Docker Latest Tag
Using FROM image:latest means a new pull can silently change your base image, breaking reproducibility and potentially introducing vulnerabilities.
How It Works
:latest resolves to whatever the registry considers current at pull time. A new Node.js major version, a changed base OS, or a compromised image being pushed as :latest can change your build without any code change. You lose reproducibility and auditing.
# BAD: latest tag is unpinned — changes without warning
FROM node:latest
FROM postgres:latest

# GOOD: pin to a specific version tag (add an @sha256 digest as well for full immutability)
FROM node:20.11.1-alpine3.19
FROM postgres:16.2-alpine3.19

Real-World Example
In 2020, a maintainer of a popular Docker Hub base image pushed breaking changes to :latest. Thousands of CI builds that relied on it failed simultaneously. More critically, a compromised :latest could silently ship malware to every downstream user.
How to Prevent It
- Pin base images to specific version tags (node:20.11.1-alpine3.19, not node:latest)
- For maximum security, pin to the image digest (FROM node@sha256:abc123...) which is immutable
- Use Dependabot or Renovate to automatically update pinned image versions with reviewed PRs
- Prefer minimal base images (alpine, distroless) to reduce the attack surface
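The check described under "How It Works" and in the prevention list above can be run over a Dockerfile before it reaches CI. The following linter is an added example written for this page, not Data Hogo's scanner or any project's code: it parses every FROM instruction, skips references to earlier build stages and to scratch, treats a missing tag as an implicit :latest, and grades each base image as digest-pinned, tag-pinned (still mutable) or unpinned. The sample Dockerfile and the all-zero digest in it are constructed placeholders, not real images.

```python
import re
from dataclasses import dataclass

# Matches "FROM [--platform=...] image[:tag][@digest] [AS name]" (keyword is case-insensitive).
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# A well-formed content digest is "sha256:" followed by 64 hex digits.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    line: int
    ref: str
    severity: str
    reason: str


def parse_ref(ref):
    """Split an image reference into (name, tag, digest); missing parts are None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # The tag separator is the last ':' that comes after the last '/', so that a
    # registry with a port (registry.example.com:5000/node) is not mistaken for a tag.
    slash = ref.rfind("/")
    colon = ref.rfind(":")
    tag = None
    if colon > slash:
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest


def lint_dockerfile(text):
    """Return one Finding per FROM line whose base image is not immutably pinned."""
    findings = []
    stages = set()  # names declared with "AS <name>"; later FROM <name> lines are not pulls
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("alias"):
            stages.add(m.group("alias").lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue  # earlier build stage or the empty image: nothing to pin
        if "$" in ref:
            # ARG/ENV substitution: what gets pulled depends on build arguments.
            findings.append(Finding(lineno, ref, "medium", "image reference built from a variable; pin the default value"))
            continue
        name, tag, digest = parse_ref(ref)
        if digest is not None:
            if not DIGEST_RE.match(digest):
                findings.append(Finding(lineno, ref, "high", "malformed digest"))
            continue  # digest-pinned: the registry cannot change what this resolves to
        if tag is None or tag == "latest":
            findings.append(Finding(lineno, ref, "high", "unpinned: resolves to :latest at pull time"))
        else:
            findings.append(Finding(lineno, ref, "low", "tag-pinned but mutable; add an @sha256 digest for immutability"))
    return findings


# Constructed sample input covering each case the linter distinguishes.
SAMPLE_DOCKERFILE = """\
# constructed sample Dockerfile, not from a real project
ARG BASE=node:20.11.1-alpine3.19
FROM node:latest AS builder
FROM --platform=linux/amd64 postgres:16.2-alpine3.19
FROM node@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM ${BASE}
FROM builder
FROM scratch
FROM python
"""

if __name__ == "__main__":
    for f in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: [{f.severity}] {f.ref}: {f.reason}")
```

Run against the sample it reports node:latest and the bare python reference as high, the tag-only postgres line as low, and the ${BASE} line as medium; the digest-pinned node line, the builder stage reference and scratch produce nothing. Pointing it at a real Dockerfile in a pre-commit hook or CI step gives the same classification before the image is ever pulled.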
Data Hogo detects this vulnerability automatically.

Related Vulnerabilities
Running as Root in Docker (medium)
Containers that run as root give any code execution vulnerability immediate root access to the container — and potentially the host.

Secrets in Dockerfile (critical)
Secrets added via ENV, ARG, or COPY .env in a Dockerfile are baked into the image layers and readable by anyone who pulls the image.

Unnecessary Exposed Ports (low)
EXPOSE-ing ports your application doesn't actually use increases the attack surface without any benefit.

No Docker Health Check (low)
Without a HEALTHCHECK instruction, Docker and orchestrators can't detect when your container is running but broken — routing traffic to a dead app.