ISSUE-102 Medium Quick CI/CD Container Images
Forbidden container image tag
Control: Container images must not use forbidden tags · Config key: containerImageMustNotUseForbiddenTags
📋 What is this?
A container image used to run a CI/CD job is using a tag that is forbidden by your configuration.
⚠️ Impact
A tag is a mutable pointer, not a fixed artifact: anyone who can push to the image repository can make the same tag resolve to a different image tomorrow. If a pipeline uses a floating tag such as `latest`, the next job run may silently pull a compromised, untested or incompatible image with no change to the pipeline definition, giving you either an insecure build environment or an unexplained breakage.
🔧 How to fix
Replace the forbidden tag with a specific version tag that your Policy controls allow (the forbidden list is configured under containerImageMustNotUseForbiddenTags.tags).
✗ Before
These jobs use the `latest` tag, which is mutable and may change unexpectedly between runs.

```yaml
# .gitlab-ci.yml — ❌ Uses "latest" tag (forbidden)
build:
  image: python:latest
  script:
    - pip install -r requirements.txt
    - python setup.py build

lint:
  image: golangci/golangci-lint:latest
  script:
    - golangci-lint run
```

✓ After
Specific version tags make the build reproducible for as long as the tag is not re-pushed.

```yaml
# .gitlab-ci.yml — ✅ Uses specific version tags
build:
  image: python:3.12.1
  script:
    - pip install -r requirements.txt
    - python setup.py build

lint:
  image: golangci/golangci-lint:v1.62.2
  script:
    - golangci-lint run
```

💡 Tips
- Configure forbidden tags in `.plumber.yaml` under `containerImageMustNotUseForbiddenTags.tags`.
- Common forbidden tags include: `latest`, `dev`, `staging`, `main`, `master`.
- An image reference with no tag at all (`image: python`) is pulled as `:latest` by the container runtime, so treat it the same way as an explicit `latest`.
- Even a specific version tag can be re-pushed. Pinning by digest (`python:3.12.1@sha256:...`) fixes the exact image content and is the stronger guarantee where your tooling supports it.
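To make the control's logic concrete, here is an added, illustrative implementation of the check that is not plumber's own code. It walks a parsed `.gitlab-ci.yml`, represented as a constructed Python dict standing in for the output of `yaml.safe_load`, resolves each job's image (including inheritance from `default.image`), splits the reference into name, tag and digest without mistaking a registry port for a tag, and reports every job whose effective tag is forbidden. Two behaviours are this example's assumptions, not documented plumber behaviour: an untagged image is reported as `latest` because that is what the runtime pulls, and a digest-pinned reference is treated as compliant because the digest fixes the content. The `RESERVED_KEYS` list of non-job top-level keywords is also only partial.

```python
"""Illustrative forbidden-image-tag check for a .gitlab-ci.yml.

Added example, not plumber's own implementation. SAMPLE_CONFIG is a
constructed dict standing in for yaml.safe_load(".gitlab-ci.yml").
"""
from typing import Optional

# Mirrors the page's list of commonly forbidden tags.
FORBIDDEN_TAGS = frozenset({"latest", "dev", "staging", "main", "master"})

# Top-level GitLab CI keywords that are not job definitions (partial list,
# this example's assumption).
RESERVED_KEYS = frozenset({
    "default", "include", "stages", "variables", "workflow", "image",
    "services", "cache", "before_script", "after_script",
})


def parse_image_ref(ref: str) -> tuple[str, Optional[str], Optional[str]]:
    """Split an OCI image reference into (name, tag, digest).

    The tag is whatever follows the last ':' that comes after the last '/',
    so a registry port in 'registry.example.com:5000/app' is not mistaken
    for a tag. An optional digest follows '@'.
    """
    name, _, digest = ref.partition("@")
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        return name[:colon], name[colon + 1:], digest or None
    return name, None, digest or None


def effective_tag(ref: str) -> Optional[str]:
    """Return the tag a pull of `ref` actually resolves to.

    Example's choice: no tag and no digest means the runtime pulls
    ':latest', so that is reported as 'latest'; a digest-pinned reference
    is immutable and reports no tag at all.
    """
    _, tag, digest = parse_image_ref(ref)
    if digest:
        return None
    return tag if tag is not None else "latest"


def image_name(spec) -> Optional[str]:
    """GitLab accepts `image: <str>` or `image: {name: <str>, ...}`."""
    if isinstance(spec, str):
        return spec
    if isinstance(spec, dict):
        return spec.get("name")
    return None


def find_forbidden_tags(config: dict, forbidden=FORBIDDEN_TAGS) -> dict[str, str]:
    """Map job name -> offending image reference.

    Jobs without their own `image` inherit `default.image`, then the
    older top-level `image`. Hidden jobs (names starting with '.') are
    templates and never run, so they are skipped.
    """
    default = config.get("default") or {}
    inherited = image_name(default.get("image")) or image_name(config.get("image"))
    findings: dict[str, str] = {}
    for job, body in config.items():
        if job in RESERVED_KEYS or job.startswith(".") or not isinstance(body, dict):
            continue
        ref = image_name(body.get("image")) or inherited
        if ref is None:
            continue
        if effective_tag(ref) in forbidden:
            findings[job] = ref
    return findings


# Constructed sample configuration (not from any real pipeline).
SAMPLE_CONFIG = {
    "default": {"image": "alpine:dev"},
    "build": {"image": "python:latest", "script": ["pip install -r requirements.txt"]},
    "lint": {"image": {"name": "golangci/golangci-lint:v1.62.2", "entrypoint": [""]},
             "script": ["golangci-lint run"]},
    # Registry port and no tag: pulled as :latest, must be flagged.
    "scan": {"image": "registry.example.com:5000/security/scanner", "script": ["scan ."]},
    # Digest-pinned: content is fixed, so the example treats it as compliant.
    "release": {"image": "python:3.12.1@sha256:" + "0" * 64, "script": ["make release"]},
    # No image of its own: inherits default.image (alpine:dev).
    "deploy": {"script": ["./deploy.sh"]},
    # Hidden template job, never executed.
    ".template": {"image": "python:latest"},
}

if __name__ == "__main__":
    for job, ref in find_forbidden_tags(SAMPLE_CONFIG).items():
        print(f"{job}: {ref} (tag '{effective_tag(ref)}' is forbidden)")
```

Run against the sample, the check reports `build`, `scan` and `deploy`; `lint` passes on its version tag, `release` passes on its digest, and the hidden `.template` job is ignored. The port-versus-tag split in `parse_image_ref` is the part most ad-hoc greps get wrong, which is why it is isolated in its own function.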
⚙️ Configuration
This control is configured in `.plumber.yaml` under the following key. The `tags` list holds the forbidden tags; the values below are the common ones named in the tips above.

```yaml
controls:
  containerImageMustNotUseForbiddenTags:
    enabled: true
    tags:
      - latest
      - dev
      - staging
      - main
      - master
```

See the CLI documentation for the full configuration reference.