
iac/dockerfile/dockerfile-latest-tag

Base image pinned to :latest

low | Dockerfile | iac-dockerfile

What it detects

Using :latest (or no tag, which implies :latest) makes builds non-reproducible: the base image can change between builds, so new vulnerabilities enter the image silently.

Remediation

Pin to a specific version or, ideally, a SHA digest (`FROM node:20.11.1-alpine@sha256:...`).

How it runs

Runs against Dockerfiles detected by path or basename. The check is line-based, and each finding carries remediation guidance.
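The following is an added illustration of the kind of line-based check this rule describes, written for this page and not the tool's own code. It scans each FROM instruction, treats a digest or any explicit non-latest tag as pinned, and skips multi-stage references (FROM an earlier stage alias) and FROM scratch, which name no registry image. The sample Dockerfile, the image names and the all-zero digest are constructed placeholders.

```python
"""Line-based check for Docker base images pinned to :latest or untagged (added example)."""
import re
from dataclasses import dataclass

# A FROM instruction: optional --flags (e.g. --platform=...), the image
# reference, and an optional "AS <stage>" alias. Dockerfile keywords are
# case-insensitive.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: int
    image: str
    reason: str


def image_is_pinned(ref: str) -> tuple[bool, str]:
    """Return (pinned, reason) for one image reference.

    A digest (@sha256:...) always counts as pinned. Otherwise the last path
    component must carry a tag other than 'latest'. Registry hosts may contain
    ':' (host:port), so only the final path component is inspected for a tag.
    """
    if "@" in ref:
        return True, "digest-pinned"
    if "$" in ref:
        # A line-based check cannot resolve build arguments, so treat as unverified.
        return False, "build argument; pin cannot be verified"
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last:
        return False, "no tag (implicit :latest)"
    tag = last.rsplit(":", 1)[1]
    if tag.lower() == "latest":
        return False, "tag is :latest"
    return True, f"tag {tag}"


def check_dockerfile(text: str) -> list[Finding]:
    """Return one Finding per FROM line whose base image is not pinned."""
    findings: list[Finding] = []
    stages: set[str] = set()  # aliases declared so far by "FROM ... AS name"
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue  # Dockerfile comments occupy whole lines
        m = FROM_RE.match(raw)
        if not m:
            continue
        image, alias = m.group("image"), m.group("alias")
        # "FROM <stage>" reuses an earlier build stage; "FROM scratch" is the
        # empty image. Neither pulls from a registry, so neither is checked.
        if image.lower() not in stages and image.lower() != "scratch":
            pinned, reason = image_is_pinned(image)
            if not pinned:
                findings.append(Finding(n, image, reason))
        if alias:
            stages.add(alias.lower())
    return findings


# Constructed sample; the digest is a placeholder, not a real image.
SAMPLE_DOCKERFILE = """\
# constructed sample, not from any real project
FROM --platform=linux/amd64 node:latest AS deps
FROM python
FROM ghcr.io/example/tool:1.4.2
FROM registry.example.com:5000/app:latest
FROM node:20.11.1-alpine@sha256:{digest}
FROM deps AS build
FROM scratch
""".format(digest="0" * 64)

if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {f.image} -> {f.reason}; pin to a version tag or digest")
```

Run as a script it reports lines 2, 3 and 5 of the sample; the digest-pinned line, the versioned ghcr.io image, the stage reference and scratch produce no finding.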

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.