If Docker images are used in CI or deployment, they should be pinned to specific SHA256 digests rather than mutable tags (e.g., node:20 vs node:20@sha256:...). A mutable tag can be re-pointed at a different image at any time, so the same tag can silently start resolving to an image that includes malicious code; a digest identifies exactly one image content.
File: Dockerfile(s), CI workflow files
Fix: Pin all Docker base images to specific SHA256 digests and set up automated digest update PRs via Dependabot.
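A static check that finds unpinned image references, written here as an added example rather than code from the audited project. It scans Dockerfile `FROM` lines (skipping `scratch` and references to earlier build stages) and GitHub Actions workflow `image:`, `container:` and `uses: docker://` lines, reporting any reference that does not end in a full `@sha256:` digest. The sample Dockerfile and workflow are constructed for the example, and the digests in them are placeholders, not real image digests.

```python
"""Find Docker image references in Dockerfiles and CI workflows that are not
pinned to a sha256 digest (added example, not code from the audited project)."""
import re
from typing import List, Tuple

# A pinned reference ends in an immutable content digest: ...@sha256:<64 hex>
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Dockerfile: FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)

# GitHub Actions YAML: `image: <ref>`, `container: <ref>` or `uses: docker://<ref>`
YAML_IMAGE_RE = re.compile(
    r"^\s*-?\s*(?:image|container):\s*['\"]?(?P<ref>[^'\"\s#]+)"
    r"|^\s*-?\s*uses:\s*['\"]?docker://(?P<uses>[^'\"\s#]+)"
)


def is_pinned(ref: str) -> bool:
    """True only if the reference carries a full sha256 digest (a tag alone is mutable)."""
    return DIGEST_RE.search(ref) is not None


def check_dockerfile(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every FROM that is not digest-pinned.

    `scratch` and references to earlier build stages (FROM builder) are skipped
    because neither names a registry image. A reference built from an ARG
    (FROM ${BASE}) cannot be verified statically and is reported as unpinned.
    """
    findings: List[Tuple[int, str]] = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if ref.lower() != "scratch" and ref.lower() not in stages and not is_pinned(ref):
            findings.append((lineno, ref))
        if stage:
            stages.add(stage.lower())
    return findings


def check_workflow(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every job container, service image
    or docker:// action in a workflow file that is not digest-pinned."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = YAML_IMAGE_RE.match(line)
        if not m:
            continue
        ref = m.group("ref") or m.group("uses")
        if not is_pinned(ref):
            findings.append((lineno, ref))
    return findings


# Constructed sample inputs; the sha256 values are placeholders, not real digests.
SAMPLE_DOCKERFILE = """\
# constructed sample Dockerfile
FROM node:20 AS builder
WORKDIR /app
RUN npm ci

FROM node:20-slim@sha256:1111111111111111111111111111111111111111111111111111111111111111
COPY --from=builder /app /app

FROM builder AS test
FROM scratch
"""

SAMPLE_WORKFLOW = """\
# constructed sample GitHub Actions workflow
jobs:
  build:
    runs-on: ubuntu-latest
    container: python:3.12
    services:
      db:
        image: "postgres:16@sha256:2222222222222222222222222222222222222222222222222222222222222222"
    steps:
      - uses: docker://alpine:3.19
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for name, findings in (
        ("Dockerfile", check_dockerfile(SAMPLE_DOCKERFILE)),
        ("workflow", check_workflow(SAMPLE_WORKFLOW)),
    ):
        for lineno, ref in findings:
            print(f"{name}:{lineno}: unpinned image reference {ref!r}")
```

Run against the real Dockerfile(s) and workflow files as a CI gate so that a new mutable tag fails the build. Once everything is pinned, a `.github/dependabot.yml` entry with `package-ecosystem: "docker"` pointed at the directory holding the Dockerfile opens PRs that bump the digest whenever the upstream tag moves, which is what keeps digest pinning from freezing the image on an unpatched base.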