lintai docs

Appearance

Rule Reference

SEC752lintai-ai-securitysupply-chainhardeningstabledocker-composewarn

Docker Compose: latest or implicit-latest service image tag

Docker Compose service image uses a latest or implicit-latest tag

Public lane
supply-chain
Category
hardening
Provider
lintai-ai-security
Scope
per-file
Surface
docker-compose
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

supply-chainsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks committed Docker Compose services for images that rely on `latest` or the implicit default latest tag.

Deterministic signal basis

DockerComposeSignals semantic `services.*.image` detection combined with indentation-aware line matching and deterministic detection of explicit `:latest` tags or missing tags on non-digest image references.

Malicious corpus
docker-compose-latest-image
Benign corpus
docker-compose-tagged-image-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

SEC750Docker Compose: mutable service imageDocker Compose service image uses a mutable registry reference without a digest pinsupply-chainhardeningdocker-compose
SEC748Docker Compose: privileged service runtimeDocker Compose service enables privileged container runtime or host namespace accessthreat-reviewsecuritydocker-compose

Why It Matters

Compose files committed with latest or implicit latest tags are not reproducible. The deployed image can change without any repository diff, which weakens review and rollback confidence.

What Triggers

SEC752 matches services.*.image values when the service image uses either:

  • no explicit tag, which implies latest
  • an explicit :latest tag

The rule skips digest-pinned images.

False Positives

The rule is intentionally narrow and does not flag reviewed explicit version tags such as nginx:1.27.0.

Remediation

Replace latest or implicit-latest service images with a reviewed explicit version tag or a digest pin.