To make sure the container always uses the same version of the image, you can specify its digest. The digest uniquely identifies a specific version of the image, so it will never be updated by Kubernetes unless you change the digest value.
Targeted resources by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job
Enabled by default? False
Policy as code identifier: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST
If a container doesn't have a digest image tag
Each container image should have an image ID (aka image SHA)