tag in the job.container, job.container.image, or job.pool.vmImage fields. For example:
job: Example_1
- container: ubuntu:latest
+ container: ubuntu:20.04
OR
job: Example_2
container:
- image: ubuntu:latest
+ image: ubuntu:20.04
OR
job: Example_3
pool:
- vmImage: 'ubuntu-latest'
+ vmImage: 'ubuntu-20.04'
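As an added example (not Spectral's own rule implementation), the check this rule describes written in Python over a parsed pipeline: it flags the three fields the remediation names and, going one step further than the page, also treats an untagged container.image as floating, because the container runtime then pulls 'latest'. SAMPLE_PIPELINE is constructed here and stands in for what yaml.safe_load returns for an azure-pipelines.yml file.

```python
"""Flag Azure Pipelines jobs that run on a floating 'latest' image (Spectral rule AZRPPL001)."""
import re

FLOATING_VMIMAGE = re.compile(r"-latest$", re.IGNORECASE)  # 'ubuntu-latest', 'windows-latest', ...


def image_is_floating(image, untagged_is_latest=False):
    """True when an image reference resolves to 'latest'. A digest ('@sha256:...') pins the image
    and is never flagged; with untagged_is_latest=True a tagless reference is flagged as well."""
    if "@" in image:
        return False
    last = image.rsplit("/", 1)[-1]  # drop 'registry:5000/ns/' so the port is not read as a tag
    if ":" not in last:
        return untagged_is_latest
    return last.rsplit(":", 1)[1].lower() == "latest"


def check_job(job):
    """Return (field, value) findings for one parsed job mapping."""
    findings = []
    container = job.get("container")
    # A bare string may also be a resources.containers alias, so only an explicit tag is checked.
    if isinstance(container, str) and image_is_floating(container):
        findings.append(("container", container))
    elif isinstance(container, dict):
        image = container.get("image", "")
        if image and image_is_floating(image, untagged_is_latest=True):
            findings.append(("container.image", image))
    pool = job.get("pool")
    if isinstance(pool, dict) and FLOATING_VMIMAGE.search(pool.get("vmImage", "")):
        findings.append(("pool.vmImage", pool["vmImage"]))
    return findings


def check_pipeline(pipeline):
    """Walk top-level jobs and jobs nested in stages; return (job, field, value) triples."""
    jobs = list(pipeline.get("jobs", []))
    for stage in pipeline.get("stages", []):
        jobs.extend(stage.get("jobs", []))
    return [(job.get("job", "<unnamed>"), f, v) for job in jobs for f, v in check_job(job)]


# Constructed sample: the parsed form (what yaml.safe_load returns) of a pipeline file.
SAMPLE_PIPELINE = {
    "jobs": [
        {"job": "Example_1", "container": "ubuntu:latest"},
        {"job": "Example_2", "container": {"image": "ubuntu:latest"}},
        {"job": "Example_3", "pool": {"vmImage": "ubuntu-latest"}},
        {"job": "Pinned", "container": "ubuntu:20.04", "pool": {"vmImage": "ubuntu-20.04"}},
    ],
    "stages": [{"stage": "Build", "jobs": [
        {"job": "Untagged", "container": {"image": "registry.example:5000/tools/build"}}]}],
}
```

Running check_pipeline(SAMPLE_PIPELINE) reports Example_1, Example_2 and Example_3 plus the untagged image, and leaves the pinned job alone.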