HighFile-scopeDockerfile Plug & play

Pin exact versions with digests for base images

Base images must be pinned to an exact version and content digest (@sha256) to guarantee reproducible builds and supply-chain integrity.

Add to Mesrai Open workspace

Why this matters

Tags can be retagged and drift over time. Digests lock the image content, preventing unexpected changes and reducing the blast radius of registry compromises.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

FROM node:20-alpine
# or
FROM ubuntu:22.04

Prefer

FROM node:20.11.1-alpine@sha256:3c8b...deadbeef
# Tag + digest; digest is the source of truth

More snippets

Bad

FROM nginx:latest

Good

FROM nginx:1.25.5@sha256:abcd...

Related rules

From the same buckets as this rule.

Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
High
Add explicit environment variable checks
Validate required runtime env vars at container start via an entrypoint script; exit with a clear message on missing values.
config-environmentcontainer-docker-hygiene+1
High
Implement multi-stage builds for production
Use a builder stage for toolchains/dev deps and a minimal runtime stage that contains only runtime artifacts.
container-docker-hygienesecurity-hardening

Why this matters

Bad vs. good

More snippets

Related rules

Pods must run as non-root with read-only root filesystem

Add explicit environment variable checks

Implement multi-stage builds for production

Why this matters

Bad vs. good

More snippets

Related rules

Pods must run as non-root with read-only root filesystem

Add explicit environment variable checks

Implement multi-stage builds for production