Class: Rules::UnpinnedDockerImage

Inherits:

Base

• Object
• Base
• Rules::UnpinnedDockerImage

Defined in:

lib/rules/unpinned_docker_image.rb

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/unpinned_docker_image.rb', line 7

def check(workflow)
    findings = []

    workflow.lines_of(/:latest\b/).each do |line_num|
        line = workflow.line_content(line_num)
        next unless line&.match?(/docker:\/\/.*:latest|image:.*:latest|uses:.*:latest|docker:.*:latest|container:.*:latest/)

        findings << finding(workflow,
            line: line_num,
            code: line.strip,
            message: "Docker image uses :latest tag — mutable, not reproducible",
            fix: "Pin to a specific digest: image@sha256:..."
        )
    end

    findings
end

#description ⇒ Object

# File 'lib/rules/unpinned_docker_image.rb', line 4

def description = "Docker image referenced by :latest tag"

#name ⇒ Object

# File 'lib/rules/unpinned_docker_image.rb', line 3

def name = "unpinned-docker-image"

#severity ⇒ Object

# File 'lib/rules/unpinned_docker_image.rb', line 5

def severity = :low