S6497: Using a container image based on its digest is security-sensitive is harmful to security. The rule tells users to do the exact opposite of what they should be doing. Image digests are a positive security measure and I believe Sonar should encourage their use - not discourage it.
As the rule documentation says,
This tag can be updated to point to another version of the container at any point in time.
The documentation further touts that ability to unexpectedly, unplanned “change at any point in change” as a benefit:
The problem is that pulling such an image prevents the resulting container from being updated or patched in order to remove vulnerabilities or significant bugs.
Having software change without any schedule, any tracking, or any control at all is generally not good development practice or good security. Change control is a key feature of security, and this Sonar rule is going contrary to that well established best practice.
From a development perspective, even the most well intentioned updates that fix “significant bugs” can have negative side effects. Consider Microsoft’s Patch Tuesday - even with Microsoft’s massive scale, budgets, and testing capabilities, it’s updates still cause problems sometimes and therefore many organizations and users do not apply them randomly, which is what this Sonar rule does.
For another, security focused example of why change control is critical, consider a supply chain compromise. Unless digests are used, supply chain compromises could not be detected until it’s too late. Consider a
Dockerfile that uses
FROM python:3.9, then a bad actor somehow manages to publish an image tagged
python:3.9 that steals credentials, runs a crypto miner, or something else. Eventually, docker hub will notice and remedy that situation, but in the mean time, the people who use that
Dockerfile will have unknowingly been affected, and they’ll have no idea when or how because there was no change in source control. For less popular, less watched images than docker library ones, this problem becomes far more difficult to notice and remedy. Supply chain attacks are on the rise, doing real world damage more and more often.
The rule documentation touches on the right solution:
In general, the use of image digests instead of tags is intended to keep determinism stable within a system or infrastructure for reliability reasons.
I believe the rule should be changed to be the exact opposite of what it is now. The rule should warn whenever an image is referenced without a digest. And the rule text should explain that it’s important to monitor for image updates, just like it’s important to monitor for updates to any dependency, and ideally use a automated tool (such as Dependency Bot or Renovate) or other security scanning software (such as Snyk) to do so.