Docker base image uses a floating latest tag

A Dockerfile uses a `:latest` base image tag, so rebuilds can pull different bytes over time without a source change.

floating-docker-base-image medium confidence build docker


What this failure means

A Dockerfile uses a :latest base image tag, so rebuilds can pull different bytes over time without a source change.

Diagnosis

The Docker base image is mutable. CI builds that rely on :latest can become non-reproducible when the upstream image moves.

Fix steps

  1. Replace :latest with a specific version tag that matches the supported runtime.
  2. For release images, pin the base image by digest or use an automated dependency update workflow.
  3. Rebuild the image and commit the intended base version in the Dockerfile.

Validation

  • Run faultline inspect . from the repository root and confirm this source finding is absent or intentionally mitigated.
  • Build the Docker image from a clean cache and confirm it uses the pinned base image.
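One way to check the result of the fix steps across every FROM line, including multi-stage builds and registry ports that a plain search for "latest" misses. This is an added example, not Faultline's detection logic; the function name, status labels and sample Dockerfile are assumptions made for illustration.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify_from_lines(dockerfile_text):
    """Return (line_no, image_ref, status) for every FROM instruction."""
    stages = set()   # names introduced by "FROM ... AS <name>"
    findings = []
    for line_no, raw in enumerate(dockerfile_text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 2 or parts[0].upper() != "FROM":
            continue
        # Drop flags such as --platform=linux/amd64.
        args = [p for p in parts[1:] if not p.startswith("--")]
        if not args:
            continue
        ref = args[0]
        if ref == "scratch" or ref.lower() in stages:
            status = "not-a-registry-image"   # empty base or earlier build stage
        elif "$" in ref:
            status = "unresolved-arg"         # value comes from ARG / --build-arg
        elif DIGEST.search(ref):
            status = "digest-pinned"
        else:
            # The tag follows ':' in the last path component; a ':' earlier
            # in the reference is a registry port, not a tag.
            last = ref.rsplit("/", 1)[-1]
            tag = last.split(":", 1)[1] if ":" in last else None
            status = "floating" if tag in (None, "latest") else "tag-pinned"
        findings.append((line_no, ref, status))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings

# Constructed sample Dockerfile; the digest is a placeholder, not a real image digest.
SAMPLE = "\n".join([
    "FROM golang:latest AS build",
    "FROM --platform=linux/amd64 registry.example.com:5000/base/python",
    "FROM python:3.12-slim",
    "FROM alpine:3.20@sha256:" + "0" * 64,
    "ARG BASE=debian:latest",
    "FROM ${BASE}",
    "FROM build AS test",
    "FROM scratch",
])

if __name__ == "__main__":
    for line_no, ref, status in classify_from_lines(SAMPLE):
        print(f"{line_no:>3}  {status:<22} {ref}")
```

A "tag-pinned" result is still a mutable reference if the upstream publisher moves the tag; only "digest-pinned" names fixed bytes. Lines reported as "unresolved-arg" need the ARG default and any --build-arg values checked by hand.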

Why it matters

Floating base images make builds change without a repository diff. That can introduce dependency, OS package, architecture, and runtime changes that are hard to reproduce after CI fails.

Try it locally

make test
rg -n latest Dockerfile
make test
docker build .

How Faultline detects it

Use faultline explain floating-docker-base-image to see the full playbook.

faultline analyze build.log
faultline explain floating-docker-base-image

Generated from playbooks/bundled/source/floating-docker-base-image.yaml. Do not edit directly.
