iac/dockerfile/dockerfile-apt-noconfirm-no-pin
apt install without version pinning
low | Dockerfile | iac-dockerfile
What it detects
An apt-get install that names packages without specific versions makes builds non-reproducible: a later rebuild can silently pull in a different, possibly vulnerable, version of the same package.
Remediation
Pin package versions (`apt-get install -y pkg=1.2.3`) or rely on a Docker layer cache bust per release.
How it runs
Runs against Dockerfiles, detected by path or basename. The checks are line-based and each finding carries remediation guidance.
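An added example of the line-based check this rule describes and the pinned form the remediation asks for; it is illustrative code, not the scanner's own implementation. The Dockerfile text, the helper names and the pinned versions are all constructed for the example.

```python
import re
import shlex

# Constructed sample (not from any real project): line 2 is unpinned, line 3 is
# pinned as the remediation suggests, lines 4-6 mix both across a continuation.
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y curl ca-certificates
RUN apt-get install -y --no-install-recommends jq=1.6-2.1
RUN apt update && DEBIAN_FRONTEND=noninteractive apt install -y \\
    git \\
    vim=2:9.0.1378-2
"""

OPTS_WITH_ARG = {"-o", "-c", "-t"}  # apt-get options that consume the next token
# Optional VAR=value prefixes, then apt/apt-get, optional flags, then "install".
INSTALL_RE = re.compile(r"^(?:\w+=\S*\s+)*(apt-get|apt)\s+(-\S+\s+)*install\b")


def _logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = [], None
    for n, line in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None


def find_unpinned_apt_packages(dockerfile_text):
    """Return [(line_no, package)] for apt/apt-get install args lacking '=version'."""
    findings = []
    for line_no, logical in _logical_lines(dockerfile_text):
        stripped = logical.lstrip()
        if not stripped.upper().startswith("RUN "):
            continue
        for cmd in re.split(r"&&|\|\||;", stripped[4:]):
            cmd = cmd.strip()
            if not INSTALL_RE.match(cmd):
                continue
            tokens = shlex.split(cmd)
            skip = False
            for tok in tokens[tokens.index("install") + 1:]:
                if skip:
                    skip = False
                elif tok.startswith("-"):
                    skip = tok in OPTS_WITH_ARG
                elif "=" not in tok:
                    findings.append((line_no, tok))
    return findings
```

On the sample it reports curl and ca-certificates on line 2 and git on line 4, while the pinned jq and vim pass.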
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.