Ensure not to use the 'latest' tag for any GitLab pipelines images

Using a continuously changed tag version can result in unexpected software behavior, supply chain attack vector, and unrecoverable state.

Suggest Edits

Risk Level: medium
Platform: GitLab
Spectral Rule ID: GLPL001

REMEDIATION

Always use an exact version lock.

Examples:

  • image: ubuntu:20.04
  • image: npm:14.0

Bad examples:

  • image: ubuntu:latest
  • image: npm:master
  • image: alpine

Read more:

  • TBD

Updated 7 months ago