Ensure Container Job Uses a Version Digest
Using version digests for container jobs in Azure Pipelines is recommended because:
- Version digests guarantee that the image is immutable and will not change or be deleted, even if the tag does. This avoids unexpected behavior or errors in the pipelines.
- Version digests enable a clear history of what image was used for a specific build or deployment, which allows easy tracking and auditing of the origin and quality of your container images.
- Version digests follow semantic versioning, which is a widely used way of indicating the compatibility and stability of software releases.
Therefore, this rule suggests using version digests instead of tags when specifying a container image for your job.
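A check in the spirit of this rule, as an added example and not Spectral's own implementation of AZRPPL002. It scans pipeline YAML line by line (an assumed simplification, not a full YAML parse) and reports container images that lack a complete sha256 digest, treating resources.containers aliases as references rather than images. The sample pipeline, its names and its digest are constructed.

```python
import re

# A pinned reference ends in "@sha256:" plus exactly 64 lowercase hex characters.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
ALIAS_DECL = re.compile(r"^\s*-\s*container:\s*(\S+)")  # resources.containers entry
INLINE = re.compile(r"^\s*container:\s*(\S+)")          # job-level "container: <value>"
IMAGE = re.compile(r"^\s*(?:-\s*)?image:\s*(\S+)")      # "image: <value>" in a container mapping

# Constructed digest for the sample below; it does not identify a real image.
PINNED = "ubuntu@sha256:" + "0123456789abcdef" * 4

SAMPLE = f"""\
resources:
  containers:
  - container: build_env
    image: ubuntu:22.04
jobs:
- job: a
  container: build_env
- job: b
  container: ubuntu
- job: c
  container: {PINNED}
- job: d
  container:
    image: node:20@sha256:abc123
"""

def is_pinned(ref):
    """True only if the reference carries a full sha256 digest."""
    return bool(DIGEST.search(ref.strip("'\"")))

def unpinned_containers(pipeline_text):
    """Return (line_number, reference) for each container image not pinned by digest."""
    lines = [l.split(" #")[0].rstrip() for l in pipeline_text.splitlines()]
    aliases = {m.group(1) for l in lines if (m := ALIAS_DECL.match(l))}
    findings = []
    for n, line in enumerate(lines, 1):
        if ALIAS_DECL.match(line):
            continue  # declares an alias; its image: line is checked on its own
        m = IMAGE.match(line)
        if m is None:
            m = INLINE.match(line)
            if m and m.group(1) in aliases:
                continue  # job refers to a declared container resource
        if m and not is_pinned(m.group(1)):
            findings.append((n, m.group(1)))
    return findings

if __name__ == "__main__":
    for n, ref in unpinned_containers(SAMPLE):
        print(f"line {n}: {ref} is not pinned to a digest")
```

The truncated digest on the last job is reported as well, since a short or malformed value after @sha256: does not pin anything.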
Risk Level: medium
Platform: Azure Pipelines
Spectral Rule ID: AZRPPL002
REMEDIATION
In stages.jobs.container, set a version digest:
- container: ubuntu
+ container: ubuntu@sha256:a0a45bd8b6c4a6967<<<NUM>>f01f2a68f73406327285edc5b5b07cb1cf073db
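Review bot: the digest on the + line is not a complete sha256 value (it contains a <<<NUM>> placeholder and is not 64 hex characters), so the job cannot pull it as written; substitute the full digest of the image you have verified. Consider keeping a tag next to the digest (name:tag@sha256:...) so readers can see which release the digest corresponds to.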