Ensure Containers Jobs Use a Non-Latest Version Tag

Non-latest version tags are preferred because:

  • They ensure that the image is immutable and cannot be overwritten by another image with the same tag, which could lead to unexpected behavior or errors in the pipelines.
  • They provide a clear history of what image was used for a specific build or deployment, which enables easy rollback to a previous version if needed.
  • They support semantic versioning, which is a standard way of indicating the compatibility and stability of software releases.
    Therefore, this rule recommends using stable tags that correspond to major or minor versions of the image.

Risk Level: medium
Platform: Azure Pipelines
Spectral Rule ID: AZRPPL001


To fix this issue, replace the 'latest' tag with a specific version tag in the job.container, job.container.image, or job.pool.vmImage fields. For example:

job: Example_1
- container: ubuntu:latest
+ container: ubuntu:20.04


job: Example_2
-   image: ubuntu:latest
+   image: ubuntu:20.04


job: Example_3
- vmImage: 'ubuntu-latest'
+ vmImage: 'ubuntu-20.04'

Read more: