BUG - pinned dockerfile marked as not pinned

[Kielek]

Describe the bug
In OpenTelemetry .NET SDK repository we have a Dockerfile allowing to build content using different versions of docker image based on the arguments. See https://github.com/open-telemetry/opentelemetry-dotnet/blob/f153e130b46844b023ccde867d00ed757260969c/examples/MicroserviceExample/WorkerService/Dockerfile

It leads to follwoing issue

score is 7: containerImage not pinned by hash
Click Remediation section below to solve this issue

Reproduction steps

The simplified file allowing to reproduce issue:

ARG SDK_VERSION=9.0

FROM mcr.microsoft.com/dotnet/sdk:8.0.413@sha256:45e41fe52eb60f42bd75c83b7e8bfff0523e031e042b4c1fc7ddb9c348898c64 AS dotnet-sdk-8.0
FROM mcr.microsoft.com/dotnet/sdk:9.0.304@sha256:840f3b62b9742dde4461a3c31e38ffd34d41d7d33afd39c378cfcfd5dcb82bd5 AS dotnet-sdk-9.0

FROM dotnet-sdk-${SDK_VERSION} AS build

Expected behavior
Dockerfile constructed in this way are recognized as pinned.

Additional context
Alternative option - possibility to mark this case as false positive to pass pinned step https://scorecard.dev/viewer/?uri=github.com/open-telemetry/opentelemetry-dotnet

[spencerschrock]

#3684 is the main issue for this, which had an old unsubmitted fix. #4780 should take care of it.

go run main.go --repo open-telemetry/opentelemetry-dotnet --checks Pinned-Dependencies --format json --show-details | jq
{
  "date": "2025-09-05T09:53:46-06:00",
  "repo": {
    "name": "github.com/open-telemetry/opentelemetry-dotnet",
    "commit": "f153e130b46844b023ccde867d00ed757260969c"
  },
  "scorecard": {
    "version": "devel",
    "commit": "unknown"
  },

... omitted ...

"Info:  21 out of  21 containerImage dependencies pinned",

... omitted ...

[Kielek]

@spencerschrock, thank you! Please let me know when I can expect the release containing fix.