Skip to main content

CV-B004: Image tag not pinned (mutable tag)

Warning Best Practice

Why This Matters

Mutable tags like latest, stable, edge, and nightly can point to different image versions over time. This means the same Compose file can produce different results on different machines or at different times, making deployments non-reproducible and difficult to debug.

How to Fix

Pin the image to a specific immutable version tag or SHA256 digest

Before (incorrect)

services:
  web:
    image: nginx:stable

After (correct)

services:
  web:
    image: nginx:1.25.3-alpine

Rule Details

Rule Code
CV-B004
Severity
Warning
Category
Best Practice

Related Rules

CV-B001 Warning

Missing healthcheck
CV-B002 Warning

No restart policy
CV-B003 Warning

No resource limits
CV-B006 Warning

Deprecated version field
CV-B008 Warning

Both build and image specified