Base image not pinned by digest
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A tagged base image is not pinned by @sha256 digest. Tags are mutable, so the same tag can resolve to different bytes over time. Heuristic: digest pinning is stricter than most projects need.
Why it matters
Tags like :20-slim are mutable, so the same tag can point to different image contents over time as the maintainer republishes it. Pinning by @sha256 digest guarantees the exact bytes every build. This is a hardening step, not a defect, so it is flagged at low severity.
How to fix it
Append the image digest to the tagged FROM, for example node:20.11.1-slim@sha256:.... Get the digest with docker buildx imagetools inspect or from your registry. Bump the digest along with the tag when you intentionally upgrade.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo