Unpinned Docker base image
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
The Dockerfile's FROM line has no version tag (or uses :latest), so the base image can change under you between builds.
Why it matters
A FROM line with no tag (or :latest) pulls whatever the newest image is at build time, so rebuilding the same Dockerfile next month can silently give you a different OS and language runtime. That is how builds break, or behavior changes in production, with zero changes in your repo. Pinning the tag makes every build start from the same base.
How to fix it
Pin each FROM to an explicit version tag, for example node:20-slim or python:3.12-slim rather than node or python:latest. For builds that must be fully reproducible, pin the digest too: node:20-slim@sha256:<digest>, which docker pull will print. Update the pin deliberately (Dependabot and Renovate both handle Dockerfile FROM lines) instead of letting it float.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo