← all rules
iac/dockerfile/dockerfile-base-image-eol
End-of-life base image
What it detects
A base image past its end-of-life no longer receives security updates, so unpatched OS/runtime CVEs accumulate in every layer built on it.
Remediation
Upgrade to a currently-supported release of the base image and rebuild; pin to a digest once on a supported tag.
How it runs
Run against Dockerfiles detected by path or basename. Line-based checks with remediation guidance.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.