When to Use
- Digest verification: Retrieve the image's
RepoDigests before deploying to production and compare against the expected sha256 from your release manifest to ensure supply-chain integrity.
- Dynamic port binding: Extract
Config.ExposedPorts from the image definition to programmatically generate the correct host-port mapping when creating containers.
- Version metadata: Read
Config.Labels["org.opencontainers.image.version"] to surface the semantic version embedded in OCI image annotations.
- Freshness enforcement: Check
Created timestamp against a maximum-age policy; route to an image/pull node if the cached image is older than the threshold.
- Documentation generation: Retrieve default environment variables from
Config.Env to auto-populate deployment documentation or runbook templates.
Configuration
Connection
| Field | Type | Default | Description |
dockerHost | string | unix:///var/run/docker.sock | Docker daemon socket path or TCP endpoint. |
connectionType | string | unixsocket | One of: unixsocket, tcp, tcptls. |
tlsCertPath | string | — | TLS certificate directory. Required when connectionType is tcptls. optional |
timeoutSeconds | int | 30 | Operation timeout in seconds. optional |
Operation Fields
| Field | Type | Badge | Description |
Repository | string | required | Image name with optional tag or digest (e.g., nginx:1.25, sha256:a3562aa…). |
Sample Configuration
{
"resource": "image",
"operation": "inspect",
"connection": {
"dockerHost": "unix:///var/run/docker.sock",
"connectionType": "unixsocket"
},
"Repository": "nginx:1.25"
}
Validation Errors
| Error Code | Condition | Resolution |
MISSING_INPUT | Repository field is empty. | Provide an image name, tag, or digest. |
NOT_FOUND | The specified image does not exist on the host. | Run image/pull first or verify the image name. |
CONFIG_ERROR | Connection settings malformed. | Check dockerHost and connectionType. |
AUTH_FAILED | TLS handshake failed. | Verify tlsCertPath contains valid certificates. |
DOCKER_API_ERROR | Daemon returned an unexpected error. | Check Docker daemon logs on the host. |
Output
Success Port
| Field | Type | Description |
status | string | "ok" on success. |
resource | string | "image" |
operation | string | "inspect" |
imageInfo.Id | string | Full sha256 image ID. |
imageInfo.RepoTags | string[] | All tags associated with this image. |
imageInfo.RepoDigests | string[] | Content-addressable digests from registries. |
imageInfo.Created | string | ISO 8601 creation timestamp. |
imageInfo.Size | int | Image size in bytes. |
imageInfo.VirtualSize | int | Virtual size including shared layers. |
imageInfo.Config.Cmd | string[] | Default command defined in the image. |
imageInfo.Config.Env | string[] | Default environment variables (KEY=VALUE format). |
imageInfo.Config.ExposedPorts | object | Ports declared in the image (e.g., {"80/tcp": {}}). |
imageInfo.Config.Labels | object | Image labels including OCI annotations. |
imageInfo.Config.WorkingDir | string | Default working directory inside the container. |
imageInfo.RootFS.Layers | string[] | Array of layer digest strings. |
Error Port
Fires when the operation fails. Output contains status: "error", errorCode, and errorMessage.
Sample Output
{
"status": "ok",
"resource": "image",
"operation": "inspect",
"imageInfo": {
"Id": "sha256:a3562aa0b991bc928a4f7e91bb2b8d8c3f16fab56a4cb7c2c07d3f2d0c2e9e1a",
"RepoTags": ["nginx:1.25"],
"RepoDigests": ["nginx@sha256:593dac25b7733ffb7afe1a72649a43e574778bf025ad60514ef40f6b5d606247"],
"Created": "2024-05-27T10:00:00Z",
"Size": 186942464,
"VirtualSize": 186942464,
"Config": {
"Cmd": ["nginx", "-g", "daemon off;"],
"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "NGINX_VERSION=1.25.3"],
"ExposedPorts": { "80/tcp": {} },
"Labels": {
"maintainer": "NGINX Docker Maintainers",
"org.opencontainers.image.version": "1.25.3"
},
"WorkingDir": ""
},
"RootFS": {
"Layers": [
"sha256:7264a8db6415046d36d16ba98b79778e18accee6ffa71850405994cffa9be7de",
"sha256:2c40c66f7667b5ef8c3ef66173a4a95f66b5e72e25f6c14bb0a8ac9f0bc5b3ae"
]
}
}
}
Expression Reference
| Expression | Returns |
{{ $output.imageInfo.Id }} | Full sha256 image ID. |
{{ $output.imageInfo.RepoDigests[0] }} | First registry digest for supply-chain verification. |
{{ $output.imageInfo.Config.Labels['org.opencontainers.image.version'] }} | OCI semantic version label. |
{{ $output.imageInfo.Config.ExposedPorts }} | Object of exposed port declarations. |
{{ $output.imageInfo.Created }} | ISO 8601 image creation timestamp. |
Node Policies & GuardRails
| Policy | Enforcement |
| Never expose Docker daemon TCP without TLS | Use tcptls for remote connections. Plain tcp is blocked in production GuardRail profiles. |
| Store TLS certificates in Credentials Manager | Reference tlsCertPath via {{ $credentials.dockerTlsCertPath }} — never hard-code paths. |
| Verify image digest before production deploy | Compare imageInfo.RepoDigests[0] against your release manifest's expected digest. Route to abort node on mismatch. |
| Never interpolate user input into the Repository field | The image name must come from a trusted workflow variable, not raw user input, to prevent path injection. |
| Always handle the error port | A NOT_FOUND error means the image was never pulled — always wire the error port to an alerting or pull-and-retry flow. |
| Restrict container/exec to approved commands | Arbitrary exec access is root-equivalent. GuardRail exec policies restrict allowed command prefixes. |
Examples
Example 1 — Digest Verification Before Deploy
Inspect the image to retrieve its registry digest, then compare to the expected value stored in a workflow variable before proceeding to container creation.
{
"resource": "image",
"operation": "inspect",
"Repository": "{{ $vars.deployImage }}"
}
// Downstream condition:
// {{ $output.imageInfo.RepoDigests[0] === $vars.expectedDigest }}
Example 2 — Extract Ports for Dynamic Port Binding
Read Config.ExposedPorts from the image and pass the keys to a downstream container/create node to build port mappings automatically.
// Get the first exposed port key (e.g., "80/tcp"):
{{ Object.keys($output.imageInfo.Config.ExposedPorts)[0] }}
// Strip "/tcp" suffix to get port number:
{{ Object.keys($output.imageInfo.Config.ExposedPorts)[0].split('/')[0] }}
Example 3 — Freshness Gate
Compare the image creation date against a max-age threshold. If the image is stale, route to an image/pull node to refresh it.
// Calculate age in days:
{{ Math.floor((Date.now() - new Date($output.imageInfo.Created).getTime()) / 86400000) }}
// Route condition (stale if older than 7 days):
// {{ imageAgeDays > 7 }}