
Rule Reference


MCP config: Docker image not digest-pinned

MCP configuration launches Docker with an image reference that is not digest-pinned

Public lane
supply-chain
Category
hardening
Provider
lintai-ai-security
Scope
per-file
Surface
json
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks committed MCP config Docker launch paths for image references that are not pinned by digest, including tag-only refs such as :latest or :1.2.3 and untagged refs (which resolve to :latest at run time).

Deterministic signal basis

JsonSignals docker run argument analysis over ArtifactKind::McpConfig objects, limited to command == docker plus args beginning with run.

Malicious corpus
mcp-docker-unpinned-image
Benign corpus
mcp-docker-digest-pinned-safe
structured evidence required
remediation reviewed
Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Why It Matters

SEC337 flags MCP configuration that launches Docker with an image reference that is not digest-pinned.

Because this rule targets committed executable MCP config rather than markdown examples, it is a stronger operational signal than the markdown-only Docker guidance family. A hit means the committed server launch path still depends on mutable registry state: a tag such as :1.2.3 is a pointer that anyone with push access to the repository can move to different image bytes without any change appearing in the committed config, whereas a sha256 digest names immutable content, so the image that runs can only change through an explicit edit to the config.

What Triggers

SEC337 applies to MCP JSON config and triggers when:

  • the config launches Docker
  • the selected image token looks like a registry-distributed image
  • and the image is not pinned with @sha256:...

Example that triggers:

json
{"command":"docker","args":["run","ghcr.io/acme/mcp-server:1.2.3"]}

Example that stays clean:

json
{"command":"docker","args":["run","ghcr.io/acme/mcp-server@sha256:0123..."]}
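The trigger conditions above, worked through as a Python example added for this page; it is not the linter's own JsonSignals implementation. The VALUE_FLAGS table of docker run options that take a value, the mcpServers/servers wrapper keys, the "<root>" name given to a bare server object, and the sample config are all assumptions made for the example. The page does not spell out its "looks like a registry-distributed image" heuristic, so the example treats whatever positional token follows the docker run options as the image and flags it unless it carries a sha256 digest.

```python
import json
import re

# docker run flags that consume the following argv token as their value.
# Constructed for this example; it is not the linter's own table and only
# needs to cover flags commonly seen in MCP launch configs.
VALUE_FLAGS = {
    "-e", "--env", "--env-file", "-v", "--volume", "--mount", "-p", "--publish",
    "--name", "--network", "--net", "-u", "--user", "-w", "--workdir",
    "--entrypoint", "-l", "--label", "--platform", "--pull", "--restart",
    "-m", "--memory", "--cpus", "--add-host", "--cap-add", "--cap-drop",
    "--security-opt", "--device", "--tmpfs", "-h", "--hostname",
}

# A digest-pinned reference ends in @sha256:<64 lowercase hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_token(args):
    """Return the image reference from a `docker run` argv, or None.

    `args` is the MCP "args" list, so args[0] must be "run". Flags are
    skipped; a bare flag in VALUE_FLAGS also skips the token after it,
    while `--flag=value` carries its value inline. The first positional
    token is the image; anything after it is the container command.
    """
    if not args or args[0] != "run":
        return None
    i = 1
    while i < len(args):
        tok = args[i]
        if tok.startswith("-"):
            i += 2 if ("=" not in tok and tok in VALUE_FLAGS) else 1
            continue
        return tok
    return None


def is_digest_pinned(ref):
    return DIGEST_RE.search(ref) is not None


def iter_servers(cfg):
    """Yield (name, server) pairs from a wrapped config ({"mcpServers": {...}}
    or {"servers": {...}}, an assumed client convention) or a bare server object."""
    for key in ("mcpServers", "servers"):
        if isinstance(cfg.get(key), dict):
            yield from cfg[key].items()
            return
    if "command" in cfg:
        yield "<root>", cfg


def scan_mcp_config(text):
    """Return [(server_name, image_ref)] for every docker-run server whose
    image is not digest-pinned; other commands and pinned images are skipped."""
    findings = []
    for name, server in iter_servers(json.loads(text)):
        if server.get("command") != "docker":
            continue
        ref = image_token(server.get("args", []))
        if ref is not None and not is_digest_pinned(ref):
            findings.append((name, ref))
    return findings


# Constructed sample config (not taken from any real project).
DIGEST = "0123456789abcdef" * 4
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "pinned": {"command": "docker",
                   "args": ["run", "-i", "--rm", "-e", "API_TOKEN=x",
                            "ghcr.io/acme/mcp-server@sha256:" + DIGEST]},
        "tagged": {"command": "docker",
                   "args": ["run", "--name", "mcp", "--env=LOG=1",
                            "ghcr.io/acme/mcp-server:1.2.3"]},
        "untagged": {"command": "docker",
                     "args": ["run", "-it", "docker.io/library/node", "server.js"]},
        "not-docker": {"command": "npx", "args": ["-y", "@acme/mcp-server"]},
    }
})

if __name__ == "__main__":
    for name, ref in scan_mcp_config(SAMPLE_CONFIG):
        print(f"SEC337 {name}: image {ref!r} is not digest-pinned")
```

The option handling is the part worth getting right: picking args[1] or args[-1] as the image would select the value of -e or the container command in the sample, so the scan walks the docker run options and takes the first positional token. Flags that take a value are an explicit table because docker run has no delimiter between options and the image.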

False Positives

This is a strong structural config rule. The main boundary is that it only targets Docker-backed MCP launch paths and requires an actual non-digest image token. Because detection is limited to command == docker with args beginning with run, a Docker launch that is wrapped in a shell (for example a command of sh with the docker run invocation inside a -c string) or a docker compose service is not inspected at all, which means it produces neither a hit nor a false positive.

Remediation

Pin the Docker image by digest (for example ghcr.io/acme/mcp-server@sha256:<digest>) or replace the launch path with another reproducible execution mechanism. The digest behind a tag can be read with docker buildx imagetools inspect <image:tag> or, after a pull, with docker inspect --format '{{index .RepoDigests 0}}' <image:tag>. A digest freezes the exact image bytes, including any vulnerabilities in them, so pair the pin with a process for bumping the digest when the upstream image is updated.