← all rules

iac/helm/helm-image-latest-tag

Helm values pin an image to a mutable tag

lowHelmiac-helm

What it detects

An image `tag: latest` (or an empty tag) makes deployments non-reproducible and silently pulls new, unreviewed image contents — including newly introduced vulnerabilities.

Remediation

Pin `tag` to a specific version, ideally a digest (`tag: "1.2.3"` / `digest: sha256:...`).

How it runs

Run against Helm chart values files (values.yaml / values-*.yaml), which aren't rendered manifests so the Kubernetes layer skips them. Line-based checks for insecure chart defaults that propagate into every rendered workload.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.