
DL3006: Always tag the version of an image explicitly

Warning Security

Why This Matters

Untagged images default to :latest, which can change without warning. A deployment that worked yesterday can break today because the base image was updated upstream. Pin to a specific tag (e.g., node:20-alpine) so your builds are reproducible and behave the same across environments.

How to Fix

Pin the base image to a specific version tag or digest

Before (incorrect)

FROM ubuntu

After (correct)

FROM ubuntu:22.04
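The check described above, sketched as an added example (not code from the original page or from the linter that implements DL3006): it scans a Dockerfile's FROM lines and reports base images that carry neither a tag nor a digest. The function names and the sample Dockerfile are constructed for illustration. Skipping `scratch`, earlier build-stage aliases, and `$VARIABLE` references is this example's assumption about what cannot or need not be pinned.

```python
import re

# Constructed sample Dockerfile for the example (not from the original page).
SAMPLE = """\
FROM ubuntu
FROM ubuntu:22.04 AS base
FROM --platform=linux/amd64 node AS build
FROM localhost:5000/app
FROM localhost:5000/app:1.4
FROM alpine@sha256:<digest-placeholder>
FROM build AS test
FROM scratch
"""

# FROM [--flag=value ...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def is_pinned(image):
    """True if the image reference carries an explicit tag or a digest."""
    if "@" in image:                       # digest form: name@sha256:...
        return True
    last_component = image.rsplit("/", 1)[-1]
    return ":" in last_component           # a ':' in host:port is not a tag


def untagged_from_lines(dockerfile):
    """Return (line_number, image) for every FROM with no tag or digest."""
    findings, stages = [], set()
    for number, line in enumerate(dockerfile.splitlines(), 1):
        match = FROM_RE.match(line)
        if not match:
            continue
        image, alias = match.group(1), match.group(2)
        skip = (
            image.lower() == "scratch"     # empty base image, nothing to pin
            or image.lower() in stages     # reference to an earlier build stage
            or image.startswith("$")       # build ARG, not resolvable statically
        )
        if not skip and not is_pinned(image):
            findings.append((number, image))
        if alias:
            stages.add(alias.lower())
    return findings


if __name__ == "__main__":
    for number, image in untagged_from_lines(SAMPLE):
        print(f"line {number}: DL3006 image '{image}' has no tag or digest")
```

The `localhost:5000/app` case shows why the tag test looks only at the last path component: a registry port contains a colon but does not pin the image.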

Rule Details

Rule Code: DL3006
Severity: Warning
Category: Security
