How to know where a docker image came from?


Problem

I have a Docker image on my system 12346789ABCD.

Is there a way to know where it is coming from?

Specifically, I would like to know if it was built locally or downloaded from a repository, and in that latter case, downloaded from which repository.

Solution

Typically, if it's from a registry, you see that in the name of the image (if it's not from the default registry, Docker Hub). Images from Quay look like quay.io//:.

Some images are from anywhere else at all. For example images that are FROM: scratch and images created via docker import will not be associated with any registry. These are the famous none:none images (no repository and no tag). In this case, you only have the ID (SHA) and you need to be Sherlock Holmes (or Jessie Frazelle) to match it with something.

So, you can only see what is written in the manifest. Should you trust it? The manifest can be signed using docker content trust, even if the image contents themselves are not. If you need more certainty on the provenance, you probably need notary to ensure that trust is maintained throughout the delegation chain.

Hope that answers the question.

Context

StackExchange DevOps Q#5611, answer score: 5
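
The following is an added example, not part of the original answer: it reads the `RepoTags` and `RepoDigests` fields that `docker image inspect` prints and applies Docker's naming rule to work out which registry each reference implies. The classification is a heuristic (a repo digest is recorded on pull or push, a bare name can be set by anyone with `docker tag`), and the sample JSON, image names and IDs are constructed for illustration.

```python
import json

DEFAULT_REGISTRY = "docker.io"  # Docker Hub, implied when a name has no host part

def registry_of(reference):
    """Registry host implied by an image reference (tag or digest form)."""
    name = reference.split("@", 1)[0]  # drop a trailing @sha256:... digest
    first, slash, _ = name.partition("/")
    # The first path component is a host only if it contains "." or ":",
    # or is "localhost"; otherwise the name is relative to Docker Hub.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY

def classify(entry):
    """Heuristic provenance for one object from `docker image inspect`."""
    tags = entry.get("RepoTags") or []
    digests = entry.get("RepoDigests") or []
    if digests:
        # A repo digest is recorded on pull or push, so a registry was involved.
        origin, refs = "registry", digests
    elif tags:
        # Name only: built, loaded or re-tagged locally; the name proves nothing.
        origin, refs = "local-name-only", tags
    else:
        # No repository and no tag: only the image ID is left to go on.
        origin, refs = "untagged", []
    return {"id": entry.get("Id"), "origin": origin,
            "registries": sorted({registry_of(r) for r in refs})}

# Constructed sample shaped like `docker image inspect` output (not real images).
SAMPLE = json.dumps([
    {"Id": "sha256:aaaa", "RepoTags": ["quay.io/exampleorg/tool:1.0"],
     "RepoDigests": ["quay.io/exampleorg/tool@sha256:bbbb"]},
    {"Id": "sha256:cccc", "RepoTags": ["myapp:dev"], "RepoDigests": []},
    {"Id": "sha256:dddd", "RepoTags": [], "RepoDigests": None},
    {"Id": "sha256:eeee", "RepoTags": ["localhost:5000/svc:2"],
     "RepoDigests": ["localhost:5000/svc@sha256:ffff"]},
])

def report(inspect_json):
    """Classify every image object in a `docker image inspect` JSON array."""
    return [classify(e) for e in json.loads(inspect_json)]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

To run it on a real host, pass the output of `docker image inspect` for the image IDs of interest to `report()` in place of `SAMPLE`.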
