Ensure not to use the 'latest' tag for any GitLab pipelines images

Using a continuously changed tag version can result in unexpected software behavior, supply chain attack vector, and unrecoverable state.

Risk Level: medium
Platform: GitLab
Spectral Rule ID: GLPL001


Always use an exact version lock.


  • image: ubuntu:20.04
  • image: npm:14.0

Bad examples:

  • image: ubuntu:latest
  • image: npm:master
  • image: alpine

Read more:

  • TBD