# Docker inspect format manual

Docker inspect provides detailed information on constructs controlled by Docker. By default, docker inspect will render results in a JSON array. Refer to the options section for an overview of available OPTIONS for this command. For example uses of this command, refer to the examples section below.

Scanning the layer list helps you quickly identify suspicious actions that could indicate you're using a malicious image. Each line in the command's output represents a new layer in the image. The "CREATED BY" column shows the Dockerfile instruction that created the layer. Look for unknown binaries in RUN instructions, unexpected environment variable changes, and suspicious CMD and ENTRYPOINT statements.

The latter two layers are arguably the most important to assess when inspecting an image's history. They tell you exactly what will launch when you docker run or docker start a container. If either instruction looks suspicious or unfamiliar, consider using the techniques above to fully inspect the referenced binaries or scripts.

Accessing an image's filesystem provides a very granular view of its contents where malicious content can easily go unnoticed, even after manual inspection. Third-party open-source tools are also available to help you list the content of images. These typically offer filtering capabilities so you can quickly enumerate installed operating system packages, programming language dependencies, and ordinary files. The layer list exposed by docker image history can't help you find disguised filesystem items but is more effective at surfacing blatantly malicious operations such as furtive spyware downloads or environment variable overrides.