Latest tag
No violationsstackroxlowbuilddeployAlert on deployments with images using tag 'latest'
- Rationale
- Using latest tag can result in running heterogeneous versions of code. Many Docker hosts cache the Docker images, which means newer versions of the latest tag will not be picked up. See https://docs.docker.com/develop/dev-best-practices for more best practices.
- Remediation
- Consider moving to semantic versioning based on code releases (semver.org) or using the first 12 characters of the source control SHA. This will allow you to tie the Docker image to the code.
CategoriesDevOps Best PracticesSupply Chain Security
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 28.1
- ISO/IEC 27001 2022
- A.8.25
- NIST SP 800-53 rev. 5
- SR-4
- PCI DSS 4.0
- 6.4.3
- SOC 2 2017 TSC
- CC6.8CC8.1
Generated artifacts
3 of 5 targets supportedlatest-tag.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: latest-tag
annotations:
policies.kyverno.io/title: Latest tag
policies.kyverno.io/category: DevOps Best Practices, Supply Chain Security
policies.kyverno.io/severity: low
policies.kyverno.io/description: Alert on deployments with images using tag 'latest'
policies.kyverno.io/remediation: Consider moving to semantic versioning based on code releases (semver.org) or using the first 12 characters of the source control SHA. This will allow you to tie the Docker image to the code.
policies.kyverno.io/rationale: Using latest tag can result in running heterogeneous versions of code. Many Docker hosts cache the Docker images, which means newer versions of the latest tag will not be picked up. See https://docs.docker.com/develop/dev-best-practices for more best practices.
policies.io/source: stackrox
policies.io/source-id: 2e90874a-3521-44de-85c6-5720f519a701
spec:
validationFailureAction: Audit
background: true
rules:
- name: latest-tag
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Policy \"Latest tag\" violated: Alert on deployments with images using tag 'latest'"
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[].image }}"
operator: AnyIn
value:
- "*:latest"
exclude:
any:
- resources:
namespaces:
- openshift-network-diagnostics
- resources:
namespaces:
- openshift-sre-pruning
- resources:
namespaces:
- openshift-build-test
- resources:
namespaces:
- openshift-backplane-managed-scripts
- resources:
namespaces:
- openshift-monitoring
- resources:
namespaces:
- openshift-monitoring
- resources:
namespaces:
- openshift-backplane
- resources:
namespaces:
- openshift-sre-pruning
- resources:
namespaces:
- openshift-marketplace
- resources:
namespaces:
- openshift-monitoring
- resources:
namespaces:
- openshift-monitoring
- resources:
namespaces:
- openshift-monitoring
- resources:
namespaces:
- kube-system
- resources:
namespaces:
- istio-system
IR (canonical)
{
"id": "2e90874a-3521-44de-85c6-5720f519a701",
"name": "Latest tag",
"description": "Alert on deployments with images using tag 'latest'",
"rationale": "Using latest tag can result in running heterogeneous versions of code. Many Docker hosts cache the Docker images, which means newer versions of the latest tag will not be picked up. See https://docs.docker.com/develop/dev-best-practices for more best practices.",
"remediation": "Consider moving to semantic versioning based on code releases (semver.org) or using the first 12 characters of the source control SHA. This will allow you to tie the Docker image to the code.",
"severity": "low",
"categories": [
"DevOps Best Practices",
"Supply Chain Security"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "sre-pod-network-connectivity-check-pruner",
"namespace": "openshift-network-diagnostics"
},
{
"name": "osd-delete-ownerrefs-serviceaccounts",
"namespace": "openshift-sre-pruning"
},
{
"name": "sre-build-test",
"namespace": "openshift-build-test"
},
{
"name": "osd-delete-backplane-script-resources",
"namespace": "openshift-backplane-managed-scripts"
},
{
"name": "sre-ebs-iops-reporter",
"namespace": "openshift-monitoring"
},
{
"name": "sre-stuck-ebs-vols",
"namespace": "openshift-monitoring"
},
{
"name": "osd-delete-backplane-serviceaccounts",
"namespace": "openshift-backplane"
},
{
"name": "deployments-pruner",
"namespace": "openshift-sre-pruning"
},
{
"name": "osd-patch-subscription-source",
"namespace": "openshift-marketplace"
},
{
"name": "sre-dns-latency-exporter",
"namespace": "openshift-monitoring"
},
{
"name": "osd-rebalance-infra-nodes",
"namespace": "openshift-monitoring"
},
{
"name": "osd-rebalance-infra-node",
"namespace": "openshift-monitoring"
},
{
"name": "Don't alert on kube-system namespace",
"namespace": "kube-system"
},
{
"name": "Don't alert on istio-system namespace",
"namespace": "istio-system"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "image-tag",
"values": [
"latest"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "2e90874a-3521-44de-85c6-5720f519a701",
"name": "Latest tag",
"description": "Alert on deployments with images using tag 'latest'",
"rationale": "Using latest tag can result in running heterogeneous versions of code. Many Docker hosts cache the Docker images, which means newer versions of the latest tag will not be picked up. See https://docs.docker.com/develop/dev-best-practices for more best practices.",
"remediation": "Consider moving to semantic versioning based on code releases (semver.org) or using the first 12 characters of the source control SHA. This will allow you to tie the Docker image to the code.",
"disabled": false,
"categories": [
"DevOps Best Practices",
"Supply Chain Security"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on deployment sre-pod-network-connectivity-check-pruner in namespace openshift-network-diagnostics",
"deployment": {
"name": "sre-pod-network-connectivity-check-pruner",
"scope": {
"cluster": "",
"namespace": "openshift-network-diagnostics",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment osd-delete-ownerrefs-serviceaccounts in namespace openshift-sre-pruning",
"deployment": {
"name": "osd-delete-ownerrefs-serviceaccounts",
"scope": {
"cluster": "",
"namespace": "openshift-sre-pruning",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment sre-build-test in namespace openshift-build-test",
"deployment": {
"name": "sre-build-test",
"scope": {
"cluster": "",
"namespace": "openshift-build-test",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment osd-delete-backplane-script-resources in namespace openshift-backplane-managed-scripts",
"deployment": {
"name": "osd-delete-backplane-script-resources",
"scope": {
"cluster": "",
"namespace": "openshift-backplane-managed-scripts",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment sre-ebs-iops-reporter in namespace openshift-monitoring",
"deployment": {
"name": "sre-ebs-iops-reporter",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment sre-stuck-ebs-vols in namespace openshift-monitoring",
"deployment": {
"name": "sre-stuck-ebs-vols",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment osd-delete-backplane-serviceaccounts in namespace openshift-backplane",
"deployment": {
"name": "osd-delete-backplane-serviceaccounts",
"scope": {
"cluster": "",
"namespace": "openshift-backplane",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment deployments-pruner in namespace openshift-sre-pruning",
"deployment": {
"name": "deployments-pruner",
"scope": {
"cluster": "",
"namespace": "openshift-sre-pruning",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment osd-patch-subscription-source in namespace openshift-marketplace",
"deployment": {
"name": "osd-patch-subscription-source",
"scope": {
"cluster": "",
"namespace": "openshift-marketplace",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment sre-dns-latency-exporter in namespace openshift-monitoring",
"deployment": {
"name": "sre-dns-latency-exporter",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment osd-rebalance-infra-nodes in namespace openshift-monitoring",
"deployment": {
"name": "osd-rebalance-infra-nodes",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment osd-rebalance-infra-node in namespace openshift-monitoring",
"deployment": {
"name": "osd-rebalance-infra-node",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on istio-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "istio-system",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Image Tag",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "latest"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}