Rule Reference

SEC751 | lintai-ai-security | stable | dockerfile | warn

Dockerfile: latest or implicit-latest base image tag

Dockerfile FROM uses a latest or implicit-latest image tag

Provider: lintai-ai-security
Surface: dockerfile
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks committed Dockerfiles for base images that rely on `latest` or the implicit default latest tag.

Deterministic signal basis

DockerfileSignals exact `FROM` token analysis with prior-stage alias tracking plus deterministic detection of explicit `:latest` tags or missing tags on non-digest image references.

Malicious corpus: dockerfile-latest-base-image
Benign corpus: dockerfile-tagged-base-image-safe
structured evidence required; remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

`latest` and implicit-latest tags are mutable by design: a rebuild can pull a different image over time, and incident response is weakened because the committed Dockerfile does not identify a stable artifact.

What Triggers

SEC751 matches FROM instructions when the selected base image uses either:

  • no explicit tag at all, which implies latest
  • an explicit :latest tag

The rule skips digest-pinned images and previously defined stage aliases in multi-stage builds.
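The following is an added illustration of the detection logic described above, written for this page and not the lintai-ai-security implementation itself. It walks `FROM` lines of a constructed Dockerfile, skips option flags, tracks stage aliases, treats a colon in the registry host (a port) as not being a tag, and reports explicit `:latest` or missing tags on non-digest references; skipping `FROM scratch` is this example's own assumption, not something the rule text states.

```python
import re

# Constructed sample Dockerfile covering the cases the rule describes.
SAMPLE_DOCKERFILE = "\n".join([
    "FROM python AS build",                     # no tag: implicit latest, defines alias
    "FROM --platform=linux/amd64 node:latest",  # explicit :latest after an option flag
    "FROM alpine:3.20",                         # reviewed version tag, not flagged
    "FROM nginx@sha256:" + "0" * 64,            # digest pin (constructed digest), skipped
    "FROM registry.example.com:5000/app",       # ':' is a registry port, so still untagged
    "FROM build",                               # reuse of a prior stage alias, skipped
])

_FROM_RE = re.compile(r"^\s*FROM\s+(.*)$", re.IGNORECASE)

def _split_tag(ref):
    """Return (name, tag, digest) without mistaking a registry port for a tag."""
    name, _, digest = ref.partition("@")
    # Only the last path component may carry a tag; a ':' before the last '/'
    # belongs to the host (registry:5000).
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        return name[:colon], name[colon + 1:], digest or None
    return name, None, digest or None

def find_latest_base_images(dockerfile_text):
    """Return (line_no, image_ref, reason) for each FROM resolving to latest."""
    findings = []
    stage_aliases = set()  # aliases from earlier `FROM ... AS <alias>` lines
    for line_no, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        # Drop --platform=... style options that may precede the image ref.
        args = [t for t in m.group(1).split() if not t.startswith("--")]
        if not args:
            continue
        image = args[0]
        is_alias = image in stage_aliases
        if len(args) >= 3 and args[1].upper() == "AS":
            stage_aliases.add(args[2])
        if is_alias or image == "scratch":  # 'scratch' skip is this example's assumption
            continue
        _, tag, digest = _split_tag(image)
        if digest:
            continue  # digest-pinned references are immutable and skipped
        if tag is None:
            findings.append((line_no, image, "implicit latest (no tag)"))
        elif tag == "latest":
            findings.append((line_no, image, "explicit :latest"))
    return findings
```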

False Positives

The rule is intentionally narrow: it does not flag reviewed explicit version tags such as alpine:3.20, and it excludes `FROM build`-style reuse of a stage alias defined earlier in the same Dockerfile.

Remediation

Replace latest or implicit-latest references with a reviewed explicit version tag or a digest pin.