Ensure Container Job Uses a Version Digest

Using version digests for container jobs in Azure Pipelines is recommended because:

  • Version digests guarantee that the image is immutable and will not change or be deleted, even if the tag does. This avoids unexpected behavior or errors in the pipelines.
  • Version digests enable a clear history of what image was used for a specific build or deployment, which allows easy tracking and auditing of the origin and quality of your container images.
  • Version digests follow semantic versioning, which is a widely used way of indicating the compatibility and stability of software releases.
Therefore, this rule suggests using version digests instead of tags when specifying a container image for your job.

Risk Level: medium
Platform: Azure Pipelines
Spectral Rule ID: AZRPPL002

REMEDIATION

In stages.jobs.container, set a version digest:

- container: ubuntu
+ container: ubuntu@sha256:a0a45bd8b6c4a6967<<<NUM>>f01f2a68f73406327285edc5b5b07cb1cf073db
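
To apply this rule mechanically across a whole pipeline definition, here is an added example (not part of this page and not Spectral's own implementation): a small Python check that reports every Azure Pipelines container image reference that lacks a full sha256 digest. It assumes the pipeline YAML is available as text, resolves job-level aliases to resources.containers, and runs on a constructed sample with a hypothetical registry name and a placeholder digest.

```python
import re

# "container: <ref>" (string form of a job container) or "image: <ref>"
# (mapping form of container:, and entries under resources.containers).
IMAGE_REF = re.compile(r'^\s*(?:-\s*)?(container|image):\s*["\']?([^\s"\'#]+)')
# A digest-pinned reference ends in @sha256:<64 lowercase hex chars>.
DIGEST = re.compile(r'@sha256:[0-9a-f]{64}$')

FAKE_DIGEST = "a" * 64  # constructed placeholder, not a real image digest
# Constructed sample pipeline: a tag-only alias under resources.containers,
# a job using a bare tag, a job using the alias, and a digest-pinned job.
SAMPLE_PIPELINE = f"""\
resources:
  containers:
    - container: tools
      image: myregistry.azurecr.io/tools:1.2
jobs:
  - job: build
    container: ubuntu
    steps:
      - script: make
  - job: test
    container: tools
    steps:
      - script: make test
  - job: lint
    container:
      image: python:3.12@sha256:{FAKE_DIGEST}
    steps:
      - script: make lint
"""

def is_digest_pinned(ref: str) -> bool:
    """True if the image reference carries a full sha256 digest."""
    return DIGEST.search(ref) is not None

def _scan(lines):
    """Yield (line_no, key, ref, in_resources) for every container/image key."""
    in_resources = False
    for line_no, line in enumerate(lines, start=1):
        if line and not line[0].isspace():           # new top-level key
            in_resources = line.startswith("resources:")
            continue
        m = IMAGE_REF.match(line)
        if m:
            yield line_no, m.group(1), m.group(2), in_resources

def find_unpinned_images(pipeline_yaml: str) -> list:
    """Return (line_no, ref) for each image reference that is not digest-pinned.

    Under resources.containers the 'container:' key is an alias name, not an
    image, so aliases are collected first and a job's 'container: <alias>' is
    reported at the alias's own image: line instead of as an unpinned image.
    """
    lines = pipeline_yaml.splitlines()
    aliases = {ref for _, key, ref, in_res in _scan(lines)
               if in_res and key == "container"}
    return [(line_no, ref) for line_no, key, ref, in_res in _scan(lines)
            if not (key == "container" and (in_res or ref in aliases))
            and not is_digest_pinned(ref)]
```

Run against the sample, the check reports the alias's tag-only image and the bare `ubuntu` reference, and accepts the digest-pinned job.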

Read more: