DL3006 : Always tag the version of an image explicitly

Description

Specify an explicit tag or digest for images in FROM instructions. Untagged images can lead to unpredictable builds.

Goals

• Ensure deterministic builds by pinning base image versions.
• Avoid unintended image updates due to unpinned tags.

Specification

1. For each build stage, examine the base image in its FROM instruction.
2. If the image is an alias to a previous stage, scratch, or starts with a variable ($), skip the check.
3. If the image contains a digest using @, the check passes.
4. Otherwise, split the image on :. If no tag is present, emit DL3006 at the FROM line.

(c) 2025 Asymmetric Effort, LLC. scaldwell@asymmetric-effort.com