lintai docs

Appearance

Rule Reference

SEC750lintai-ai-securitystabledocker-composewarn

Docker Compose: mutable service image

Docker Compose service image uses a mutable registry reference without a digest pin

Provider
lintai-ai-security
Surface
docker-compose
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

supply-chainmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks committed Docker Compose services for registry-distributed image references that are not digest pinned.

Deterministic signal basis

DockerComposeSignals combines semantic confirmation of `services.*.image` values with indentation-aware line matching and conservative registry-image plus digest-pin detection.

Malicious corpus
docker-compose-mutable-image
Benign corpus
docker-compose-digest-pinned-image
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC748Docker Compose: privileged service runtimeDocker Compose service enables privileged container runtime or host namespace accessdocker-composestable
SEC752Docker Compose: latest or implicit-latest service image tagDocker Compose service image uses a latest or implicit-latest tagdocker-composestable

Why It Matters

Mutable service-image tags in committed Compose files reduce reproducibility and make incident review harder, because the deployed bytes can change without any config diff in the repository.

What Triggers

SEC750 matches services.*.image values in semantic Docker Compose files when the image is a registry-distributed reference without a digest pin.

False Positives

The rule is kept intentionally narrow and uses conservative image matching plus digest-pin detection. It does not fire on digest-pinned service images.

Remediation

Pin service images by digest instead of relying on mutable tags.