Class: Rules::UnpinnedDockerImage
- Defined in:
- lib/rules/unpinned_docker_image.rb
Instance Method Details
#check(workflow) ⇒ Object
# File 'lib/rules/unpinned_docker_image.rb', line 7 def check(workflow) findings = [] workflow.lines_of(/:latest\b/).each do |line_num| line = workflow.line_content(line_num) next unless line&.match?(/docker:\/\/.*:latest|image:.*:latest|uses:.*:latest|docker:.*:latest|container:.*:latest/) findings << finding(workflow, line: line_num, code: line.strip, message: "Docker image uses :latest tag — mutable, not reproducible", fix: "Pin to a specific digest: image@sha256:..." ) end findings end |
#description ⇒ Object
# Short human-readable description of what this rule detects.
#
# @return [String]
def description
  "Docker image referenced by :latest tag"
end
#name ⇒ Object
# Stable identifier for this rule (kebab-case).
#
# @return [String]
def name
  "unpinned-docker-image"
end
#severity ⇒ Object
# Severity level this rule reports.
#
# @return [Symbol] always `:low`
def severity
  :low
end