---
title: "Validate Base Image Tag"
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/dockerfile_best_practices/validate-base-image-tag/
---


### Description

Ensuring the use of version tags and digests instead of the latest image tag in a Dockerfile is crucial for maintaining control, reproducibility, and stability in containerized environments. This policy checks whether the base image tag is defined with a specific version or digest in the Dockerfile to promote reliable container deployment practices.

### Kyverno policy

Refer to the Nirmata curated policies - [validate-base-image-tag](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/validate-base-image-tag/validate-base-image-tag.yaml).

### Resource example

Below are examples of two Dockerfiles enforcing this policy.

```bash
# Multi-Stage Build

FROM busybox:1.33 as base
COPY test.sh /test.sh

FROM base
LABEL foo=bar
```

```bash
# Multi-Stage Capital Build

FROM busybox:1.33 AS base
COPY test.sh /test.sh

FROM base AS build
LABEL foo=bar

FROM base
```text