lintai docs

Appearance

Rule Reference

SEC752lintai-ai-securitystabledocker-composewarn

Docker Compose: latest or implicit-latest service image tag

Docker Compose service image uses a latest or implicit-latest tag

Provider
lintai-ai-security
Surface
docker-compose
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

supply-chainmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks committed Docker Compose services for images that rely on `latest` or the implicit default latest tag.

Deterministic signal basis

DockerComposeSignals semantic `services.*.image` detection combined with indentation-aware line matching and deterministic detection of explicit `:latest` tags or missing tags on non-digest image references.

Malicious corpus
docker-compose-latest-image
Benign corpus
docker-compose-tagged-image-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC748Docker Compose: privileged service runtimeDocker Compose service enables privileged container runtime or host namespace accessdocker-composestable
SEC750Docker Compose: mutable service imageDocker Compose service image uses a mutable registry reference without a digest pindocker-composestable

Why It Matters

Compose files committed with latest or implicit latest tags are not reproducible. The deployed image can change without any repository diff, which weakens review and rollback confidence.

What Triggers

SEC752 matches services.*.image values when the service image uses either:

  • no explicit tag, which implies latest
  • an explicit :latest tag

The rule skips digest-pinned images.

False Positives

The rule is intentionally narrow and does not flag reviewed explicit version tags such as nginx:1.27.0.

Remediation

Replace latest or implicit-latest service images with a reviewed explicit version tag or a digest pin.