Docker-image action pinned to a mutable tag
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A step uses a docker:// image reference with a tag (or no tag) instead of a @sha256 digest. Image tags are mutable, so the container your job runs can be replaced with different code.
Why it matters
A docker:// action referenced by tag (or with no tag, which means latest) runs whatever image currently sits behind that tag. Tags are mutable in the registry, so the container your job runs can be swapped for different code without any change to your workflow.
How to fix it
Pin the image to an immutable digest: uses: docker://image@sha256:<digest>. Pull the image once, read its digest with docker inspect or the registry, and reference that. Re-pin deliberately when you want to update.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo