5.27 Ensure docker commands always get the latest version of the image

Information

Always ensure that you are using the latest version of the image within your repository and not the cached older versions.
Rationale:
Several docker commands, such as docker pull and docker run, are known to have an issue where, by default, they use the local copy of an image if one is present, even when an updated image with the same tag exists in the upstream repository. This can lead to running older, vulnerable images.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Use proper version pinning mechanisms (the latest tag, which is assigned by default, is still vulnerable to caching attacks) so that cached older versions are not used. Version pinning should be applied to base images, packages, and entire images. You can customize the version pinning rules to suit your requirements.
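As an added example (not part of the CIS benchmark or the Nessus audit), the following POSIX shell script checks whether image references are pinned to a content digest (name@sha256:<64 hex>), which is the form of version pinning that a mutable tag such as latest cannot provide, and audits a Dockerfile for unpinned FROM lines. The sample Dockerfile and its digest are constructed placeholders, not real images.

```shell
#!/bin/sh
# Added example: audit image references for digest pinning.
# A reference of the form name@sha256:<64 hex digits> identifies exactly one
# image; a bare tag (or no tag, which implies :latest) is mutable and is the
# case in which a stale cached copy can silently shadow the upstream image.

# ref_is_pinned REF -> exit 0 if REF carries a sha256 digest, 1 otherwise
ref_is_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# count_unpinned_from < Dockerfile -> reports each unpinned FROM line on
# stderr and prints the number of unpinned FROM lines (0 = fully pinned).
# "FROM <stage>" references to earlier build stages and "FROM scratch" are
# skipped, since neither fetches anything from a registry.
count_unpinned_from() {
    n=0
    stages=" "
    while IFS= read -r line; do
        # shellcheck disable=SC2086  (unquoted on purpose: split into words)
        set -- $line
        case "$1" in
            [Ff][Rr][Oo][Mm]) ;;   # Dockerfile instructions are case-insensitive
            *) continue ;;
        esac
        shift
        # drop option flags such as --platform=linux/amd64
        while [ -n "$1" ] && [ "${1#--}" != "$1" ]; do shift; done
        image="$1"
        # remember "AS <name>" so a later "FROM <name>" is not flagged
        if [ "$2" = "AS" ] || [ "$2" = "as" ]; then stages="$stages$3 "; fi
        [ "$image" = "scratch" ] && continue
        case "$stages" in *" $image "*) continue ;; esac
        if ! ref_is_pinned "$image"; then
            echo "unpinned: $line" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample Dockerfile; the digest below is a placeholder, not a real one.
SAMPLE_DOCKERFILE='FROM --platform=linux/amd64 golang:1.21 AS builder
FROM alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM builder
FROM nginx'

# Usage: prints "2" (golang:1.21 and nginx are tag-only references).
printf '%s\n' "$SAMPLE_DOCKERFILE" | count_unpinned_from
```

Digest pinning complements, rather than replaces, forcing a fresh pull at build time (for example, docker build --pull), since a pinned reference fails loudly instead of running a stale image when the cached copy does not match.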
Impact:
None
Default Value:
By default, docker commands use the local copy of an image unless version pinning mechanisms are used or the local cache is cleared.

See Also

https://workbench.cisecurity.org/files/1726