ISSUE-103 Critical Medium CI/CD Container Images
Container image is not pinned by digest
Control: Container images must be pinned by digest · Config key: containerImagesMustBePinnedByDigest
📋 What is this?
When digest pinning is enabled in your configuration, every container image must be referenced by its SHA256 digest (image@sha256:...). This image is using a tag reference instead.
⚠️ Impact
Even specific version tags (e.g., python:3.12.1) can be reassigned to a different image. Digest pinning is the only way to guarantee the exact image content used in your pipeline, providing the strongest supply chain security.
🔧 How to fix
Replace the tag reference with a digest reference. You can find the digest using `docker inspect` or `crane digest`.
✗ Before
Even specific version tags can be reassigned to a different image.

```yaml
# .gitlab-ci.yml — ❌ Uses tag reference (not pinned by digest)
build:
  image: python:3.12.1
  script:
    - python setup.py build
```

✓ After
SHA256 digest ensures the exact image content is always used.

```yaml
# .gitlab-ci.yml — ✅ Pinned by SHA256 digest
build:
  image: python@sha256:1c5313e4a18...f4b8e
  script:
    - python setup.py build

# Find the digest with:
# docker pull python:3.12.1
# docker inspect --format='{{index .RepoDigests 0}}' python:3.12.1
# Or:
# crane digest python:3.12.1
```

```yaml
# .plumber.yaml
controls:
  containerImagesMustBePinnedByDigest:
    enabled: true
```

💡 Tips
- Enable digest pinning in `.plumber.yaml` with `containerImagesMustBePinnedByDigest: true`.
- Use `crane digest <image>:<tag>` (from go-containerregistry) for a quick digest lookup.
- Consider automating digest updates with tools like Renovate or Dependabot.
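The check this control performs can be reproduced locally before a pipeline file is committed. The script below is an added example, not plumber's own implementation: it scans a `.gitlab-ci.yml` for `image:` references (both the scalar form and the `image: { name: ... }` mapping form), splits each reference into repository, tag and digest, and reports every reference that does not carry a well-formed `sha256:` digest. It deliberately handles the two cases a naive split on `:` gets wrong, a registry host with a port (`registry.example.com:5000/...`) and a reference that carries both a tag and a digest, and it treats a malformed digest as unpinned. The sample pipeline, image names and digests are constructed for the example; the scan is line-based rather than a full YAML parse.

```python
import re

# Constructed sample .gitlab-ci.yml (not from the original page). It mixes the
# reference shapes a checker has to handle: plain tag, registry with a port,
# digest-only, tag+digest inside the mapping form, and a malformed digest.
SAMPLE_CI = """\
build:
  image: python:3.12.1
  script:
    - python setup.py build

test:
  image: registry.example.com:5000/team/python:3.12.1
  script:
    - pytest

release:
  image: python@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  script:
    - python -m build

deploy:
  image:
    name: ghcr.io/example/deployer:v2@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
    entrypoint: [""]
  script:
    - ./deploy.sh

lint:
  image: python@sha256:deadbeef
  script:
    - ruff check .
"""

# A real sha256 digest is exactly 64 lowercase hex characters.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Matches `image: <ref>` or `name: <ref>` with optional quotes and trailing comment.
IMAGE_LINE_RE = re.compile(r"^\s*(?:image|name):\s*[\"']?([^\s\"'#]+)[\"']?\s*(?:#.*)?$")


def parse_image_ref(ref):
    """Split an OCI image reference into (repository, tag, digest).

    The tag is the text after the last ':' only when that ':' comes after the
    last '/'; otherwise the ':' belongs to the registry port.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    last_slash = ref.rfind("/")
    last_colon = ref.rfind(":")
    if last_colon > last_slash:
        return ref[:last_colon], ref[last_colon + 1:], digest
    return ref, None, digest


def is_pinned_by_digest(ref):
    """True only if the reference carries a well-formed sha256 digest."""
    _, _, digest = parse_image_ref(ref)
    return digest is not None and DIGEST_RE.fullmatch(digest) is not None


def find_unpinned_images(ci_yaml_text):
    """Return [(line_number, ref)] for each image reference not pinned by digest."""
    findings = []
    image_indent = None  # indentation of an open `image:` mapping, if any
    for lineno, line in enumerate(ci_yaml_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        # Leaving the `image:` mapping once indentation drops back to its level.
        if image_indent is not None and indent <= image_indent:
            image_indent = None
        if stripped == "image:":
            image_indent = indent
            continue
        match = IMAGE_LINE_RE.match(line)
        if not match:
            continue
        key = stripped.split(":", 1)[0]
        # A `name:` key only counts when it sits inside an `image:` mapping.
        if key == "name" and image_indent is None:
            continue
        ref = match.group(1)
        if not is_pinned_by_digest(ref):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned_images(SAMPLE_CI):
        print(f".gitlab-ci.yml:{lineno}: image not pinned by digest: {ref}")
```

On the constructed sample the scan reports the `build` and `test` images (tag references) and the `lint` image (digest too short to be a real sha256), while `release` and `deploy` pass. The `deploy` case shows why a tag alongside a digest is still acceptable: the registry resolves by digest and the tag is informational only.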
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
```yaml
controls:
  containerImagesMustBePinnedByDigest:
    enabled: true
```

See the CLI documentation for the full configuration reference.