☑️ Ensure each container image has a digest tag

To make sure the container always uses the same version of the image, you can specify its digest. The digest uniquely identifies a specific version of the image, so it will never be updated by Kubernetes unless you change the digest value.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: medium (What does this mean?)

Policy as code identifier: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST

This rule will fail

If a container doesn't have a digest image tag

spec:
  containers:
    - name: app
      image: nginx:1.19.8

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Ensure each container image has a digest tag [1 occurrence]
💡 Incorrect value for key `image` - add a digest tag (beginning with `@sha256:`) to represent an immutable version of the image

How to fix this failure

Each container image should have an image ID (aka image SHA)

spec:
  containers:
    - name: app
      image: nginx@sha256:0a564e80a3156f2cc825d1720f303d59bd521da19bcbd01316870e1313ecbd23

This rule will fail​

Rule output in the CLI​

How to fix this failure​

Read more​

This rule will fail

Rule output in the CLI

How to fix this failure

Read more