When an image tag is not descriptive (e.g. lacking the version tag like 1.19.8), every time that image is pulled, the version will be a different version and might break your code. Also, a non-descriptive image tag does not allow you to easily roll back (or forward) to different image versions. It is better to use concrete and meaningful tags such as version strings or an image SHA.
Targeted resources by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job
Enabled by default? True
Policy as code identifier: CONTAINERS_MISSING_IMAGE_VALUE_VERSION
If a container image has no image version or is using latest as its image tag version
Each container image should have a pinned version tag or image ID (aka image SHA)