HighFile-scope Plug & play

Pin container images by digest in Helm/K8s

Use immutable image digests (repo@sha256:...) instead of mutable tags for production workloads.

Why this matters

Digests provide deterministic deployments and avoid surprise upgrades.

Side-by-side examples engineers can pattern-match during review.

Avoid

image: myorg/api:latest

Prefer

image: myorg/api@sha256:1f3c...deadbeef

Good

image: backend@sha256:abc123...

Bad

image: backend:1.2.3

From the same buckets as this rule.

Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1
Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1