1 files changed, 39 insertions, 0 deletions

diff --git a/src/ansiblelint/rules/latest.py b/src/ansiblelint/rules/latest.py
new file mode 100644
index 0000000..a21fdf5
--- /dev/null
+++ b/src/ansiblelint/rules/latest.py
@@ -0,0 +1,39 @@
+"""Implementation of latest rule."""
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Any
+
+from ansiblelint.errors import MatchError
+from ansiblelint.rules import AnsibleLintRule
+
+if TYPE_CHECKING:
+    from ansiblelint.file_utils import Lintable
+
+
+class LatestRule(AnsibleLintRule):
+    """Result of the command may vary on subsequent runs."""
+
+    id = "latest"
+    description = (
+        "All version control checkouts must point to "
+        "an explicit commit or tag, not just ``latest``"
+    )
+    severity = "MEDIUM"
+    tags = ["idempotency"]
+    version_added = "v6.5.2"
+
+    def matchtask(
+        self, task: dict[str, Any], file: Lintable | None = None
+    ) -> bool | str | MatchError:
+        """Check if module args are safe."""
+        if (
+            task["action"]["__ansible_module__"] == "git"
+            and task["action"].get("version", "HEAD") == "HEAD"
+        ):
+            return self.create_matcherror(tag="latest[git]", filename=file)
+        if (
+            task["action"]["__ansible_module__"] == "hg"
+            and task["action"].get("revision", "default") == "default"
+        ):
+            return self.create_matcherror(tag="latest[hg]", filename=file)
+        return False