Mutable 'Latest' Docker Tag in CI/CD Pipeline Raises Supply Chain Attack Risk for IoT-Wall API

A security review has identified a critical configuration weakness in the CI/CD pipeline responsible for building and publishing the IoT-Wall API container images. The pipeline at `.github/workflows/api-build.yml` (lines 88–89) simultaneously pushes Docker images with two tagging strategies: an immutable SHA-based tag and a mutable `latest` tag. While the SHA reference guarantees image immutability, the parallel use of the `latest` tag introduces a supply chain vulnerability that undermines that protection if deployment configurations reference it.

The mechanism is straightforward but dangerous in practice. Each build overwrites the `latest` tag with whatever image was most recently processed, regardless of its contents or provenance. If any deployment, documentation, internal configuration, or automated system pulls `iot-wall-api:latest`, a compromised build or registry access could result in a malicious image being automatically distributed to production environments. The attack surface extends beyond direct pipeline compromise—an attacker gaining access to the Azure Container Registry or manipulating build artifacts could overwrite the mutable tag before containers next pull the image.

Security researchers have classified this finding under OWASP Category A08:2021 (Software and Data Integrity Failures), with severity rated as Low given existing mitigations. The immutable SHA tag provides a robust defense when consistently used for all production deployments. However, the mere existence of the mutable `latest` tag creates ongoing risk of accidental or purposeful misuse. Organizations operating similar pipelines are advised to audit all references to `latest` tags, enforce SHA-based image pinning in deployment configurations, and consider removing mutable tags entirely from production-oriented registries. The vulnerability demonstrates how a single configuration option can expose software supply chains to substitution attacks even when immutable tagging infrastructure exists.