Container images should be referenced by digest rather than by tag to ensure immutability and prevent unexpected image changes.
apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
name: spotter-supply-002
labels:
severity: "high"
category: "supply"
annotations:
rules.spotter.dev/title: "Image Without Digest"
rules.spotter.dev/version: "1.0.0"
rules.spotter.dev/cwe: "CWE-829"
rules.spotter.dev/description: "Container images should be referenced by digest rather than by tag to ensure immutability and prevent unexpected image changes."
spec:
match:
resources:
kubernetes:
apiGroups:
- ""
- "apps"
- "batch"
versions:
- "v1"
kinds:
- Pod
- Deployment
- StatefulSet
- DaemonSet
- Job
- CronJob
namespaces:
include: ["*"]
exclude: ["kube-system", "kube-public"]
labels:
exclude:
rules.spotter.dev/ignore: ["true"]
cel: |
(object.kind == 'Pod' && has(object.spec.containers) && object.spec.containers.exists(c, has(c.image) && !c.image.contains("@sha256:"))) ||
(object.kind != 'Pod' && has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c, has(c.image) && !c.image.contains("@sha256:")))
remediation:
manual: "Update image references to use a digest (e.g., `myimage@sha256:digestvalue`) instead of a tag."
references:
- title: "Kubernetes Best Practices: Images"
url: "https://kubernetes.io/docs/concepts/containers/images/"