System package installed without a pinned version
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
An apt/apk/yum install names packages with no version pin, so a rebuild can silently install a different version. Heuristic: version pinning is not always practical and can be noisy.
Why it matters
Installing system packages without a version pin means a rebuild can pull a newer package than the one you tested, so an image that built cleanly last month can behave differently today. This check is a heuristic: full version pinning is not always practical and this pattern is common, so it is low severity.
How to fix it
Where reproducibility matters, pin versions in the install (apt-get install -y pkg=1.2.3, apk add --no-cache pkg=1.2.3). Pinning every package can be high-maintenance, so prioritize the ones whose version actually affects your app, and rely on a pinned base image for the rest.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo