Forbidden container image tag
Control: Container images must not use forbidden tags · Config key: containerImageMustNotUseForbiddenTags
📋 What is this?
A container image used to run a CI/CD job is using a tag that is forbidden by your configuration.
⚠️ Impact
Using forbidden tags can result in insecure containers running in your CI/CD pipelines or unexpected breaking changes. For instance, if your pipeline uses the latest tag, it might pull a compromised, untested, or breaking image.
🔧 How to fix
Update the image tag to a tag allowed by your Policy controls.
```yaml
# .gitlab-ci.yml — ❌ Uses "latest" tag (forbidden)
build:
  image: python:latest
  script:
    - pip install -r requirements.txt
    - python setup.py build

lint:
  image: golangci/golangci-lint:latest
  script:
    - golangci-lint run
```

```yaml
# .gitlab-ci.yml — ✅ Uses specific version tags
build:
  image: python:3.12.1
  script:
    - pip install -r requirements.txt
    - python setup.py build

lint:
  image: golangci/golangci-lint:v1.62.2
  script:
    - golangci-lint run
```

💡 Tips
- Configure forbidden tags in .plumber.yaml under containerImageMustNotUseForbiddenTags.tags.
- Common forbidden tags include: latest, dev, staging, main, master.
⚙️ Configuration
This control is configured in .plumber.yaml under the gitlab section:

```yaml
gitlab:
  controls:
    containerImageMustNotUseForbiddenTags:
      enabled: true
```

See the CLI documentation for the full configuration reference. On Plumber Platform, the same key is used in your policy configuration.
Forbidden container image tag
Control: Container images must not use forbidden tags · Config key: containerImageMustNotUseForbiddenTags
📋 What is this?
A workflow runs against a container image referenced by a forbidden tag (e.g. latest, dev, main).
⚠️ Impact
Mutable tags can move between runs. A latest tag that passed today's job might point at a different image tomorrow — including a compromised one — without any change to the workflow file.
🔧 How to fix
Pin the image to an immutable version tag, or better yet to a digest (see ISSUE-103).
```yaml
# .github/workflows/build.yml — ❌ Uses "latest"
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:latest
    steps:
      - run: npm ci && npm test
```

```yaml
# .github/workflows/build.yml — ✅ Specific version
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:20.18.1
    steps:
      - run: npm ci && npm test
```

```yaml
# .plumber.yaml
github:
  controls:
    containerImageMustNotUseForbiddenTags:
      enabled: true
      tags: [latest, dev, staging, main, master]
```

💡 Tips
- Forbidden tags default to latest, dev, staging, main, master. Override via containerImageMustNotUseForbiddenTags.tags.
- Pair with ISSUE-103 to require digest pinning on top of immutable tags.
⚙️ Configuration
This control is configured in .plumber.yaml under the github section:

```yaml
github:
  controls:
    containerImageMustNotUseForbiddenTags:
      enabled: true
```

See the CLI documentation for the full configuration reference. On Plumber Platform, the same key is used in your policy configuration.
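As an added example (not part of the Plumber docs or its code), the following Python checker implements the check both the GitLab and GitHub sections describe: it scans a CI file for image references and flags forbidden tags, treating an untagged reference as latest and not mistaking a registry port for a tag. The sample pipeline, the forbidden-tag list and the rule that digest-pinned references are skipped are this example's own assumptions.

```python
import re

# Default forbidden tags from the page; an untagged ref is pulled as "latest".
FORBIDDEN_TAGS = {"latest", "dev", "staging", "main", "master"}

# Matches "image: python:3.12" (quoted or not) and GitHub's "container: node:20"
# short form; GitLab's nested "image: {name: ...}" form is not handled here.
_IMAGE_LINE = re.compile(r'^\s*-?\s*(?:image|container):\s*["\']?([^"\'\s#]+)')

# Constructed sample pipeline; the sha256 value is a placeholder, not a real digest.
SAMPLE_CI = """\
build:
  image: python:latest
lint:
  image: registry.example.com:5000/tools/golangci-lint:v1.62.2
test:
  image: "node"
release:
  image: node:20.18.1@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

def parse_image_ref(ref):
    """Split an OCI reference into (name, tag, digest); a registry port is not a tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    last = ref.rsplit("/", 1)[-1]  # only the final path component can carry a tag
    if ":" in last:
        cut = len(ref) - len(last) + last.index(":")
        return ref[:cut], ref[cut + 1:], digest
    return ref, "latest", digest  # no explicit tag: the runtime pulls "latest"

def find_forbidden_images(ci_text, forbidden=FORBIDDEN_TAGS):
    """Return (line_no, ref, tag) for each image whose tag is forbidden.
    Digest-pinned refs are skipped (this example's choice, not the page's):
    the digest, not the tag, decides which image is pulled."""
    findings = []
    for line_no, line in enumerate(ci_text.splitlines(), start=1):
        m = _IMAGE_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        _name, tag, digest = parse_image_ref(ref)
        if digest is None and tag in forbidden:
            findings.append((line_no, ref, tag))
    return findings
```

Running `find_forbidden_images(SAMPLE_CI)` reports the python:latest line and the bare `node` line (implicit latest), while the port-bearing registry reference and the digest-pinned image pass.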