5.27 Ensure docker commands always get the latest version of the image

Information

Always use the current version of an image from your repository rather than a cached older copy. Commands such as docker run, docker create and docker build use a local image that carries the requested tag if one is present, and by default they do not check whether the upstream repository now holds a newer image under that same tag. Because a tag is a mutable pointer, a rebuilt image (for example, one carrying a security fix) can be published under the same tag while the host keeps running the stale, vulnerable copy.

Solution

Use version pinning so that the image you run is the one you intend rather than a cached older copy. The latest tag, which Docker assigns when no tag is given, is still a mutable tag and gives no protection against this caching behaviour; pin to an immutable content digest (image@sha256:...) or, at a minimum, to a specific, unique version tag. Apply pinning to base images in Dockerfiles, to packages installed inside the image, and to the complete images you deploy. You can customize the pinning rules to your requirements.

Impact

None.

Default Value

By default, docker commands use the local copy of an image unless version pinning mechanisms are used or the local cache is cleared.
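The following script is an added example and is not part of the CIS benchmark or of the Nessus check. It shows how a practitioner can enforce the pinning rule described above: one function recognizes whether an image reference is pinned to a sha256 digest, and a second lints a Dockerfile's FROM lines with that rule, skipping build-stage aliases and scratch. The Dockerfile text at the bottom is constructed for this example; the docker flags named in the comments (docker run --pull always, docker build --pull) are real CLI options, but nothing here talks to a daemon or registry, so the script runs offline.

```shell
#!/bin/sh
# Added example: pin checks for image references and Dockerfile FROM lines.
# Not from the CIS Docker benchmark or from Nessus.

# is_digest_pinned REF
# Succeeds (returns 0) only if REF ends in @sha256:<64 lowercase hex chars>,
# i.e. it names an immutable content digest rather than a mutable tag such
# as "alpine:3.19" or the implicit ":latest".
is_digest_pinned() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest="${1##*@sha256:}"
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# lint_dockerfile < Dockerfile
# Reads a Dockerfile on stdin, prints every FROM line whose base image is
# not digest-pinned, and fails (returns 1) if it found any. References to
# earlier build stages ("FROM builder") and to "scratch" are not registry
# images and are skipped. Runs in a subshell so "set -f" (no globbing while
# we word-split each line) does not leak into the caller.
lint_dockerfile() (
  set -f
  bad=0
  aliases=" scratch "
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line
    [ "$1" = "FROM" ] || [ "$1" = "from" ] || continue
    shift
    # Skip instruction flags such as --platform=linux/amd64.
    while [ "${1#--}" != "$1" ]; do shift; done
    ref=$1
    # Remember "FROM <image> AS <name>" so later "FROM <name>" is accepted.
    if [ -n "$3" ] && { [ "$2" = "AS" ] || [ "$2" = "as" ]; }; then
      aliases="$aliases$3 "
    fi
    case "$aliases" in *" $ref "*) continue ;; esac
    if ! is_digest_pinned "$ref"; then
      printf 'unpinned base image: %s\n' "$ref"
      bad=1
    fi
  done
  [ "$bad" -eq 0 ]
)

# Constructed sample Dockerfile for this example (the digest below is a
# placeholder of the right shape, not a real image digest).
SAMPLE_DOCKERFILE='FROM --platform=linux/amd64 golang:1.22 AS builder
RUN go build ./...
FROM builder AS test
FROM scratch
FROM alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# Demo when run directly: the golang:1.22 line is reported, the rest pass.
if printf '%s\n' "$SAMPLE_DOCKERFILE" | lint_dockerfile; then
  echo "all FROM lines are digest-pinned"
else
  echo "fix the lines above, then rebuild with: docker build --pull ."
  echo "for already-pinned tags at run time use: docker run --pull always <image>"
fi
```

Digest pinning is the strong form of the control: a digest names one immutable manifest, so a cached copy and a fresh pull can never differ. Where a tag must be kept, `docker build --pull` and `docker run --pull always` force the tag to be re-resolved against the registry instead of served from the local cache; pair them with an image signature or digest check so a compromised registry cannot substitute content under the tag.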
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

See Also

https://workbench.cisecurity.org/files/517