Description
- This is a bug report
- This is a feature request
- I searched existing issues before opening this one
Expected behavior
https://github.com/hadolint/hadolint/wiki/DL3018 should also match install-php-extensions.
In my Dockerfiles I often use https://github.com/mlocati/docker-php-extension-installer.
Finding DL3018 triggers on apk add lines without a pinned version. However, it does not trigger on the install-php-extensions line, where the same finding should apply.
Expected behavior
Examples that should trigger DL3018 for not using version pinning:
```dockerfile
RUN chmod +x /usr/local/bin/install-php-extensions && \
    install-php-extensions gd iconv mysqli mbstring @composer
```
Examples that should not trigger DL3018 because they have versions pinned:
```dockerfile
RUN chmod +x /usr/local/bin/install-php-extensions && \
    install-php-extensions xdebug-2.9.7
# Install the most recent xdebug 2.x version (for example 2.9.8)
RUN install-php-extensions xdebug-^2
# Install the most recent xdebug 2.8.x version (for example 2.8.1)
RUN install-php-extensions xdebug-^2.8
# Install the most recent STABLE xdebug 3.x version (for example 3.2.2)
RUN install-php-extensions xdebug-^3@stable
```
Keep in mind that multiple packages can be added in one line (as in the first example), but the same logic already applies to apk as well. Documentation on version pinning syntax is here: https://github.com/mlocati/docker-php-extension-installer?tab=readme-ov-file#installing-specific-versions-of-an-extension.
The same applies to composer rules that do not use version pinning, such as:
```dockerfile
RUN composer require mpdf/mpdf
```
See Composer version pinning examples here: https://stackoverflow.com/questions/40914114/how-to-install-a-specific-version-of-package-using-composer.
The same applies to go install commands like:
```sh
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
```
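
The check requested above can be sketched outside hadolint as follows. This is an added example, not part of the issue and not hadolint's code: the function names, the pin pattern (derived only from the pinned forms quoted in the issue) and the sample Dockerfile are assumptions, and only shell-form RUN instructions are handled.

```python
import re
import shlex

# Pinned forms shown in the issue: xdebug-2.9.7, xdebug-^2, xdebug-^3@stable.
# Assumption: a pin is "<name>-<optional ^><digit...>" with an optional @stability.
PINNED = re.compile(r"^@?[A-Za-z0-9_]+-\^?\d[\w.]*(@\w+)?$")

def logical_lines(dockerfile):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = [], 0
    for number, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, also inside a continuation
        if not buf:
            start = number
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf = []

def unpinned_php_extensions(dockerfile):
    """Return (line, argument) for each install-php-extensions argument without a version."""
    findings = []
    for number, text in logical_lines(dockerfile):
        if not text.upper().startswith("RUN "):
            continue
        # Split the shell part into simple commands on &&, ||, ; and |
        for command in re.split(r"&&|\|\||;|\|", text[4:]):
            words = shlex.split(command)
            if not words or words[0].rsplit("/", 1)[-1] != "install-php-extensions":
                continue
            for arg in words[1:]:
                # Arguments starting with "-" are treated as options and skipped.
                if not arg.startswith("-") and not PINNED.match(arg):
                    findings.append((number, arg))
    return findings

# Constructed sample built from the issue's examples (the FROM line and "redis" are made up).
SAMPLE = r"""FROM php:8.2-cli
RUN chmod +x /usr/local/bin/install-php-extensions && \
    install-php-extensions gd iconv mysqli mbstring @composer
RUN chmod +x /usr/local/bin/install-php-extensions && \
    install-php-extensions xdebug-2.9.7
# Install the most recent xdebug 2.x version
RUN install-php-extensions xdebug-^2
RUN install-php-extensions xdebug-^3@stable redis
"""

if __name__ == "__main__":
    for number, arg in unpinned_php_extensions(SAMPLE):
        print(f"line {number}: {arg} has no pinned version (DL3018-style finding)")
```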