← all rules

iac/dockerfile/dockerfile-base-image-eol

End-of-life base image

highDockerfileiac-dockerfileCWE-1104

What it detects

A base image past its end-of-life no longer receives security updates, so unpatched OS/runtime CVEs accumulate in every layer built on it.

Remediation

Upgrade to a currently-supported release of the base image and rebuild; pin to a digest once on a supported tag.

How it runs

Run against Dockerfiles detected by path or basename. Line-based checks with remediation guidance.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.