RuleDocument.md
category: Security
severity: Critical
online version:

Use specific tags

SYNOPSIS

Containers should use specific tags instead of latest.

DESCRIPTION

Containers should use specific tags instead of latest. This is because:

  • The image that latest points to can be updated.

RECOMMENDATION

Deployments or pods should identify a specific tag to use for container images instead of latest. When latest is used, it may be hard to determine which version of the image is running.

When using variable tags such as v1.0 (which may refer to v1.0.0 or v1.0.1), consider using imagePullPolicy: Always to ensure that an out-of-date cached image is not used.

The latest tag automatically uses imagePullPolicy: Always instead of the default imagePullPolicy: IfNotPresent.
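One way to check a manifest against this recommendation, as an added example that is not part of the original rule document or the project's code. The sample Deployment, registry name and function names are constructed for illustration; handling of digest references (image@sha256:...) goes beyond what the text covers.

```python
import json

# Constructed sample Deployment (not from the original page).
SAMPLE = json.loads("""
{
  "kind": "Deployment",
  "spec": {"template": {"spec": {"containers": [
    {"name": "web",   "image": "nginx"},
    {"name": "api",   "image": "registry.example:5000/team/api:latest"},
    {"name": "cache", "image": "redis:v1.0"},
    {"name": "job",   "image": "registry.example:5000/team/job:v1.0",
     "imagePullPolicy": "Always"},
    {"name": "db",    "image": "registry.example:5000/team/db:1.4.2"}
  ]}}}
}
""")

def image_tag(image):
    """Return the tag of an image reference, or None if it has no tag."""
    name = image.split("@", 1)[0]    # drop any @sha256:... digest
    last = name.rsplit("/", 1)[-1]   # a colon before the last "/" is a registry port
    return last.split(":", 1)[1] if ":" in last else None

def effective_pull_policy(container):
    """Explicit policy if set, else the Kubernetes default for the image reference."""
    if "imagePullPolicy" in container:
        return container["imagePullPolicy"]
    image = container["image"]
    if "@" in image:                 # digest reference
        return "IfNotPresent"
    return "Always" if image_tag(image) in (None, "latest") else "IfNotPresent"

def check(manifest):
    """Return {container name: (status, effective imagePullPolicy)}."""
    results = {}
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        pinned = "@" in c["image"] or image_tag(c["image"]) not in (None, "latest")
        results[c["name"]] = ("pass" if pinned else "fail", effective_pull_policy(c))
    return results

if __name__ == "__main__":
    for name, (status, policy) in check(SAMPLE).items():
        print(f"{name}: {status} (imagePullPolicy={policy})")
```

The reported policy lets a reviewer spot variable tags such as v1.0 that pass the tag check but still rely on IfNotPresent, as the cache container does here.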

NOTES

Test that [isIgnored].

{
    "type": "Microsoft.Network/virtualNetworks",
    "name": "[parameters('VNETName')]",
    "apiVersion": "2020-06-01",
    "location": "[parameters('location')]",
    "properties": {}
}

LINKS