Ensure each Container image has a pinned (tag) version

No items found.

Ensuring that each container image has a pinned version (tag) means that the container image used for deployment is explicitly specified with a specific tag, rather than using a default or latest tag. This helps to ensure consistency and prevent unexpected changes due to new versions of the container image being deployed.


To ensure each container image has a pinned (tag) version, you can take the following remediation steps:

  1. Use a Docker image tag in your container specification that uniquely identifies the image version you want to use, instead of using the latest tag.
  2. Use a private Docker registry to store your images, and configure your container orchestrator to pull images from that registry.
  3. Use a container image scanning tool to identify vulnerabilities and other issues in your images, and use this information to decide which images to use.
  4. Use automation to keep your container images up-to-date and to automatically build new images when new versions of dependencies become available.
  5. Implement a tagging convention for your container images that includes the version number and any other relevant information, such as the date and time of the build. This will help you keep track of which versions are currently in use and make it easier to troubleshoot any issues that arise.
Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.