
DL3007: Do not use the :latest tag

Warning Security

Why This Matters

The :latest tag is a moving target. An image tagged :latest today may resolve to a completely different image tomorrow after the maintainer pushes an update. This breaks reproducibility because your staging and production environments may run different code from identical Dockerfiles. Always pin to a specific version tag (e.g., ubuntu:22.04) or a digest.

How to Fix

Replace :latest with a specific version tag

Before (incorrect)

FROM ubuntu:latest

After (correct)

FROM ubuntu:22.04
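A sketch of how a check like this can be automated, added here as an illustration and not taken from the linter's own code. It goes slightly beyond the rule by also flagging untagged images, which Docker resolves to :latest; the function names and the sample Dockerfile are constructed for the example.

```python
# Constructed sample Dockerfile; the digest is a shortened placeholder.
SAMPLE = """\
FROM ubuntu:latest AS base
FROM --platform=linux/amd64 localhost:5000/team/app AS build
FROM registry.example.com:5000/team/app:1.4.2
FROM ubuntu@sha256:0123abcd
FROM ${BASE_IMAGE}
FROM base AS final
FROM scratch
"""


def image_tag(ref):
    """Return the tag of an image reference: 'latest' if untagged, None if digest-pinned."""
    if "@" in ref:                      # a digest pin is immutable, the tag is irrelevant
        return None
    last = ref.rsplit("/", 1)[-1]       # a ':' before the last '/' is a registry port
    return last.split(":", 1)[1] if ":" in last else "latest"


def find_latest(dockerfile):
    """Return [(line_number, image)] for FROM lines that resolve to the latest tag."""
    stages, findings = set(), []
    for number, line in enumerate(dockerfile.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]   # drop --platform=...
        if not args:
            continue
        image = args[0]
        # Skip earlier build stages, the empty base image, and unresolved ARG references.
        if image.lower() not in stages and image != "scratch" and "$" not in image:
            if image_tag(image) == "latest":
                findings.append((number, image))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings


if __name__ == "__main__":
    for number, image in find_latest(SAMPLE):
        print(f"line {number}: {image} resolves to :latest, pin a version tag or digest")
```

The registry port in localhost:5000/team/app is not mistaken for a tag, and FROM base is skipped because it names an earlier build stage rather than an image.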

Rule Details

Rule Code: DL3007
Severity: Warning
Category: Security
