[HIGH] Multiple services use unpinned :latest container image tags #18

New issue

Open

opened 2026-05-05 15:44:27 -05:00 by pjennings · 0 comments

pjennings commented 2026-05-05 15:44:27 -05:00

Owner

Copy link

Labels: area:security, area:containers, priority:high, type:enhancement

Description

The following containers use 'latest' or unpinned tags:

• stalwartOne: stalwartlabs/stalwart:latest
• jaeger: jaegertracing/all-in-one:latest
• grafana: grafana/grafana:latest
• pgadmin4: dpage/pgadmin4:latest
• redisInsight: redis/redisinsight:latest
• paperless-ngx: ghcr.io/paperless-ngx/paperless-ngx:latest
• pelican-panel: ghcr.io/pelican-dev/panel:latest
• ocis: owncloud/ocis:latest
• otel-collector: otel/opentelemetry-collector-contrib:latest
• prometheus: prom/prometheus:latest

Impact

1. Supply chain risk: compromised upstream images auto-pulled
2. Breaking changes: updates can break configs without warning
3. Non-reproducible builds

Recommended Fix

1. Pin all images to specific version tags
2. Use Renovate/Dependabot for managed updates
3. For critical services, pin to image digests

**Labels:** area:security, area:containers, priority:high, type:enhancement ## Description The following containers use 'latest' or unpinned tags: - stalwartOne: stalwartlabs/stalwart:latest - jaeger: jaegertracing/all-in-one:latest - grafana: grafana/grafana:latest - pgadmin4: dpage/pgadmin4:latest - redisInsight: redis/redisinsight:latest - paperless-ngx: ghcr.io/paperless-ngx/paperless-ngx:latest - pelican-panel: ghcr.io/pelican-dev/panel:latest - ocis: owncloud/ocis:latest - otel-collector: otel/opentelemetry-collector-contrib:latest - prometheus: prom/prometheus:latest ## Impact 1. Supply chain risk: compromised upstream images auto-pulled 2. Breaking changes: updates can break configs without warning 3. Non-reproducible builds ## Recommended Fix 1. Pin all images to specific version tags 2. Use Renovate/Dependabot for managed updates 3. For critical services, pin to image digests

pjennings added this to the Security: High Findings milestone 2026-05-06 16:47:21 -05:00

pjennings added the

area:security

priority:high

type:bug

labels 2026-05-06 16:49:23 -05:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

indev

No results found.

Labels

Clear labels   

area:documentation

Documentation, inventory, runbooks

  

area:infrastructure

Infrastructure services and hardware

  

area:network

Network, firewall, and connectivity

  

area:security

Security vulnerabilities and findings

  

priority:critical

Fix immediately — active risk

  

priority:high

Fix within 1-2 weeks

  

priority:low

Backlog — hardening and best practices

  

priority:medium

Fix within 1 month

  

status:blocked

Blocked on dependency or decision

  

type:bug

Misconfiguration or broken behavior

  

type:deployment

New service or system deployment

  

type:enhancement

Improvement or hardening

  

type:investigation

Needs research or identification

No labels

area:documentation

area:infrastructure

area:network

area:security

priority:critical

priority:high

priority:low

priority:medium

status:blocked

type:bug

type:deployment

type:enhancement

type:investigation

Milestone

Clear milestone

No items

No milestone

Security: High Findings

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

reinitialized.net/infrastructure#18

No description provided.