{"id":367787,"date":"2021-11-16T14:00:22","date_gmt":"2021-11-16T11:00:22","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-inspect-a-docker-images-content-without-starting-a-container-cloudsavvy-it\/"},"modified":"2021-11-16T14:00:22","modified_gmt":"2021-11-16T11:00:22","slug":"how-to-inspect-a-docker-images-content-without-starting-a-container-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-inspect-a-docker-images-content-without-starting-a-container-cloudsavvy-it\/","title":{"rendered":"#How to Inspect a Docker Image\u2019s Content Without Starting a Container \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Inspect a Docker Image\u2019s Content Without Starting a Container \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage aligncenter size-full wp-image-14169\" 
srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/993634a1.png?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/993634a1.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/993634a1.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1200\" height=\"675\"\/><\/p>\n<p>Docker images can bundle arbitrary binaries and libraries into a single blob of data. Inspecting what\u2019s actually inside an image helps you assess its suitability and identify any security hazards.<\/p>\n<p>The easiest way to explore an image\u2019s content involves starting a container, getting a shell session, and then using regular terminal commands like <code>ls<\/code> and <code>cd<\/code> to view its directory structure from within. This isn\u2019t ideal in security-critical environments though \u2013 starting a container from an unknown image could expose you to a malicious entrypoint script.<\/p>\n<p>Here are techniques you can use to inspect an image\u2019s files without starting a container.<\/p>\n<h2 id=\"creating-a-container-without-starting-it\"><span class=\"ez-toc-section\" id=\"Creating_a_Container_Without_Starting_It\"><\/span>Creating a Container Without Starting It<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><code>docker create<\/code> is a lesser-known counterpart to <code>docker run<\/code>. It creates a new container atop a given image without starting it. 
You could launch it later on with the <code>docker start<\/code> command.<\/p>\n<p>Creating a new container isn\u2019t dangerous as it\u2019ll stay inert until it\u2019s run. You can roughly liken it to defining the config settings for a VM which you don\u2019t use. Even if it\u2019s set to boot from a tainted operating system ISO, you\u2019re not going to cause any damage to your environment.<\/p>\n<pre>docker create --name suspect-container suspect-image:latest<\/pre>\n<p>The command above creates a new container called <code>suspect-container<\/code> that will be based on the <code>suspect-image:latest<\/code> image.<\/p>\n<h2 id=\"exporting-the-containers-filesystem\"><span class=\"ez-toc-section\" id=\"Exporting_the_Containers_Filesystem\"><\/span>Exporting the Container\u2019s Filesystem<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now you\u2019ve got a valid but stopped container, you can export its filesystem using the <code>docker export<\/code> command. As the container\u2019s never been started, you can be sure the export accurately represents the filesystem defined by your image\u2019s layers.<\/p>\n<pre>docker export suspect-container &gt; suspect-container.tar<\/pre>\n<p>You\u2019ll end up with a tar archive in your working directory that contains everything inside your image. Open or extract this archive using your favorite software to browse the image\u2019s directories and list and view files.<\/p>\n<p>If you don\u2019t need to save or open the archive, instead preferring to get the file list in your terminal, modify the <code>tar<\/code> command:<\/p>\n<pre>docker export suspect-container | tar t &gt; suspect-container-files.txt<\/pre>\n<p><code>tar t<\/code> lists the contents of the input archive. 
You\u2019ll end up with a list of everything in your image inside <code>suspect-container-files.txt<\/code>.<\/p>\n<h2 id=\"using-docker-image-save\"><span class=\"ez-toc-section\" id=\"Using_%E2%80%9Cdocker_image_save%E2%80%9D\"><\/span>Using \u201cdocker image save\u201d<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A variation on this technique is using <code>docker image save<\/code>. This command directly saves an image\u2019s data to a tar archive.<\/p>\n<pre>docker image save suspect-image:latest &gt; suspect-image.tar<\/pre>\n<p>This method produces an archive that\u2019s focused on the image, not containers created from it. The tar will include a <code>manifest.json<\/code> file, describing the image\u2019s layers, and a set of directories containing the content of all the individual layers.<\/p>\n<p>This is helpful when you\u2019re evaluating each layer\u2019s role in building the image. However, creating and exporting a stopped container is a more accessible way to browse the image\u2019s final filesystem.<\/p>\n<h2 id=\"listing-layers-with-docker-image-history\"><span class=\"ez-toc-section\" id=\"Listing_Layers_With_%E2%80%9Cdocker_image_history%E2%80%9D\"><\/span>Listing Layers With \u201cdocker image history\u201d<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Another way of inspecting an image\u2019s content is to view its layer list with the <code>docker image history<\/code> command.<\/p>\n<pre>docker image history suspect-image:latest<\/pre>\n<p>This exposes the Dockerfile instructions that composed the image\u2019s layers. It won\u2019t let you see individual files and directories in the image\u2019s filesystem, but it can be more effective at highlighting suspect behavior.<\/p>\n<p>Each line in the command\u2019s output represents a new layer in the image. 
The \u201cCREATED BY\u201d column shows the Dockerfile instruction that created the layer.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14666\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/d98f8a38.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1161\" height=\"452\"\/><\/p>\n<p>Scanning the layer list helps you quickly identify suspicious actions that could indicate you\u2019re using a malicious image. Look for unknown binaries in <code>RUN<\/code> instructions, unexpected environment variable changes, and suspicious <code>CMD<\/code> and <code>ENTRYPOINT<\/code> statements.<\/p>\n<p>The latter two instructions are arguably the most important to assess when inspecting an image\u2019s history. They tell you exactly what will launch when you <code>docker run<\/code> or <code>docker start<\/code> a container. If either instruction looks suspicious or unfamiliar, consider using the techniques above to fully inspect the referenced binaries or scripts.<\/p>\n<p>Accessing an image\u2019s filesystem provides a very granular view of its contents, one in which malicious files can easily go unnoticed, even after manual inspection. The layer list exposed by <code>docker image history<\/code> can\u2019t help you find disguised filesystem items but is more effective at surfacing blatantly malicious operations such as furtive spyware downloads or environment variable overrides.<\/p>\n<p>Third-party open-source tools are also available to help you list the content of images. 
These typically offer filtering capabilities so you can quickly enumerate installed operating system packages, programming language dependencies, and ordinary files.<\/p>\n<p>Image inspection <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.anchore.com\/3.0\/docs\/using\/cli_usage\/images\/inspecting_image_content\">is built into<\/a> the Anchore container scanning engine. You can use it by running <code>anchore-cli image content my-image:latest<\/code> after you\u2019ve <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.anchore.com\/3.0\/docs\/installation\">installed Anchore<\/a>. This provides a complete list of the target image\u2019s filesystem contents.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14667\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/7beeba46.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"964\" height=\"537\"\/><\/p>\n<p>Another option is <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/wagoodman\/dive\">Dive<\/a>, a tool expressly built for visualizing image content. It uses a layer-based approach and highlights the filesystem changes made with each new layer. You browse through the filesystem using a tree-based interactive terminal view.<\/p>\n<h2 id=\"conclusion\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker images are usually opaque at the point of consumption. Popular registries don\u2019t provide a file listing in their APIs or user interfaces. This functionality isn\u2019t integrated into the Docker CLI either. 
Although many developers use images as-is, an unaudited image may be intolerable in high-risk environments.<\/p>\n<p>You can inspect a suspect image by exporting it to an archive and browsing through its content. This keeps the image inert, preventing malicious content from being run, while providing a complete view of the filesystem it would create in a container.<\/p>\n<p>You can further boost your security posture by combining manual content exploration with automated image scans. These accelerate the process of detecting known vulnerabilities but may not be effective at finding new malicious files deposited in concealed locations. Using multiple techniques lets you spread your coverage and catch the widest possible set of suspect files.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" 
href=\"https:\/\/www.cloudsavvyit.com\/14663\/how-to-inspect-a-docker-images-content-without-starting-a-container\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Inspect a Docker Image\u2019s Content Without Starting a Container \u2013 CloudSavvy IT&#8221; Docker images can bundle arbitrary binaries and libraries into a single blob of data. Inspecting what\u2019s actually inside an image helps you assess its suitability and identify any security hazards. The easiest way to explore an image\u2019s content involves starting a&#8230;<\/p>\n","protected":false},"author":1,"featured_media":367788,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/993634a1.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-367787","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/367787","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=367787"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/367787\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/367788"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=367787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.co
m\/en\/wp-json\/wp\/v2\/categories?post=367787"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=367787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}