Validate Base Image Tag
Description
Pinning base images to a specific version tag, or better still to an immutable digest, instead of the mutable latest tag is crucial for maintaining control, reproducibility, and stability in containerized environments. Note that a FROM line with no tag at all resolves to latest implicitly, and that even a version tag can be re-pointed by the registry owner; only a digest guarantees the same image content on every build. This policy checks whether each base image in the Dockerfile is defined with a specific version tag or digest, to promote reliable container deployment practices.
Kyverno policy
Refer to the Nirmata curated policies - validate-base-image-tag.
Resource example
Below are two multi-stage Dockerfiles that comply with this policy. References to an earlier build stage (FROM base) are not external images and therefore do not need a tag; the stage alias keyword may be written as either as or AS.
# Multi-Stage Build
FROM busybox:1.33 as base
COPY test.sh /test.sh
# "base" is the stage defined above, not an external image, so no tag is required
FROM base
LABEL foo=bar

# Multi-Stage Capital Build
FROM busybox:1.33 AS base
COPY test.sh /test.sh
FROM base AS build
LABEL foo=bar
FROM base
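The following Python checker is an added example of the validation logic the policy description above expresses; it is not the Kyverno policy itself nor code from Nirmata. It parses FROM instructions, accepts references to previously declared build stages (as in the two Dockerfiles above) and to scratch, requires a version tag or a well-formed sha256 digest on every external image, flags a missing tag or the latest tag, and reports images built from a build ARG as unverifiable. The sample Dockerfiles and the digest value in DIGEST_PINNED are constructed for this example.

```python
import re

# Parses a FROM instruction: optional --platform flag, the image reference, and an
# optional stage alias ("as"/"AS", any case, as in the two Dockerfiles above).
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
# A content digest: the algorithm prefix followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify_image(image, stages):
    """Return None when the reference is acceptable, otherwise a short reason string."""
    if image.lower() in stages or image.lower() == "scratch":
        return None  # an earlier build stage, or the empty base image
    if "$" in image:
        return "image reference uses a build ARG and cannot be verified statically"
    name, sep, digest = image.partition("@")
    if sep:
        # Digest pinning is immutable; anything after '@' must be a real digest.
        return None if DIGEST_RE.match(digest) else f"malformed digest {digest!r}"
    # The tag is the text after the last ':' only if that ':' follows the last '/',
    # so registry ports such as localhost:5000/busybox are not mistaken for tags.
    colon = name.rfind(":")
    if colon <= name.rfind("/"):
        return "no tag given (defaults to latest)"
    if name[colon + 1:].lower() == "latest":
        return "uses the latest tag"
    return None


def check_dockerfile(text):
    """Return (line_number, image, reason) for every FROM line that is not pinned
    to a version tag or digest. Stage aliases declared on earlier lines are accepted."""
    findings = []
    stages = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(raw.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        reason = classify_image(m.group("image"), stages)
        if reason:
            findings.append((lineno, m.group("image"), reason))
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return findings


# Constructed sample inputs: the first Dockerfile from this page, one that violates
# the policy in several ways, and one pinned by a (made-up) digest.
COMPLIANT = """# Multi-Stage Build
FROM busybox:1.33 as base
COPY test.sh /test.sh
FROM base
LABEL foo=bar
"""

VIOLATING = """FROM busybox
COPY test.sh /test.sh
FROM alpine:latest AS tools
FROM localhost:5000/busybox
FROM ${BASE_IMAGE}
FROM tools
"""

DIGEST_PINNED = "FROM busybox@sha256:" + "ab" * 32 + "\n"

if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT), ("violating", VIOLATING),
                        ("digest-pinned", DIGEST_PINNED)):
        for lineno, image, reason in check_dockerfile(text):
            print(f"{label}: line {lineno}: {image}: {reason}")
```

The checker is deliberately conservative: a reference it cannot resolve at parse time (a build ARG) is reported rather than silently accepted, which matches how an admission policy should fail closed.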