PG006: Prefer image digest over mutable tag
Severity: Info | Category: Security
Why This Matters
Image tags are mutable. A maintainer can rebuild and push a new image under the same tag at any time, and a compromised registry account or a slip in a release pipeline can do the same. A deployment pinned to node:20-alpine today may silently run a different image tomorrow. A digest (e.g., node:20-alpine@sha256:abc...) is content-addressed: it is the SHA-256 of the image manifest, so a reference that carries it always resolves to exactly the same manifest and layers, and a registry cannot hand back different content without the digest check failing. That is what makes the base image immutable. It does not by itself make your own build reproducible; packages, modules and archives fetched during the build still have to be pinned separately.

The trade-off is that a pinned digest never picks up new pushes of the tag, including security fixes, so pair the pin with automation that bumps the digest (Dependabot and Renovate both support Docker digest updates) or review it on a schedule.
How to Fix
Pin the base image to a digest. Run `docker pull <image>` and then `docker inspect --format='{{index .RepoDigests 0}}' <image>` to get the digest the tag resolved to. The output has the form `node@sha256:...` (repository and digest, no tag); write the FROM line as `node:20-alpine@sha256:...` so the tag remains as human-readable documentation while the digest is what is actually resolved. When both are present the digest wins, so a tag that later drifts is harmless. To read the digest without pulling, `docker buildx imagetools inspect <image>` prints it together with the per-platform manifests; for a multi-platform image pin the top-level index digest shown there, not one platform's manifest digest, or the reference will no longer resolve to the right architecture on other build hosts.
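The procedure above, resolve the digest and rewrite the FROM line, as a small set of POSIX shell helpers. This is an added example and not part of the PG006 rule or its linter: `from_ref`, `is_digest_pinned`, `pin_line`, `lint_dockerfile`, `resolve_digest` and `sample_dockerfile` are names chosen here. It goes a little beyond the page's single FROM line by also handling `--platform` flags, `AS` stage names, `FROM scratch`, references to earlier build stages, and ARG-based references that cannot be checked statically. `resolve_digest` assumes the docker CLI with buildx and network access; everything else runs offline against the constructed sample Dockerfile.

```shell
#!/bin/sh
# Added example, not part of the PG006 rule or its linter.
# Helpers to find unpinned FROM lines and to rewrite them with a digest.
# Assumes POSIX sh plus awk/grep; resolve_digest additionally assumes the
# docker CLI with buildx and network access to the registry.

# Print the image reference from a FROM line, skipping --platform= style flags
# and ignoring a trailing "AS <stage>".
from_ref() {
  printf '%s\n' "$1" |
    awk '{ for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; exit } }'
}

# Exit 0 if the reference ends in a full sha256 digest, 1 otherwise.
is_digest_pinned() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Resolve a tag to the digest the registry currently serves for it, without
# pulling. For a multi-arch tag this is the manifest list (index) digest, the
# one to pin so the image still resolves on every platform. Needs network.
resolve_digest() {
  docker buildx imagetools inspect "$1" --format '{{ .Manifest.Digest }}'
}

# Rewrite one FROM line so its reference carries the given digest. Flags and
# the AS name are preserved, and an existing digest is replaced, so running
# this again with a newer digest is safe.
pin_line() {
  printf '%s\n' "$1" | awk -v d="$2" '{
    for (i = 2; i <= NF; i++) if ($i !~ /^--/) {
      sub(/@sha256:[0-9a-f]+$/, "", $i)
      $i = $i "@" d
      break
    }
    print
  }'
}

# Report every FROM line that is not digest-pinned. "scratch" and references
# to an earlier build stage are skipped; an ARG-based reference such as
# FROM ${BASE} is reported because it cannot be verified statically.
# Exit status is 1 if anything was reported.
lint_dockerfile() {
  stages=" "
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      [Ff][Rr][Oo][Mm]\ *) ;;
      *) continue ;;
    esac
    ref=$(from_ref "$line")
    # remember stage names so a later "FROM <stage>" is not flagged
    stage=$(printf '%s\n' "$line" | awk 'toupper($(NF-1)) == "AS" { print $NF }')
    if [ -n "$stage" ]; then stages="$stages$stage "; fi
    case "$ref" in
      scratch) continue ;;
      '$'*) printf 'PG006: cannot verify ARG-based base image: %s\n' "$ref"
            bad=$((bad + 1)); continue ;;
    esac
    case "$stages" in *" $ref "*) continue ;; esac
    if ! is_digest_pinned "$ref"; then
      printf 'PG006: base image not pinned to a digest: %s\n' "$ref"
      bad=$((bad + 1))
    fi
  done < "$1"
  [ "$bad" -eq 0 ]
}

# Constructed sample Dockerfile for trying the helpers offline. The digest on
# the second line is a placeholder of the right shape, not a real image.
sample_dockerfile() {
  cat <<'EOF'
FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder
FROM node:20-alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM scratch
FROM builder AS tests
FROM ${BASE_IMAGE}
FROM node:20-alpine
EOF
}

# Usage (online):  lint_dockerfile Dockerfile
#                  pin_line "FROM node:20-alpine" "$(resolve_digest node:20-alpine)"
```

On the sample file `lint_dockerfile` reports three lines: the unpinned golang and node tags and the `${BASE_IMAGE}` reference, while the pinned node line, `scratch` and `FROM builder` pass. The ARG case is reported rather than ignored on purpose: a build argument can be overridden from the command line, so the Dockerfile alone cannot prove what image it will use.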
Before (incorrect)

    FROM node:20-alpine

After (correct)

    FROM node:20-alpine@sha256:1a2b3c...

Rule Details
- Rule Code: PG006
- Severity: Info
- Category: Security